Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2016-2985 and CVE-2016-2984)

Summary

There are vulnerabilities in IBM Spectrum Scale packaged with IBM Spectrum Scale RAID for the Elastic Storage Server and the GPFS Storage Server.

Vulnerability Details

CVEID: CVE-2016-2985**
DESCRIPTION:** A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by setting environment variables processed by setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-2984**
DESCRIPTION:** A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by supplying command line parameters to setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The Elastic Storage Server versions 4.0, 3.5, 3.0 and 2.5

The GPFS Storage Server version 2.0

Remediation/Fixes

For the Elastic Storage Server 4.0.0 thru 4.0.5, upgrade to 4.0.6, available at_
_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.2.0&platform=All&function=all

For the Elastic Storage Server 3.5.0 thru 3.5.5, upgrade to 3.5.6 available at_
_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 3.0.0 thru 3.0.5, upgrade to 3.5.6 available at _
_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale+RAID&release=4.1.1&platform=All&function=all

For the Elastic Storage Server 2.5.0 thru 2.5.5 and the GPFS Storage Server 2.0.0 thru 2.0.7, contact IBM Service referencing APAR IV88320. See http://www.ibm.com/planetwide/

Workarounds and Mitigations

Until the fixes can be applied, a workaround is to remove the setuid from the files in the /usr/lpp/mmfs/bin directory. Determine the set of files with setuid bit by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each file

chmod u-sfile

Once the workaround is applied, a number of commands may no longer work when not invoked by unprivileged users, including:

mmchfileset mmcrsnapshot mmdelsnapshot mmdf mmedquota mmgetacl mmlsdisk mmlsfileset mmlsfs mmlsmgr mmlspolicy mmlspool mmlsquota mmlssnapshot mmputacl mmsnapdir