Security Bulletin: IBM Spectrum Scale (GPFS) Hadoop connector is affected by a security vulnerability (CVE-2015-7430)

Security Bulletin


Summary

A security vulnerability has been identified in the IBM Spectrum Scale (GPFS) Hadoop connector which could allow an unprivileged user the ability to read, write, modify, or delete any data in a GPFS file system (CVE-2015-7430).

Vulnerability Details

CVEID: CVE-2015-7430
DESCRIPTION:
IBM General Parallel File System Hadoop connector could allow an unprivileged user the ability to read, write, modify, or delete any data in a GPFS file system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107859 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Scale (GPFS) Hadoop connector 1.1.1, 2.4, 2.5, and 2.7.0-0 thru 2.7.0-2

Remediation/Fixes

Users of the IBM Spectrum Scale (GPFS) Hadoop connector should upgrade to 2.7.0-3 available at

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Hadoop%20Connector%20Download%20%26%20Info


Uninstall the old connector and upgrade to 2.7.0-3. To upgrade the connector, see chapter 15 of the Deploying a Big Data Solution using IBM Spectrum Scale technical white paper at https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Big%20Data%20Best%20practices.

After upgrading to 2.7.0-3:

If you have configured one group as gpfs.supergroup (e.g. gpfs.supergroup="hadoop"):

1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.

2. Issue the chown <anyone-super-user>:<super-group> /var/mmfs/bi command on all nodes.
For example, if the group hadoop is configured as gpfs.supergroup in the connector:

chown hdfs:hadoop /var/mmfs/bi

3. Issue the chmod command to limit access to the hadoop super group users:

chmod 0660 /var/mmfs/bi

4. Restart the connector by issuing the commands on all nodes:

mmhadoopctl connector stop
mmhadoopctl connector start



If you have configured more than one group as gpfs.supergroup (e.g. gpfs.supergroup="bigsql,hadoop"):

1. Create the directory /var/mmfs/bi on all nodes if the directory is not yet present.

2. Issue the chown <anyone-super-user>:<anyone-super-group> /var/mmfs/bi command on all nodes.
If the group hadoop is configured as gpfs.supergroup in connector:

chown hdfs:hadoop /var/mmfs/bi

3. Issue the chmod command to limit access to the hadoop super group users:

chmod 0660 /var/mmfs/bi

4. Restart the connector by issuing the commands on all nodes:

mmhadoopctl connector stop
mmhadoopctl connector start

5. After you have restarted the connector daemon, for each super_group_i, issue:

setfacl -m g:super_group_i:rw /var/run/ibm_bigpfs_gcd
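
The following check script is an added example, not IBM tooling: it verifies that /var/mmfs/bi has the ownership and 0660 mode required by steps 2 and 3, and prints the step-5 setfacl line for every group listed in gpfs.supergroup so the list can be reviewed before it is applied. It assumes Linux with GNU coreutils (stat -c); the gcd_* function names are ours.

```shell
#!/bin/sh
# Post-upgrade verification for the CVE-2015-7430 fix (connector 2.7.0-3).
# Added example, not IBM tooling. Assumes Linux with GNU coreutils (stat -c).
# Function names (gcd_*) are ours; paths and commands come from the bulletin.

# Split a gpfs.supergroup value such as "bigsql,hadoop" into one group per line.
gcd_supergroups() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '{ gsub(/^[ \t]+|[ \t]+$/, "") } NF'
}

# Return 0 when DIR exists, is mode 0660 (step 3) and is group-owned by one of
# the configured super groups (step 2). Otherwise say which step to redo.
gcd_dir_ok() {
    dir=$1
    sgroups=$2
    [ -d "$dir" ] || { echo "$dir missing: redo step 1 (mkdir)" >&2; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "660" ] || {
        echo "$dir is mode $mode, want 0660: redo step 3 (chmod)" >&2; return 1; }
    owner_grp=$(stat -c '%G' "$dir")
    for g in $(gcd_supergroups "$sgroups"); do
        if [ "$owner_grp" = "$g" ]; then return 0; fi
    done
    echo "$dir group is $owner_grp, not in gpfs.supergroup=$sgroups: redo step 2 (chown)" >&2
    return 1
}

# Print the step-5 setfacl line for every configured super group so the
# operator can review the list before running it as root on each node.
gcd_acl_commands() {
    sock=${2:-/var/run/ibm_bigpfs_gcd}
    for g in $(gcd_supergroups "$1"); do
        printf 'setfacl -m g:%s:rw %s\n' "$g" "$sock"
    done
}

# On a node (as root): gcd_dir_ok /var/mmfs/bi "bigsql,hadoop" && gcd_acl_commands "bigsql,hadoop"
```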

For the GPFS Hadoop Connector 1.1.1, IBM recommends upgrading both your level of Hadoop and your level of IBM Spectrum Scale (GPFS) Hadoop Connector code to current levels. See https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/General%20Parallel%20File%20System%20%28GPFS%29/page/Hadoop%20Connector%20Download%20%26%20Info

Workarounds and Mitigations

None

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information


More support for: General Parallel File System
Software version: 3.5.0, 4.1.0
Operating system(s): Linux
Reference #: T1022979
Modified date: 2015-12-02