Security Bulletin: IBM Spectrum Scale V4.1.1, IBM GPFS V4.1, and IBM V3.5 for AIX are affected by a security vulnerability (CVE-2015-7403)

Summary

A security vulnerability has been identified in the current levels of IBM Spectrum Scale V4.1.1, IBM GPFS V4.1 and V3.5 that could allow a local attacker to cause the node they are on to crash.

Vulnerability Details

CVEID: CVE-2015-7403

DESCRIPTION: IBM General Parallel File System is vulnerable to a denial of service, caused by a user pointer dereference. A local attacker could exploit this vulnerability to cause the GPFS they are on to crash.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107108 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Spectrum Scale V4.1.1.0 thru V4.1.1.2

IBM GPFS V4.1.0.0 thru V4.1.0.8

IBM GPFS V3.5.0.0 thru V3.5.0.28

Note: Only the AIX platform is affected

For GPFS V3.4 and lower,_ IBM recommends upgrading to a fixed, supported version/release of the product._

Remediation/Fixes

Apply IBM Spectrum Scale V4.1.1.3 for AIX or IBM GPFS V3.5.0.29 for AIX as appropriate for your level of code available from Fix Central:

- For IBM Spectrum Scale V4.1.1 and IBM GPFS V4.1 for AIX, apply V4.1.1.3 at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=AIX&function=all

- For IBM GPFS V3.5 apply V3.5.0.29 for AIX at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=AIX&function=all

Workarounds and Mitigations

None