
Security Bulletin: IBM Spectrum Scale and IBM GPFS are affected by a security vulnerability (CVE-2016-6115)

Summary

A security vulnerability has been identified in IBM Spectrum Scale (GPFS) that could allow a remote authenticated attacker to overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash. This vulnerability is only applicable if:
- file encryption is being used
- the key management infrastructure has been compromised

Vulnerability Details

CVEID: CVE-2016-6115
DESCRIPTION: IBM General Parallel File System is vulnerable to a buffer overflow. A remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash.
CVSS Base Score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Scale V4.2.0.0 thru V4.2.2.0

IBM Spectrum Scale V4.1.0.0 thru V4.1.1.10

IBM GPFS V4.1.0.0 thru V4.1.0.8

Note: This vulnerability is only applicable if:

  • file encryption is being used
  • the key management infrastructure has been compromised

Remediation/Fixes

For IBM Spectrum Scale V4.2.0.0 thru V4.2.2.0, apply IBM Spectrum Scale V4.2.2.1 available from Fix Central at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.2&platform=All&function=all

For IBM Spectrum Scale V4.1.1.0 thru V4.1.1.10 and IBM GPFS V4.1.0.0 thru V4.1.0.8, apply V4.1.1.11 at http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

If you cannot apply the latest level of service, contact IBM Service for an efix:

  • For IBM Spectrum Scale V4.2.0.0 thru V4.2.2.0, reference APAR IV91327
  • For IBM GPFS V4.1.0 thru V4.1.0.8 and IBM Spectrum Scale V4.1.1.0 thru V4.1.1.10, reference APAR IV91328

Workarounds and Mitigations

None

References

Change History

3 January 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 01 August 2018

UID: ssg1S1009639