History: Mar 03, 2022 - 10:43 a.m.

Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925)

2022-03-03 10:43:44
www.ibm.com

EPSS: 0.0004 (Low), percentile 12.8%

Summary

A security vulnerability has been identified in all levels of IBM Spectrum Scale where the mmfsd daemon can be prevented from servicing requests. A fix for this vulnerability is available.

Vulnerability Details

CVEID: CVE-2020-4925
**DESCRIPTION:** A security vulnerability in IBM Spectrum Scale allows a non-root user to overflow the mmfsd daemon with requests, preventing the daemon from servicing other requests.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191599 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Spectrum Scale | ALL |

Remediation/Fixes

For IBM Spectrum Scale levels lower than V5.1.1, apply V5.1.1 or later (including 5.1.2 or later), available from FixCentral at:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=5.1.1&platform=All&function=all

In addition to applying the recommended code level, ensure that the sdrNotifyAuthEnabled configuration variable is set to 'yes', which requires a cluster minimum release level of 5.1.1 or later.

See the mmchconfig command for more details: <https://www.ibm.com/docs/en/spectrum-scale/5.1.1?topic=reference-mmchconfig-command>

Note: Systems running a supported version should be upgraded to the current release containing the security fixes.
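The two remediation conditions above can be audited with a short script. This is an added example, not IBM's code: the function names are hypothetical, and it assumes `mmlsconfig <attribute>` prints one `<attribute> <value>` line, falling back to constructed sample lines when the Spectrum Scale CLI is not on the PATH.

```shell
#!/bin/sh
# Added example: audit the remediation conditions for CVE-2020-4925.
# Assumption: `mmlsconfig <attr>` prints "<attr> <value>" on one line.

# version_ge A B: succeed if dotted version A >= B, compared field by field.
version_ge() {
    a=$1 b=$2
    case $a in ''|*[!0-9.]*) return 2 ;; esac   # reject empty/non-numeric input
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}                     # missing fields count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# audit_config MINRELEASE_LINE SDRAUTH_LINE
# Prints a verdict; returns 0 only when both conditions from the bulletin hold.
audit_config() {
    level=$(printf '%s\n' "$1" | awk '$1 == "minReleaseLevel" { print $2 }')
    auth=$(printf '%s\n' "$2" | awk '$1 == "sdrNotifyAuthEnabled" { print $2 }')
    if ! version_ge "$level" 5.1.1; then
        echo "FAIL: minReleaseLevel '${level:-unknown}' is below 5.1.1"
        return 1
    fi
    if [ "$auth" != yes ]; then
        echo "FAIL: sdrNotifyAuthEnabled is '${auth:-unset}', expected 'yes' (see mmchconfig)"
        return 1
    fi
    echo "OK: minReleaseLevel $level, sdrNotifyAuthEnabled=yes"
}

if command -v mmlsconfig >/dev/null 2>&1; then
    # Live check on a cluster node.
    audit_config "$(mmlsconfig minReleaseLevel)" \
                 "$(mmlsconfig sdrNotifyAuthEnabled)" || true
else
    # Constructed sample lines, not captured from a real cluster.
    audit_config "minReleaseLevel 5.0.5.0" "sdrNotifyAuthEnabled no" || true
fi
```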

Workarounds and Mitigations

None
