
Security Bulletin: Vulnerabilities in OpenSSH and OpenSSL affect GPFS for Windows V3.5

Description

## Summary

OpenSSH vulnerabilities were disclosed on December 23, 2016 by the OpenSSH Project. OpenSSL vulnerabilities were disclosed on November 10, 2016 and January 26, 2017 by the OpenSSL Project. OpenSSH and OpenSSL are used by GPFS V3.5 for Windows. GPFS V3.5 for Windows has addressed the applicable CVEs.

## Vulnerability Details

**CVEID:** [CVE-2016-10009](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009>)

**DESCRIPTION:** OpenSSH could allow a remote authenticated attacker to execute arbitrary code on the system, caused by the loading of a specially crafted PKCS#11 module across a forwarded agent channel. An attacker could exploit this vulnerability to write files or execute arbitrary code on the system.

- CVSS Base Score: 6.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119828> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2016-10010](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010>)

**DESCRIPTION:** OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when privilege separation is disabled. An attacker could exploit this vulnerability using a forwarded Unix-domain socket to gain root privileges on the system.

- CVSS Base Score: 8.4
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119829> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** [CVE-2016-10011](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011>)

**DESCRIPTION:** OpenSSH could allow a local authenticated attacker to obtain sensitive information, caused by a privilege separation flaw. An attacker could exploit this vulnerability to obtain host private key material and other sensitive information.

- CVSS Base Score: 5.5
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119830> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** [CVE-2016-10012](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012>)

**DESCRIPTION:** OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by improper bounds checking in the shared memory manager. An attacker could exploit this vulnerability to gain elevated privileges on the system.

- CVSS Base Score: 5.9
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/119831> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** [CVE-2016-7055](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7055>)

**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error in a Broadwell-specific Montgomery multiplication procedure. By sending specially crafted data, a remote attacker could exploit this vulnerability to trigger errors in public-key operations in configurations where multiple remote clients select an affected EC algorithm and cause a denial of service.

- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118748> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2017-3731](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3731>)

**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read when using a specific cipher. By sending specially crafted truncated packets, a remote attacker could exploit this vulnerability using CHACHA20/POLY1305 to cause the application to crash.

- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121312> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** [CVE-2017-3732](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3732>)

**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by a propagation error in the BN_mod_exp() function. An attacker could exploit this vulnerability to obtain information about the private key.

- CVSS Base Score: 5.3
- CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121313> for the current score
- CVSS Environmental Score*: Undefined
- CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

## Affected Products and Versions

OpenSSH for GPFS V3.5 for Windows

## Remediation/Fixes

In GPFS V3.5.0.34, IBM upgraded OpenSSH for GPFS on Windows to 7.4p1 and to use OpenSSL 1.0.2k to address these vulnerabilities. System administrators should update their systems to GPFS V3.5.0.34 by following the steps below.

1. Download the GPFS 3.5.0.34 update package into any directory on your system from <http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%2Bsoftware&product=ibm/power/IBM+General+Parallel+File+System&release=3.5.0&platform=Windows&function=all>
2. Extract the contents of the ZIP archive so that the .msi file it includes is directly accessible to your system.
3. Follow the instructions in the README included in the update package to install the OpenSSH msi package. This updated OpenSSH 7.4p1 msi package is built using OpenSSL 1.0.2k.

If GPFS multiclustering is configured on Windows nodes, upgrade all OpenSSL packages that may have been installed. To maintain file system availability, the following can be done on a small group of nodes at a time (ensuring that quorum is maintained):

a. Stop GPFS on the node
b. Install the version of OpenSSL
c. Restart GPFS on the node

## Workarounds and Mitigations

None

## Get Notified about Future Security Bulletins

Subscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.
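A post-upgrade check for the Remediation/Fixes steps above, as an added example that is not part of the IBM bulletin: it parses `ssh -V` banner lines and compares them with the versions the bulletin names (OpenSSH 7.4p1, OpenSSL 1.0.2k). It assumes the banners were collected by running `ssh -V` on each node; the node names and banner lines are constructed samples.

```python
import re

# Fixed levels taken from the bulletin's Remediation/Fixes section.
MIN_OPENSSH = (7, 4)              # OpenSSH 7.4p1
MIN_OPENSSL = ((1, 0, 2), "k")    # OpenSSL 1.0.2k

# Matches banners such as "OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017".
BANNER_RE = re.compile(
    r"OpenSSH_(?P<ssh>\d+\.\d+)(?:p\d+)?.*?"
    r"OpenSSL (?P<ssl>\d+\.\d+\.\d+)(?P<letter>[a-z]*)"
)

def check_banner(banner):
    """Return (openssh_ok, openssl_ok) for one `ssh -V` banner line.

    openssl_ok is None when OpenSSL is not on the 1.0.2 branch: the bulletin
    only names 1.0.2k, so other branches need a manual review.
    """
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("unrecognised banner: %r" % banner)
    ssh = tuple(int(p) for p in m.group("ssh").split("."))
    ssl = tuple(int(p) for p in m.group("ssl").split("."))
    openssh_ok = ssh >= MIN_OPENSSH
    if ssl != MIN_OPENSSL[0]:
        openssl_ok = None
    else:
        # Letter releases sort alphabetically: "" < "j" < "k" < "l".
        openssl_ok = m.group("letter") >= MIN_OPENSSL[1]
    return openssh_ok, openssl_ok

def nodes_needing_update(banners):
    """Return sorted node names not confirmed at the fixed levels."""
    return sorted(n for n, b in banners.items()
                  if check_banner(b) != (True, True))

# Constructed sample data: hypothetical node names and banner lines.
SAMPLE_BANNERS = {
    "winnode1": "OpenSSH_7.4p1, OpenSSL 1.0.2k  26 Jan 2017",
    "winnode2": "OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015",
    "winnode3": "OpenSSH_7.4p1, OpenSSL 1.0.1u  22 Sep 2016",
}

if __name__ == "__main__":
    for node in nodes_needing_update(SAMPLE_BANNERS):
        print(node, check_banner(SAMPLE_BANNERS[node]))
```

A node is reported unless both components are confirmed at or above the bulletin's levels, so an OpenSSL build from another branch is listed for review rather than silently passed.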
### References

- [Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide>)
- [On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator>)
- [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide>)
- [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)

## Related Information

- [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>)
- [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)

## Change History

25 March 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

Review the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Affected Software


CPE Name Name Version
general parallel file system 3.5.0
