A security vulnerability has been identified in the current levels of IBM Spectrum Scale V4.1.1 thru 4.1.1.3 and V4.2.0.0 that could allow a local, unprivileged user or a user with network access to the IBM Spectrum Scale cluster, access to the LDAP directory bind user password when File protocol is deployed with LDAP / LDAP with Kerberos based authentication.
CVEID: CVE-2015-7488 DESCRIPTION: IBM Spectrum Scale could allow a local, unprivileged user or a user with network access to the IBM Spectrum Scale cluster_, _ access to the_ _LDAP directory bind user password when File protocol is deployed with LDAP / LDAP with Kerberos based authentication.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108784 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
IBM Spectrum Scale V4.1.1 thru 4.1.1.3 and V4.2
The following fixes will need to be applied to all nodes in the cluster regardless of whether they are configured as protocol nodes or not.
For IBM Spectrum Scale V4.1.1.0 thru 4.1.1.3, apply 4.1.1.4 available at http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all
For IBM Spectrum Scale V4.2, apply 4.2.0.1 available at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=All&platform=All&function=all
After all nodes have either been upgraded to 4.1.1.4 or 4.2.0.1, run the following commands:
mmlsconfig minReleaseLevel
Verify the reported value of minReleaseLevel is 4.1.1.4 or higher. The value should be 4.2.0.1 if all nodes in the cluster are running with version 4.2.0.1 .
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum scale | eq | 4.1.1 | |
ibm spectrum scale | eq | 4.2.0 |