Jun 04, 2021 - 5:26 p.m.

Security Bulletin: A format string vulnerability has been identified in IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2021-29740)

2021-06-04 17:26:18
www.ibm.com

EPSS: 0.0004 (Low), Percentile: 10.6%

Summary

A security vulnerability has been identified in all levels of IBM Elastic Storage System that could allow an attacker to execute arbitrary code in the IBM Spectrum Scale file system. A fix for this vulnerability is available.

Vulnerability Details

**CVEID:** CVE-2021-29740
**DESCRIPTION:** IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201474 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Elastic Storage System | 6.1.0 - 6.1.0.1 |
| IBM Elastic Storage System | 6.0.0 - 6.0.2.0 |

Remediation/Fixes

IBM recommends that you fix this vulnerability by upgrading affected versions of IBM Elastic Storage System 3000 and 5000 to the following code levels or higher:

V6.1.1.0 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.1.0&platform=All&function=all

V6.0.2.1 or later

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=6.0.0&platform=All&function=all

Workarounds and Mitigations

None
