Security Bulletin: Multiple vulnerabilities in GPFS affects IBM® DB2® LUW on AIX and Linux (CVE-2015-0197, CVE-2015-0198, CVE-2015-0199)

Summary

There are multiple vulnerabilities in IBM® General Parallel File System, Versions V3.4 and V3.5 that are used by DB2® pureScale™ Feature on AIX and Linux.

Vulnerability Details

CVEID: CVE-2015-0197**
DESCRIPTION:** IBM General Parallel File System could allow a local attacker which only has a non-privileged account to execute programs with root privileges.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101224 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C)
**
CVEID:** CVE-2015-0198**
DESCRIPTION:** IBM General Parallel File System may not properly authenticate network requests and could allow an attacker to execute programs remotely with root privileges.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101225 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0199**
DESCRIPTION:** IBM General Parallel File System allows attackers to cause kernel memory corruption by issuing specific ioctl calls to a character device provided by the mmfslinux kernel module and cause a denial of service.
CVSS Base Score: 6.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101226 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:N/A:C)

Affected Products and Versions

Customers who have DB2® pureScale™ Feature installed in their DB2 database system are affected.

For CVE-2015-0198, you are not affected if either of the following are true:

• the cipherList configuration variable is set to AUTHONLY or to a cipher
  or
• only trusted nodes/processes/users can initiate connections to GPFS nodes

All fix pack levels of IBM DB2 V10.1 and V10.5 editions listed below and running on AIX and Linux are affected.

IBM DB2 Express Edition
IBM DB2 Workgroup Server Edition
IBM DB2 Enterprise Server Edition
IBM DB2 Advanced Enterprise Server Edition
IBM DB2 Advanced Workgroup Server Edition
IBM DB2 Connect™ Application Server Edition
IBM DB2 Connect™ Enterprise Edition
IBM DB2 Connect™ Unlimited Edition for System i®
IBM DB2 Connect™ Unlimited Edition for System z®

IBM DB2 pureScale™ Feature for Enterprise Server Edition, V9.8, running on AIX or Linux is affected.

Remediation/Fixes

The recommended solution is to apply the appropriate fix for this vulnerability.

FIX:
The fix for DB2 and DB2 Connect V10.1 is in V10.1 FP5 and V10.5 is in V10.5 FP6, available for download from Fix Central.

Customers running any vulnerable fixpack level of an affected Program, V9.8 can contact support to obtain a special build containing an interim fix for this issue. These special builds are available based on the most recent fixpack level for each impacted release: DB2 V9.8 FP5. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability. Additionally fixes based on DB2 V10.5 FP5 will be made available on request.

Refer to the folowing chart to determine how to proceed to obtain a needed fixpack or special build.

For CVE-2015-0198, after applying the appropriate fix pack or special build, set cipherList to AUTHONLY.

To enable AUTHONLY without shutting down the daemon on all nodes:

• Install the fix pack or special build containing the fix on all nodes in the cluster one node at a time
• Generate SSL keys by running the mmauth genkey new command.
• Enable AUTHONLY by running the mmauth update . -l AUTHONLY command. If the** mmauth update**command fails, examine the messages, correct the problems (or shut down the daemon on the problem node) and repeat the mmauth update command above.

Note: Applying the fix pack or special build on all nodes in the cluster will allow you to switch cipherList dynamically without shutting down the GPFS daemons across the cluster.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with DB2 Technical Support.

Note:_ IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion._

Workarounds and Mitigations

For CVE-2015-0197 and CVE-2015-0199, there are no workarounds or mitigations.

For CVE-2015-0198, set cipherList to AUTHONLY, or to a real cipher. Follow the instructions above if the fix pack or special build was installed on all the nodes in the cluster. Otherwise:

• Generate SSL keys by running the mmauth genkey new command
• Shut down the GPFS daemon on all nodes on the cluster
• Enable AUTHONLY by running mmauth update . -l AUTHONLY