LSF contains a vulnerability: an attacker can exploit an authentication weakness in some messages transferred between some binaries over the network to run commands with unauthorized permissions. LSF has addressed this security issue (CVE-2020-4983).
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s) |
---|---|
IBM Spectrum LSF Suite | 10.2 |
IBM Spectrum LSF | 10.1 |
IBM Spectrum LSF Suite Community Edition | 10.2 |
a) With LSF 10 FP2 or above, this security issue can be resolved in an existing cluster by following the fix in <https://www.ibm.com/support/pages/node/630961> to set LSF_EAUTH_KEY.
b) For a new installation or upgrade, see the following table.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Spectrum LSF Suite | 10.2 | None | Download IBM Spectrum LSF Suite 10.2 Fix Pack 12 from <https://www.ibm.com/support/fixcentral>, and apply the Fix Pack. |
Spectrum LSF | 10.1 | None | Download IBM Spectrum LSF 10.1 Fix Pack 12, lsf-10.1.0.12-spk-2021-Jun-build600488, from <https://www.ibm.com/support/fixcentral>, and apply the Fix Pack. |
Spectrum LSF Suite Community Edition | 10.2 | None | Download IBM Spectrum LSF CE 10.2.0.12 and deploy the cluster. |
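
To verify option (a) on a host, the following shell function audits an lsf.sudoers file. It is an added example, not IBM code; it assumes LSF_EAUTH_KEY is set as a `KEY=value` line in lsf.sudoers and that the file should carry no group or other permissions (the function name and return codes are made up for this example).

```shell
#!/bin/sh
# Added example (not IBM code): audit one lsf.sudoers file for the
# LSF_EAUTH_KEY setting that option (a) relies on.
# Return codes (constructed for this example):
#   0 = LSF_EAUTH_KEY is set and the file has no group/other permissions
#   1 = file missing or unreadable
#   2 = LSF_EAUTH_KEY absent, commented out, or empty
#   3 = key is set but the file mode grants group/other access
check_eauth_key() {
    f=$1
    [ -r "$f" ] || return 1

    # Match only an active LSF_EAUTH_KEY line. Comment lines and other
    # parameters such as LSF_EAUTH_OLDKEY are skipped.
    # The key value itself is never printed.
    awk -F= '
        /^[ \t]*#/ { next }
        NF > 1 && $1 ~ /^[ \t]*LSF_EAUTH_KEY[ \t]*$/ {
            sub(/^[^=]*=/, "")              # drop the name and "="
            gsub(/^[ \t"]+|[ \t"]+$/, "")   # trim blanks and quotes
            if (length($0) > 0) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$f" || return 2

    # Octal mode: GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in
        *00) return 0 ;;   # e.g. 600 or 400
        *)   return 3 ;;   # e.g. 644: key readable by other users
    esac
}
```

Call it as `check_eauth_key /etc/lsf.sudoers` (the path is an assumption; use the location your cluster is configured with) and act on the return code. File ownership is not checked here.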
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm spectrum lsf suite for workgroups | eq | 10.2 | |
ibm spectrum lsf | eq | 10.1 |