Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2® pureScale™ (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705)

Security Bulletin

Summary

DB2 LUW is affected by a vulnerability in IBM® Spectrum Scale Version V4.2 and V4.1 that is used by DB2® pureScale™ Feature on AIX and Linux. IBM Spectrum Scale is previously known as General Parallel File System (GPFS).

Vulnerability Details

CVEID: CVE-2018-1431
DESCRIPTION: A vulnerability in GSKit affects IBM Spectrum Scale that could allow a local attacker to obtain control of the Spectrum Scale daemon and to access and modify files in the Spectrum Scale file system, and possibly to obtain administrator privileges on the node.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139240 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1447
DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-3732
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagating bug in the x86_64 Montgomery squaring procedure. An attacker could exploit this vulnerability to obtain information about the private key.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0705
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when parsing DSA private keys. An attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111140 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

All fix pack levels of IBM Db2 V10.5, and V11.1 editions on all Unix-type platforms are affected. Windows platforms are not affected.

Remediation/Fixes

Customers running any vulnerable fixpack level of an affected Program, V10.5 and V11.1, can contact IBM technical support to obtain the Spectrum Scale security package update. Before installing the Spectrum Scale security package, the DB2 level might need to be upgraded to the level that includes the supported Spectrum Scale level. Do not attempt to upgrade Spectrum Scale by any other means. The table below lists the DB2 releases and the Spectrum Scale security package to request from IBM technical support.

DB2 Release	Obtain following from IBM technical support:
10.5 AIX 64-bit	U881200.gpfs.gskit.bff
10.5 Linux 64-bit, x86-64	gpfs.gskit-8.0.50-86.x86_64.rpm
10.5 Linux 64-bit, POWER™ little endian	gpfs.gskit-8.0.50-86.ppc64le.rpm
11.1 AIX 64-bit	U881200.gpfs.gskit.bff
11.1 Linux 64-bit, x86-64	gpfs.gskit-8.0.50-86.x86_64.rpm
11.1 Linux 64-bit, POWER™ little endian	gpfs.gskit-8.0.50-86.ppc64le.rpm

The Spectrum Scale security package upgrade instructions are available here: https://www-01.ibm.com/support/docview.wss?uid=ibm10731637

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

September 18, 2018: Original version published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"10.5, 11.1","Edition":"Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Express, Express-C, Personal, Workgroup Server","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Tips

Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2® pureScale™ (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705)