A fix is available for IBM Storwize V7000 Unified, for GPFS security vulnerabilities
IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.
CVEID: CVE-2016-2985
DESCRIPTION: A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by setting environment variables processed by setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-2984
DESCRIPTION: A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by supplying command line parameters to setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM Storwize V7000 Unified
The product is affected when running code releases 1.5.. to 1.6..
IBM recommends that you fix these vulnerabilities by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher:
1.5.2.5 and 1.6.2.0.
Latest Storwize V7000 Unified Software
Workaround(s): None
Mitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.
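An added example, not part of IBM's bulletin: a check of system code levels against the two fix levels listed above, compared per release stream so that a 1.6 system below 1.6.2.0 is not reported as fixed merely because it is numerically above 1.5.2.5. The system names, the sample levels and the assumption that a code level is a four-part dotted string are constructed for the example.

```python
import re

# Fix levels stated in the bulletin, keyed by release stream (major, minor).
FIX_LEVELS = {(1, 5): (1, 5, 2, 5), (1, 6): (1, 6, 2, 0)}


def parse_level(text):
    """Parse a four-part dotted code level such as '1.5.2.5' into a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognized code level: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return 'fixed', 'upgrade' or 'not-covered' for one code level."""
    level = parse_level(text)
    fix = FIX_LEVELS.get(level[:2])
    if fix is not None:
        # Compare only against the fix level of the same stream.
        return "fixed" if level >= fix else "upgrade"
    if level > max(FIX_LEVELS.values()):
        # Newer stream than any listed: the bulletin's "or higher" applies.
        return "fixed"
    # Older stream: the bulletin does not state its status.
    return "not-covered"


def report(inventory):
    """Map each system name to its classification; bad input is flagged."""
    result = {}
    for name, text in inventory.items():
        try:
            result[name] = classify(text)
        except ValueError:
            result[name] = "invalid"
    return result


# Constructed inventory: system names and levels are made up for the example.
INVENTORY = {
    "unified-a": "1.5.2.4",
    "unified-b": "1.5.2.5",
    "unified-c": "1.6.0.0",  # above 1.5.2.5 numerically, below its stream's fix
    "unified-d": "1.6.2.0",
    "unified-e": "1.5..",    # truncated value
}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```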