Aug 28, 2020 - 5:54 p.m.

Security Bulletin: A vulnerability in IBM Spectrum Scale packaged in IBM Elastic Storage Server could cause a denial of service (CVE-2020-4411)

2020-08-28 17:54:38
www.ibm.com
EPSS: 0.0005 (Low), Percentile: 18.2%

Summary

A security vulnerability has been identified in all levels of IBM Elastic Storage Server that could allow a local attacker to cause a denial of service. A fix for this vulnerability is available.

Vulnerability Details

CVEID: CVE-2020-4411
**DESCRIPTION:** The Spectrum Scale 4.2.0.0 through 4.2.3.21 and 5.0.0.0 through 5.0.4.3 file system component is affected by a denial of service vulnerability in its kernel module that could allow an attacker to cause a denial of service condition on the affected system. To exploit this vulnerability, a local attacker could invoke a subset of ioctls on the Spectrum Scale device with non-valid arguments. This could allow the attacker to crash the kernel. IBM X-Force ID: 179986.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179986 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Affected Products and Versions

The Elastic Storage Server 5.3.0 through 5.3.5
The Elastic Storage Server 5.0.0 through 5.2.9
The Elastic Storage Server 4.5.0 through 4.6.0.0
The Elastic Storage Server 4.0.0 through 4.0.6.0

Remediation/Fixes

For IBM Elastic Storage Server V5.3.0 through V5.3.5, apply V5.3.6 available from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.3.0&platform=All&function=all

For IBM Elastic Storage Server V5.0.0 through 5.2.9, apply V5.2.10 available from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.2.0&platform=All&function=all

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| ibm elastic storage server | eq | 5.3 |
