Nov 27, 2018 - 6:15 p.m.

Security Bulletin: The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale (CVE-2018-1782)

2018-11-27 18:15:01
www.ibm.com
EPSS: 0.0004 (Low), Percentile: 12.6%

Summary

The Elastic Storage Server is affected by a vulnerability in IBM Spectrum Scale which could allow a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system (CVE-2018-1782).

Vulnerability Details

CVEID: CVE-2018-1782
DESCRIPTION: IBM GPFS allows a local, unprivileged user to cause a kernel panic on a node running GPFS by accessing a file that is stored on a GPFS file system with mmap, or by executing a crafted file stored on a GPFS file system.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148805> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

Affected Products and Versions

The Elastic Storage Server 5.3.1 thru 5.3.1.1

Remediation/Fixes

For IBM Elastic Storage Server V5.3.1 thru 5.3.1.1, apply V5.3.2 available from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.3.0&platform=Linux+64-bit,pSeries&function=all

Notes:
If you are unable to upgrade to ESS 5.3.2, please contact IBM Service to obtain an efix:

- For IBM Elastic Storage Server 5.3.1 - 5.3.1.1, reference APAR IJ08204

To contact IBM Service, see http://www.ibm.com/planetwide/

Workarounds and Mitigations

None

CPE

Name                          Operator   Version
ibm elastic storage server    eq         any
