Security Bulletin: IBM Spectrum Scale and IBM GPFS are affected by a security vulnerability (CVE-2016-6115)


Summary

A security vulnerability has been identified in IBM Spectrum Scale (GPFS) that could allow a remote authenticated attacker to overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash. This vulnerability is only applicable if:

  • file encryption is being used
  • the key management infrastructure has been compromised

Vulnerability Details

CVEID: CVE-2016-6115
DESCRIPTION: IBM General Parallel File System is vulnerable to a buffer overflow. A remote authenticated attacker could overflow a buffer and execute arbitrary code on the system with root privileges or cause the server to crash.
CVSS Base Score: 6.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Spectrum Scale V4.2.0.0 through V4.2.2.0

IBM Spectrum Scale V4.1.0.0 through V4.1.1.10

IBM GPFS V4.1.0.0 through V4.1.0.8

Note: This vulnerability is only applicable if:

  • file encryption is being used
  • the key management infrastructure has been compromised

Remediation/Fixes

For IBM Spectrum Scale V4.2.0.0 through V4.2.2.0, apply IBM Spectrum Scale V4.2.2.1, available from Fix Central at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.2&platform=All&function=all

For IBM Spectrum Scale V4.1.1.0 through V4.1.1.10 and IBM GPFS V4.1.0.0 through V4.1.0.8, apply V4.1.1.11, available from Fix Central at
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

If you cannot apply the latest level of service, contact IBM Service for an efix:

  • For IBM Spectrum Scale V4.2.0.0 through V4.2.2.0, reference APAR IV91327
  • For IBM GPFS V4.1.0.0 through V4.1.0.8 and IBM Spectrum Scale V4.1.1.0 through V4.1.1.10, reference APAR IV91328

Workarounds and Mitigations

None

Reference

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

3 January 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Spectrum Scale

Software version: 4.1.1, 4.2.0, 4.2.1, 4.2.2

Operating system(s): AIX, Linux, Windows

Reference #: S1009639

Modified date: 01 August 2018