Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2015-0197 and CVE-2015-0199)

Summary

A fix is available for IBM Storwize V7000 Unified, for GPFS security vulnerabilities

Vulnerability Details

IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.

CVEID: CVE-2015-0197

**DESCRIPTION:**IBM General Parallel File System could allow a local attacker which only has a non-privileged account to execute programs with root privileges.

CVSS Base Score: 6.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101224&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVEID:CVE-2015-0199

**DESCRIPTION:**IBM General Parallel File System allows attackers to cause memory corruption. A local attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 6.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101226&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running a code releases 1.3.0.0 to 1.5.2.0

Remediation/Fixes

A fix for these issues is in version 1.5.2.1 of IBM Storwize V7000 Unified. Customers running an affected version of Storwize V7000 Unified should upgrade to 1.5.2.1 or a later version, so that the fix gets applied.

Latest Storwize V7000 Unified Software

Workarounds and Mitigations

Workaround(s): None

Mitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.