From EGIWiki


Title:       EGI SVG Advisory [TLP:WHITE] 'CRITICAL' risk vulnerability in IBM's GPFS CVE-2016-0392  

Date:        2016-06-01 

Affected Software and Risk

CRITICAL risk vulnerability concerning IBM's General Parallel File System (GPFS) 

Package : GPFS (IBM) 
CVE ID  : CVE-2016-0392 

As stated in [R 1], a security vulnerability has been identified in all levels of IBM Spectrum Scale and 
IBM GPFS that could allow a local attacker to inject commands into setuid file parameters and execute 
commands as root.

Actions Required/Recommended

Sites running IBM's General Parallel File System (GPFS) MUST patch, apply the mitigation below, or remove 
the software by 2016-06-09 00:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

It may not be possible for EGI CSIRT to detect vulnerable instances, but it is important that sites using 
this software take action if they have not done so already.

Affected software details.

See [R 1]

More information

Several sites on the EGI infrastructure have been identified that deploy IBM's General Parallel File System (GPFS) 
in various circumstances, hence EGI SVG is alerting all sites to this vulnerability.

See [R 1]


From [R 1] 

Until the fixes can be applied, a workaround is to remove the setuid from the files in the /usr/lpp/mmfs/bin directory. 
Determine the set of files with the setuid bit by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then reset the setuid bit for each such file by issuing this command on each file

chmod u-s file

Once the workaround is applied, a number of commands may no longer work. 
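The following script is an added example, not part of the IBM bulletin or of this advisory. It applies the same workaround in a form that can be checked and reversed: it enumerates the setuid files with find -perm -4000 instead of pattern-matching ls output (ls prints the owner-execute column as 's' when setuid is set, so a mode such as -rwsr-xr-x contains 'rws' and would not match 'r-s'), records the affected paths before clearing the bit, and restores them from that record once the fix has been installed. The default directory is the /usr/lpp/mmfs/bin path named in the bulletin; the record-file location and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's or EGI SVG's code): enumerate, strip and restore
# setuid bits on the GPFS binaries as a reversible workaround.
# Assumed defaults: the bulletin's /usr/lpp/mmfs/bin and a record file under /root.

# Print the regular files directly in DIR that carry the setuid bit, sorted.
# find -perm -4000 tests the mode bit itself, so owner-writable binaries
# (mode string "-rwsr-xr-x") are found as well as "-r-sr-xr-x" ones.
list_setuid() {
    dir=${1:-/usr/lpp/mmfs/bin}
    find "$dir" -maxdepth 1 -type f -perm -4000 | sort
}

# Clear setuid on every such file. The path of each file is appended to
# RECORD first, so the workaround can be undone after patching.
# Prints the number of files changed.
strip_setuid() {
    dir=${1:-/usr/lpp/mmfs/bin}
    record=${2:-/root/gpfs-setuid-workaround.txt}
    : > "$record"
    list_setuid "$dir" | while IFS= read -r f; do
        printf '%s\n' "$f" >> "$record"
        chmod u-s "$f"
    done
    wc -l < "$record" | tr -d ' '
}

# Re-apply the setuid bit to every path listed in RECORD
# (to be run once the fixed GPFS level is installed).
restore_setuid() {
    record=${1:-/root/gpfs-setuid-workaround.txt}
    while IFS= read -r f; do
        chmod u+s "$f"
    done < "$record"
}

# Usage (as root):
#   . ./gpfs-setuid.sh; list_setuid            # show what will change
#   strip_setuid                               # apply the workaround
#   restore_setuid                             # after the fix is installed
```

Run list_setuid first and keep the record file with the site's change log; the bulletin notes that some GPFS commands stop working once the bits are cleared, and the record is what tells you which files to restore after the fix.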

Component installation information

See IBM's security bulletin [R 1]


** WHITE information - Unlimited distribution - see for distribution restrictions **


Minor updates may be made without re-distribution to the sites


SVG was alerted to this vulnerability by Christopher Walker from QMUL


[R 1] IBM security bulletin for CVE-2016-0392


Comments or questions should be sent to svg-rat  at

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at
the EGI Software Vulnerability Group will take a look.  

Timeline [EGI-SVG-2016-11185] 

2016-05-31 SVG alerted to this publicly disclosed issue by Christopher Walker from QMUL
2016-05-31 Acknowledgement from the EGI SVG to the reporter
2016-06-01 EGI SVG Risk Assessment completed
2016-06-01 Advisory/Alert sent to sites
2016-06-08 Advisory on the wiki
