Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2015-4974 and CVE-2015-4981)

Summary

A fix is available for IBM Storwize V7000 Unified, for GPFS security vulnerabilities

Vulnerability Details

IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.

CVEID: CVE-2015-4974

**DESCRIPTION:**IBM General Parallel File System could allow a local non-privileged attacker to execute commands with root privileges.

CVSS Base Score: 8.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/105789&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:N/UI:N/S:U/CI:H/I:H/A:H)

CVEID:CVE-2015-4981

**DESCRIPTION:**IBM General Parallel File System could allow a local non-privileged attacker to read system memory contents.

CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/105831&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:N/UI:N/S:U/CI:L/I:N/A:N)

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running a code releases 1.5.0.0 to 1.5.2.1

Remediation/Fixes

IBM recommends that you fix these vulnerabilities by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher:

1.5.2.2

Latest Storwize V7000 Unified Software

Workarounds and Mitigations

Workaround(s): None

Mitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.