History: Dec 16, 2022 - 2:38 p.m.

Security Bulletin: A vulnerability in IBM Spectrum Scale CSI could allow unauthorized access (CVE-2022-40607)

2022-12-16 14:38:42
www.ibm.com

6.8 Medium (CVSS3)

Attack Vector            NETWORK
Attack Complexity        LOW
Privileges Required      HIGH
User Interaction         NONE
Scope                    CHANGED
Confidentiality Impact   HIGH
Integrity Impact         NONE
Availability Impact      NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

EPSS: 0.001 Low (percentile 19.7%)

Summary

A security vulnerability has been identified in IBM Spectrum Scale CSI that could allow unauthorized access. A fix for this vulnerability is available.

Vulnerability Details

CVEID: CVE-2022-40607
**DESCRIPTION:** IBM Spectrum Scale could allow users with permission to create pods, persistent volumes and persistent volume claims to access files and directories outside of the volume, including on the host filesystem.
CVSS Base score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/235740 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
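The precondition above is a specific RBAC triple: a subject that can create pods, persistentvolumes and persistentvolumeclaims. Scoping who holds all three is the first triage step, and the cluster-scoped nature of persistentvolumes matters because a RoleBinding cannot grant it. The following is an added example, not code from the IBM bulletin or the Spectrum Scale CSI project; it models Role/ClusterRole rules and bindings in a deliberately simplified form (no aggregated roles, resourceNames, groups or subresources), and the role and binding data are constructed.

```python
# Added example, not part of the IBM bulletin or the Spectrum Scale CSI project.
# Finds subjects that satisfy the CVE-2022-40607 precondition: create on pods,
# persistentvolumes and persistentvolumeclaims. The RBAC model is simplified and
# the sample roles/bindings are constructed.
from dataclasses import dataclass

REQUIRED_CREATES = {"pods", "persistentvolumes", "persistentvolumeclaims"}
CLUSTER_SCOPED = {"persistentvolumes"}  # PVs are cluster-scoped; pods and PVCs are namespaced


@dataclass(frozen=True)
class Rule:
    api_groups: frozenset
    resources: frozenset
    verbs: frozenset


@dataclass(frozen=True)
class Binding:
    subject: str
    role: str
    cluster_wide: bool  # True for a ClusterRoleBinding, False for a RoleBinding


def rule_grants(rule, resource, verb):
    """All three resources live in the core API group (''); '*' matches anything."""
    return (
        bool({"", "*"} & rule.api_groups)
        and (resource in rule.resources or "*" in rule.resources)
        and (verb in rule.verbs or "*" in rule.verbs)
    )


def effective_creates(subject, roles, bindings):
    """Subset of REQUIRED_CREATES that `subject` can create somewhere in the cluster."""
    granted = set()
    for binding in bindings:
        if binding.subject != subject:
            continue
        for rule in roles[binding.role]:
            for resource in REQUIRED_CREATES:
                # A RoleBinding is namespace-scoped and cannot grant a cluster-scoped
                # resource, even when it references a ClusterRole that lists it.
                if resource in CLUSTER_SCOPED and not binding.cluster_wide:
                    continue
                if rule_grants(rule, resource, "create"):
                    granted.add(resource)
    return granted


def subjects_meeting_precondition(roles, bindings):
    """Subjects holding all three create permissions, i.e. those in scope for this CVE."""
    subjects = {b.subject for b in bindings}
    return sorted(s for s in subjects if effective_creates(s, roles, bindings) == REQUIRED_CREATES)


# Constructed sample data (not from any real cluster).
SAMPLE_ROLES = {
    "cluster-admin": [Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))],
    "storage-operator": [Rule(frozenset({""}),
                              frozenset({"pods", "persistentvolumes", "persistentvolumeclaims"}),
                              frozenset({"create", "get", "list"}))],
    "app-deployer": [Rule(frozenset({""}), frozenset({"pods", "persistentvolumeclaims"}),
                          frozenset({"create", "delete"}))],
    "viewer": [Rule(frozenset({""}),
                    frozenset({"pods", "persistentvolumes", "persistentvolumeclaims"}),
                    frozenset({"get", "list"}))],
}
SAMPLE_BINDINGS = [
    Binding("group:system:masters", "cluster-admin", True),
    Binding("sa:storage/ops", "storage-operator", True),
    Binding("sa:dev/ci", "storage-operator", False),   # RoleBinding: PV create does not apply
    Binding("user:alice", "app-deployer", False),
    Binding("user:bob", "viewer", True),
]

if __name__ == "__main__":
    for subject in subjects_meeting_precondition(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("in scope for CVE-2022-40607:", subject)
```

Against a live cluster the equivalent check is `kubectl auth can-i create persistentvolumes --as=<subject>` (and likewise for pods and persistentvolumeclaims, with `-n` for the namespaced ones), which lets the API server evaluate the full RBAC semantics this model omits.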

Affected Products and Versions

Affected Product(s)      Version(s)
IBM Spectrum Scale CSI   2.6.0 or before (CNSA 5.1.4.0 or before)

Remediation/Fixes

For IBM Spectrum Scale CSI 2.6.0 or before (CNSA 5.1.4.0 or before), apply Spectrum Scale CSI 2.6.1 or later (CNSA 5.1.4.1 or later)

If you are using standalone CSI, follow the IBM Spectrum Scale CSI instructions for the upgrade steps to Spectrum Scale CSI 2.6.1 or later: <https://www.ibm.com/docs/en/spectrum-scale-csi>

If you are using CSI deployed with CNSA, follow the IBM Spectrum Scale Container Native instructions for the upgrade steps to Spectrum Scale Container Native Storage Access 5.1.4.1 or later: <https://www.ibm.com/docs/en/scalecontainernative>

Note: This security vulnerability does not impact the non-containerized Scale images used either as the base for the standalone CSI or in a remote mount storage cluster for CSI or CNSA; however, the CSI or CNSA versions being upgraded to may require upgrading the non-containerized Scale images in those environments. The required non-containerized Scale can be downloaded from Fix Central.
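Confirming the fix means checking the image tags actually running, for both the standalone CSI driver (fixed in 2.6.1) and the CNSA core image (fixed in 5.1.4.1). The following is an added example, not code from the IBM bulletin or the Spectrum Scale CSI project: it classifies a list of image references against those two fixed versions. The repository names in `FIXED_VERSIONS` and the sample image list are assumptions; feed it the image column from `kubectl get pods -A -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'` in practice.

```python
# Added example, not part of the IBM bulletin or the Spectrum Scale CSI project.
# Flags Spectrum Scale CSI / CNSA images below the fixed versions the bulletin
# gives (CSI 2.6.1, CNSA 5.1.4.1). Repository names and the sample image list
# below are assumptions, not data from the bulletin.
import re

# Image basename -> minimum fixed version. Repository names are assumed.
FIXED_VERSIONS = {
    "ibm-spectrum-scale-csi-driver": (2, 6, 1),   # standalone CSI, fixed in 2.6.1
    "ibm-spectrum-scale-core": (5, 1, 4, 1),      # CNSA core image (assumed name), fixed in 5.1.4.1
}

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)+)")


def split_ref(image):
    """Split 'registry/repo[:tag][@digest]' into (repo, tag).
    A ':' that precedes the last '/' is a registry port, not a tag."""
    ref = image.split("@", 1)[0]
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        return ref[:colon], ref[colon + 1:]
    return ref, None


def parse_version(tag):
    """Leading dotted numeric version of a tag ('v2.6.0', '5.1.4.1-20221116'); None if absent."""
    if tag is None:
        return None
    m = _VERSION_RE.match(tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(version, width):
    """Right-pad with zeros so (5, 1, 4) compares as 5.1.4.0 against 5.1.4.1."""
    return version + (0,) * (width - len(version))


def classify(image):
    """'vulnerable', 'fixed' or 'unknown' for a Spectrum Scale image; None for other images."""
    repo, tag = split_ref(image)
    name = repo.rsplit("/", 1)[-1]
    if name not in FIXED_VERSIONS:
        return None
    version = parse_version(tag)
    if version is None:
        # Digest-only or non-numeric tag ('latest'): resolve the digest manually.
        return "unknown"
    fixed = FIXED_VERSIONS[name]
    width = max(len(version), len(fixed))
    return "fixed" if _pad(version, width) >= _pad(fixed, width) else "vulnerable"


def audit(images):
    """Map each Spectrum Scale image in `images` to its status; other images are skipped."""
    findings = {}
    for image in images:
        status = classify(image)
        if status is not None:
            findings[image] = status
    return findings


# Constructed sample input, shaped like the image column kubectl prints.
SAMPLE_IMAGES = [
    "quay.io/ibm-spectrum-scale/ibm-spectrum-scale-csi-driver:v2.6.0",
    "quay.io/ibm-spectrum-scale/ibm-spectrum-scale-csi-driver:v2.6.1",
    "cp.icr.io/cp/spectrum/scale/ibm-spectrum-scale-core:v5.1.4.0",
    "localhost:5000/mirror/ibm-spectrum-scale-core:5.1.4.1-20221116",
    "quay.io/ibm-spectrum-scale/ibm-spectrum-scale-csi-driver@sha256:" + "0" * 64,
    "registry.k8s.io/sig-storage/csi-provisioner:v3.3.0",
]

if __name__ == "__main__":
    for image, status in audit(SAMPLE_IMAGES).items():
        print(f"{status:10s} {image}")
```

Pre-release suffixes are ignored by the version parser (a `2.6.1-rc1` tag classifies as fixed), and digest-only references come back as "unknown" rather than a guess; both are cases to resolve by hand against the registry rather than trust the tag.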

Workarounds and Mitigations

None

Affected configurations (Vulners CPE match)

CPE                  Operator   Version
ibm spectrum scale   eq         5.1
