EGI SVG Advisories

Advisory-SVG-CVE-2016-0392


Title:   EGI SVG Advisory [TLP:WHITE] 'CRITICAL' risk vulnerability in IBM's
         GPFS CVE-2016-0392 [EGI-SVG-CVE-2016-0392]

Date:    2016-06-01
Updated:


Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning IBM's General Parallel File System (GPFS).

Package : GPFS (IBM)
CVE ID  : CVE-2016-0392

As stated in [R 1] a security vulnerability has been identified in all levels
of IBM Spectrum Scale and IBM GPFS that could allow a local attacker to inject
commands into setuid file parameters and execute commands as root.

Actions Required/Recommended
============================

Sites running IBM's General Parallel File System (GPFS) MUST be patched, apply the
mitigation below, or have the software removed by 2016-06-09 00:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.

It may not be possible for EGI CSIRT to detect vulnerable instances, but it is
important that sites using this software take action if they have not done so
already.

Affected software details
==========================

See [R 1]

More information
================

Several sites have been identified on the EGI infrastructure which deploy IBM's
General Parallel File System (GPFS) in various circumstances, hence EGI SVG is
alerting all sites to this vulnerability.

See [R 1]

Mitigation
==========

From [R 1]

Until the fixes can be applied, a workaround is to remove the setuid from the
files in the /usr/lpp/mmfs/bin directory.
Determine the set of files with setuid bit by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each
file

chmod u-s file

Once the workaround is applied, a number of commands may no longer work.
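The following script is an added example written for this page; it is not part of IBM's bulletin or of the EGI advisory. It carries out the workaround above in a way that can be reversed once the fixed level is installed: it lists the setuid files in the GPFS bin directory, strips the setuid bit from each, and records the affected paths so that `chmod u+s` can be reapplied later. It uses `find -perm -4000` rather than `ls -l | grep r-s`, because `grep r-s` only matches entries whose owner lacks write permission; a file with mode `rwsr-xr-x` would not be listed. The directory defaults to /usr/lpp/mmfs/bin from [R 1]; the record file location (/root/gpfs-setuid.list) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM's or EGI SVG's code: reversible removal of setuid bits
# from a GPFS bin directory. Default paths below are assumptions for illustration.

# List regular files in $1 that carry the setuid bit, one per line, sorted.
# Unlike 'ls -l | grep r-s', this also catches files with mode rws (owner-writable).
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 | sort
}

# Strip setuid from every file found in directory $1, writing the paths to
# record file $2 so the change can be undone. Prints the number of files changed.
strip_setuid() {
    dir=$1
    record=$2
    list_setuid "$dir" > "$record"
    while IFS= read -r f; do
        chmod u-s "$f"
    done < "$record"
    wc -l < "$record" | tr -d ' '
}

# Re-apply setuid to every path listed in record file $1 (after the fix level
# from IBM's bulletin has been installed). Paths that no longer exist are skipped.
restore_setuid() {
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            chmod u+s "$f"
        fi
    done < "$1"
}

# Number of setuid files remaining in directory $1; expected to be 0 once mitigated.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Usage:  sh gpfs-setuid.sh strip [DIR] [RECORD]
#         sh gpfs-setuid.sh restore RECORD
case "${1:-}" in
    strip)   strip_setuid "${2:-/usr/lpp/mmfs/bin}" "${3:-/root/gpfs-setuid.list}" ;;
    restore) restore_setuid "$2" ;;
esac
```

Run `strip` as root before the patch window, keep the record file outside the GPFS tree, and run `restore` only after the fixed level is confirmed installed; as IBM notes, some mm* commands will fail for non-root users while the bits are removed.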


Component installation information
==================================

See IBM's security bulletin [R 1]

TLP and URL
===========

** WHITE information - Unlimited distribution -
see https://go.egi.eu/tlp for distribution restrictions **

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2016-0392

Minor updates may be made without re-distribution to the sites.

Credit
======

SVG was alerted to this vulnerability by Christopher Walker from QMUL

References
==========

[R 1] http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005781

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd  [EGI-SVG-2016-11185]

2016-05-31 SVG alerted to this publicly disclosed issue by Christopher Walker
           from QMUL
2016-05-31 Acknowledgement from the EGI SVG to the reporter
2016-06-01 EGI SVG Risk Assessment completed
2016-06-01 Advisory/Alert sent to sites
2016-06-08 Advisory on the wiki