History: Jun 18, 2018 - 12:28 a.m.

Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-0392)

2018-06-18 00:28:10
www.ibm.com

EPSS: 0.001 (Percentile: 44.7%)

Summary

A fix is available for GPFS security vulnerabilities in IBM Storwize V7000 Unified.

Vulnerability Details

IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.

CVEID: CVE-2016-0392
DESCRIPTION: IBM General Parallel File System could allow a local attacker to inject commands into setuid file parameters and execute commands as root.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112611 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Storwize V7000 Unified
The product is affected when running code releases 1.5.. to 1.6..

Remediation/Fixes

IBM recommends that you fix these vulnerabilities by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher:

1.5.2.5 and 1.6.2.0.

Latest Storwize V7000 Unified Software

Workarounds and Mitigations

Workaround: Remove the setuid bit from the files in the /usr/lpp/mmfs/bin directory. Determine the set of files with the setuid bit set by running:

ls -l /usr/lpp/mmfs/bin | grep r-s

Then clear the setuid bit on each such file by issuing this command for each file:

chmod u-s file
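
A more defensive form of the workaround above, as an added example that is not part of the IBM bulletin: it selects files by the setuid permission bit with find instead of matching ls output, records each path it changes, and verifies that no setuid file remains. The function names, the record file and the scratch-directory demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin; function names are hypothetical.

# Print regular files directly inside directory $1 that carry the setuid
# bit (mode 4000). Matching on the bit catches both r-s and rws owner modes.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 -print
}

# Clear setuid on each file found in $1 and append its path to the record
# file $2, so the change can be audited afterwards. Prints how many files
# were changed; fails if any chmod fails or a setuid file remains.
clear_setuid() {
    dir=$1
    record=$2
    todo=$(mktemp) || return 1
    list_setuid "$dir" > "$todo" || { rm -f "$todo"; return 1; }
    count=0
    while IFS= read -r f; do
        chmod u-s "$f" || { rm -f "$todo"; return 1; }
        printf '%s\n' "$f" >> "$record"
        count=$((count + 1))
    done < "$todo"
    rm -f "$todo"
    # Verify: nothing in the directory should still be setuid.
    [ -z "$(list_setuid "$dir")" ] || return 1
    echo "$count"
}

# Constructed sample: a scratch directory standing in for
# /usr/lpp/mmfs/bin, with two setuid files and one ordinary file.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/mmcmd1" "$d/mmcmd2" "$d/plain"
    chmod 4555 "$d/mmcmd1"
    chmod 4755 "$d/mmcmd2"
    chmod 0555 "$d/plain"
    clear_setuid "$d" "$d/changed.list"
    rm -rf "$d"
}

# Real use: sh script.sh /usr/lpp/mmfs/bin /root/mmfs-setuid.list
if [ "$#" -eq 2 ]; then
    clear_setuid "$1" "$2"
fi
```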

Mitigation: None
