SVG:Advisory-SVG-CVE-2016-0392
Title:   EGI SVG Advisory [TLP:WHITE] 'CRITICAL' risk vulnerability in IBM's GPFS CVE-2016-0392 [EGI-SVG-CVE-2016-0392]

Date:    2016-06-01
Updated:

Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning IBM's General Parallel File System (GPFS)

Package : GPFS (IBM)
CVE ID  : CVE-2016-0392

As stated in [R 1], a security vulnerability has been identified in all levels of IBM Spectrum Scale and IBM GPFS that could allow a local attacker to inject commands into setuid file parameters and execute commands as root.

Actions Required/Recommended
============================

Sites running IBM's General Parallel File System (GPFS) MUST be patched, apply the mitigation below, or have the software removed by 2016-06-09 00:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

It may not be possible for EGI CSIRT to detect vulnerable instances, but it is important that sites using this software take action if they have not done so already.

Affected software details
=========================

See [R 1]

More information
================

Several sites have been identified on the EGI infrastructure which deploy IBM's General Parallel File System (GPFS) in various circumstances, hence EGI SVG is alerting all sites to this vulnerability.

See [R 1]

Mitigation
==========

From [R 1]:

Until the fixes can be applied, a workaround is to remove the setuid bit from the files in the /usr/lpp/mmfs/bin directory.

Determine the set of files with the setuid bit by running

    ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each file:

    chmod u-s file

Once the workaround is applied, a number of commands may no longer work.
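The workaround above has administrators list the setuid files under /usr/lpp/mmfs/bin and clear the bit on each. The script below is an added example, not taken from the advisory or from IBM's bulletin: it does the same for a directory given as a parameter, matching on the mode bit with find -perm instead of grepping ls output, and records each file's original mode in a manifest so the bits can be restored once the vendor fix is installed. It assumes a POSIX sh with GNU coreutils (stat -c) and a find that supports -maxdepth; the directory and manifest paths are parameters.

```shell
#!/bin/sh
# Added example for the GPFS setuid workaround; not part of the EGI advisory
# or IBM's bulletin. Assumes POSIX sh, GNU coreutils (stat -c '%a') and a
# find that supports -maxdepth (GNU/BSD).

# Print the regular files directly under $1 that carry the setuid bit, one
# per line. Matching on the mode bit with find -perm avoids depending on the
# column layout of "ls -l" output.
list_setuid_files() {
    find "$1" -maxdepth 1 -type f -perm -4000 2>/dev/null | sort
}

# Clear the setuid bit on every such file under $1, first recording
# "<octal mode> <path>" into manifest $2 so the change can be reverted once
# the vendor fix is applied. Prints the number of files changed.
strip_setuid() {
    dir=$1
    manifest=$2
    [ -d "$dir" ] || { echo "strip_setuid: no such directory: $dir" >&2; return 1; }
    : > "$manifest"
    list_setuid_files "$dir" | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")          # e.g. 4755 before the change
        printf '%s %s\n' "$mode" "$f" >> "$manifest"
        chmod u-s "$f"
    done
    wc -l < "$manifest" | tr -d ' '
}

# Undo: reapply the recorded modes from manifest $1 after patching.
restore_setuid() {
    while read -r mode path; do
        chmod "$mode" "$path"
    done < "$1"
}

# Typical use on a GPFS node (run as root, before the fix is installed):
#   strip_setuid /usr/lpp/mmfs/bin /root/gpfs-setuid-manifest.txt
# and after the fix has been applied:
#   restore_setuid /root/gpfs-setuid-manifest.txt
```

Keep the manifest outside the GPFS directory and in the change record, since the advisory notes that some commands stop working while the bits are cleared.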
Component installation information
==================================

See IBM's security bulletin [R 1]

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-0392

Minor updates may be made without re-distribution to the sites.

Credit
======

SVG was alerted to this vulnerability by Christopher Walker from QMUL.

References
==========

[R 1] http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005781

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI, you may report it by e-mail to report-vulnerability at egi.eu and the EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd [EGI-SVG-2016-11185]

2016-05-31 SVG alerted to this publicly disclosed issue by Christopher Walker from QMUL
2016-05-31 Acknowledgement from the EGI SVG to the reporter
2016-06-01 EGI SVG Risk Assessment completed
2016-06-01 Advisory/Alert sent to sites
2016-06-08 Advisory on the wiki