Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF Suite and IBM Spectrum LSF Suite for HPA in a Linux or Unix environment. This could allow an attacker to escalate privileges. The issue is tracked as CVE-2020-4278.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s)
---|---
IBM Spectrum Suite for HPA | 10.2
IBM Spectrum LSF Suite | 10.2
Remove the setuid bit from the following binaries with the `chmod -s <filename>` command: lsadmin, badmin, egosh, utmpreg.
This remediation completely closes the vulnerability. However, it comes with the following limitations:
- Privileged ports cannot be used for LSF daemons. By default LSF does not use privileged ports.
- Cannot configure /etc/lsf.sudoers to enable non-root to start LSF daemons.
- Cannot configure /etc/ego.sudoers to enable non-root to start EGO.
- Cannot enable LSB_UTMP=Y in lsf.conf. By default it is not enabled.
No other functions are affected, and normal use of the cluster is not impacted.
These limitations will be removed by a fix in upcoming LSF Suite 10.2.0.10 and LSF Suite for HPA 10.2.0.10.
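The audit-and-remediate script below is an added example, not part of the IBM bulletin: it reports which of the four named binaries still carry the setuid bit, applies the bulletin's `chmod -s`, and verifies the result. The directory passed in is an assumption (the real binaries live under the LSF installation's bin directory); the demo at the end uses constructed stand-in files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin). Audits and clears the setuid bit
# on the LSF/EGO binaries named in the remediation for CVE-2020-4278.

LSF_SUID_BINARIES="lsadmin badmin egosh utmpreg"

# Print "<path> <mode>" for each named binary that still has the setuid bit.
# Returns 0 if none of them is setuid, 1 if at least one still is.
lsf_audit_suid() {
    bindir="$1"
    found=0
    for name in $LSF_SUID_BINARIES; do
        f="$bindir/$name"
        [ -e "$f" ] || continue          # skip binaries not installed here
        if [ -u "$f" ]; then             # POSIX test: setuid bit set
            printf '%s setuid (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
            found=1
        fi
    done
    return $found
}

# Apply the bulletin's fix (chmod -s on each named binary), then re-audit.
# Returns 0 only when no named binary remains setuid.
lsf_remove_suid() {
    bindir="$1"
    for name in $LSF_SUID_BINARIES; do
        f="$bindir/$name"
        [ -e "$f" ] && chmod -s "$f"
    done
    lsf_audit_suid "$bindir" >/dev/null
}

# Constructed demo: empty stand-in files with mode 4755 in a temp directory,
# mimicking the pre-fix state. Replace with the real LSF bin directory in use.
demo_dir="$(mktemp -d)"
for name in $LSF_SUID_BINARIES; do
    : > "$demo_dir/$name"
    chmod 4755 "$demo_dir/$name"
done
if lsf_audit_suid "$demo_dir"; then
    echo "no setuid LSF binaries found in $demo_dir"
else
    lsf_remove_suid "$demo_dir" && echo "setuid cleared on all LSF binaries"
fi
```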
CPE Name | Operator | Version
---|---|---
ibm spectrum lsf suite for workgroups | eq | 10.2
ibm spectrum lsf suite for hpa | eq | 10.2
ibm spectrum lsf suite for hpc | eq | 10.2