History: Aug 01, 2018 - 9:28 p.m.

Security Bulletin: IBM Spectrum Scale and IBM GPFS are affected by security vulnerabilities (CVE-2015-4974, CVE-2015-4981)

2018-08-01 21:28:32
www.ibm.com

EPSS: 0.0004 Low (Percentile: 5.1%)

Summary

Security vulnerabilities have been identified in the current levels of IBM Spectrum Scale V4.1.1, IBM GPFS V4.1 and V3.5 that:
- could allow a local non-privileged attacker to execute commands with root privileges (CVE-2015-4974)
- could allow a local non-privileged attacker to read system memory contents (CVE-2015-4981)

Vulnerability Details

CVEID: CVE-2015-4974
DESCRIPTION: IBM General Parallel File System could allow a local non-privileged attacker to execute commands with root privileges.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105789 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2015-4981
DESCRIPTION: IBM General Parallel File System could allow a local non-privileged attacker to read system memory contents.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105831 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Spectrum Scale V4.1.1.0 through V4.1.1.1

IBM GPFS V4.1.0.0 through V4.1.0.8

IBM GPFS V3.5.0.0 through V3.5.0.26

Remediation/Fixes

Apply IBM Spectrum Scale V4.1.1.2 or IBM GPFS V3.5.0.27, as appropriate for your level of code, available from Fix Central:

- For IBM Spectrum Scale V4.1.1 and IBM GPFS V4.1, apply V4.1.1.2 at http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

- For IBM GPFS V3.5, apply V3.5.0.27 at http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=All&function=all

Workarounds and Mitigations

None

CPE

Name: ibm spectrum scale
Operator: eq
Version: 4.1.1
