Security Bulletin: IBM Spectrum Scale is affected by a security vulnerability (CVE-2016-0263)

Summary

A security vulnerability has been identified in the current levels of IBM Spectrum Scale V4.2, V4.1 and IBM General Parallel File System V3.5, that could allow a local user, under special circumstances, to escalate their privileges or cause a denial of service when the mmapplypolicy command is issued with certain options and syntax.

Vulnerability Details

CVEID: CVE-2016-0263**
DESCRIPTION:** IBM General Parallel File System could allow a local user under special circumstances to escalate their privileges or cause a denial of service.
CVSS Base Score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110661 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Scale V4.2
IBM Spectrum Scale V4.1
IBM General Parallel File System V3.5

Remediation/Fixes

To apply the fix for the mmapplypolicy command vulnerability, install the latest level of code available.

For IBM Spectrum Scale V4.2.0.0 thru V4.2.0.1, apply V4.2.0.2 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=All&platform=All&function=all

For IBM Spectrum Scale V4.1.0.0 thru V4.1.1.4, apply V4.1.1.5 available at http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

For IBM General Parallel File System V3.5.0.0 thru V3.5.0.29, apply V3.5.0.30 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=All&function=all

Workarounds and Mitigations

None