IBM Support

Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2® pureScale™ (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705)

Security Bulletin


Summary

DB2 LUW is affected by a vulnerability in IBM® Spectrum Scale Version V4.2 and V4.1 that is used by DB2® pureScale™ Feature on AIX and Linux. IBM Spectrum Scale is previously known as General Parallel File System (GPFS).

Vulnerability Details

CVEID: CVE-2018-1431
DESCRIPTION: A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139240 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

All fix pack levels of IBM Db2 V10.5, and V11.1 editions on all Unix-type platforms are affected. Windows platforms are not affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V10.5 and V11.1, can contact IBM technical support to obtain the Spectrum Scale security package update. Before installing the Spectrum Scale security package, the DB2 level might need to be upgraded to the level that includes the supported Spectrum Scale level. Do not attempt to upgrade Spectrum Scale by any other means. The table below lists the DB2 releases and the Spectrum Scale security package to request from IBM technical support.

 

DB2 Release Obtain following from IBM technical support:
10.5 AIX 64-bit
U881200.gpfs.gskit.bff
10.5 Linux 64-bit, x86-64
gpfs.gskit-8.0.50-86.x86_64.rpm
10.5 Linux 64-bit, POWER™ little endian
gpfs.gskit-8.0.50-86.ppc64le.rpm
11.1 AIX 64-bit
U881200.gpfs.gskit.bff
11.1 Linux 64-bit, x86-64
gpfs.gskit-8.0.50-86.x86_64.rpm
11.1 Linux 64-bit, POWER™ little endian
gpfs.gskit-8.0.50-86.ppc64le.rpm

The Spectrum Scale security package upgrade instructions are available here: https://www-01.ibm.com/support/docview.wss?uid=ibm10731637

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

September 18, 2018: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: DB2 for Linux, UNIX and Windows

Software version: 10.5, 11.1

Operating system(s): AIX, Linux

Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Person

Reference #: 0731657

Modified date: 19 September 2018