APAR status
Closed as program error.
Error description
The application allows a regular user to inject OS commands in the "SMB Shares" comments field. The injected command is executed on the underlying operating system, which can lead to whole-system compromise.
Local fix
Problem summary
The application allows a regular user to inject OS commands in the "SMB Shares" comments field. The injected command is executed on the underlying operating system, which can lead to whole-system compromise.
Problem conclusion
At the SMB CLI level, command injection via the comment field argument of the mmsmb command should be prevented. As a secondary measure for better usability, the GUI dialog will prevent text strings with a single hyphen.
Temporary fix
Comments
APAR Information
APAR number
IJ20901
Reported component name
SPEC SCALE STD
Reported component ID
5737F33AP
Reported release
504
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-11-11
Closed date
2019-11-11
Last modified date
2019-11-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SPEC SCALE STD
Fixed component ID
5737F33AP
Applicable component levels
Business Unit
IBM Infrastructure w/TPS
Product
IBM Spectrum Scale
Platform
Platform Independent
Version
504
Line of Business
Storage
Document Information
Modified date:
11 November 2019