IBMF0A307FFDEBF67056C137B5B887B4691682A5708C691030FC3FEB5408B070618Security Bulletin: GPFS security vulnerabilities in IBM Storwize V7000 Unified (CVE-2016-2985 and CVE-2016-2984)
EPSS
Percentile
5.1%
Summary
A fix is available for IBM Storwize V7000 Unified, for GPFS security vulnerabilities
Vulnerability Details
IBM General Parallel File System (GPFS) is a high-performance clustered file system. It is used in IBM Storwize V7000 Unified.
CVEID: CVE-2016-2985 DESCRIPTION: A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by setting environment variables processed by setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114001 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/CI:H/I:H/A:H)
**
CVEID**: CVE-2016-2984 DESCRIPTION: A security vulnerability has been identified in IBM Spectrum Scale and IBM GPFS that could allow a local attacker to execute commands as root by supplying command line parameters to setuid programs.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114000 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/PR:N/UI:N/S:U/CI:H/I:H/A:H)
Affected Products and Versions
IBM Storwize V7000 Unified
The product is affected when running code releases 1.5.. to 1.6..
Remediation/Fixes
IBM recommends that you fix these vulnerabilities by upgrading affected versions of IBM Storwize V7000 Unified to the following code level or higher:
1.5.2.5 and 1.6.2.0.
Latest Storwize V7000 Unified Software
Workarounds and Mitigations
Workaround(s): None
Mitigation(s): Ensure that all users who have access to the system are authenticated by another security system such as a firewall.
Related
