Aug 01, 2018 - 7:21 p.m.

Security Bulletin: IBM Spectrum Scale deployments with the Object Protocols functionality enabled are affected by a security vulnerability in Python (CVE-2017-2592)

2018-08-01 19:21:15
www.ibm.com
EPSS: 0.001 (Low), Percentile: 26.7%

Summary

IBM Spectrum Scale deployments with the Object Protocols functionality enabled are affected by a security vulnerability in Python that could allow a local authenticated attacker to obtain sensitive information, caused by including sensitive data in the CatchError class. A local attacker could exploit this vulnerability to obtain sensitive information. (CVE-2017-2592)

Vulnerability Details

CVEID: CVE-2017-2592
DESCRIPTION: Python oslo.middleware package could allow a local authenticated attacker to obtain sensitive information, caused by including sensitive data in the CatchError class. A local attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123956 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N)

Affected Products and Versions

IBM Spectrum Scale V4.2.2.0 thru V4.2.2.3

IBM Spectrum Scale V4.2.1.0 thru V4.2.1.2

Remediation/Fixes

For IBM Spectrum Scale V4.2.1.0 thru V4.2.1.2 and V4.2.2.0 thru V4.2.2.3, apply V4.2.3, or later, available from FixCentral at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

If you cannot apply the latest level of service, contact IBM Service for an efix referencing APAR IV98405.

To contact IBM Service, see http://www.ibm.com/planetwide/

Note: IBM Spectrum Scale V4.1.1 and V4.2.0 are not affected.

Workarounds and Mitigations

None
