Security Bulletin: A vulnerable issue affects IBM Spectrum LSF Suite, IBM Spectrum LSF and IBM Spectrum LSF Suite Community Edition

Summary

There is a vulnerable issue in LSF that an attacker can exploit an authentication weakness in some messages transferred between some binaries through network, to run commands with unauthorized permission. LSF have addressed this security issue (CVE-2020-4983).

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Remediation/Fixes

a) With LSF 10 FP2 or above, by following the fix in <https://www.ibm.com/support/pages/node/630961&gt; to set LSF_EAUTH_KEY in an existing cluster, this security issue can be resolved.

b) For a new installation/upgrade, please see following table.

Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—

Spectrum LSF Suite

|

10.2

|

None

|

Download IBM Spectrum LSF Suite 10.2 Fix Pack 12 from <https://www.ibm.com/support/fixcentral&gt;, and apply the Fix Pack.

Spectrum LSF

|

10.1

|

None

|

Download IBM Spectrum LSF 10.1 Fix Pack 12, lsf-10.1.0.12-spk-2021-Jun-build600488, from <https://www.ibm.com/support/fixcentral&gt;, and apply the Fix Pack.

Spectrum LSF Suite Community Edition

|

10.2

|

None

|

Download IBM Spectrum LSF CE 10.2.0.12 and deploy the cluster.

https://epwt-www.mybluemix.net/software/support/trial/cst/programwebsite.wss?siteId=680&h=null&p=null

Workarounds and Mitigations

None