SVG:Advisory-SVG-CVE-2016-0392



Title:       EGI SVG Advisory [TLP:WHITE] 'CRITICAL' risk vulnerability in IBM's GPFS CVE-2016-0392  
[EGI-SVG-CVE-2016-0392]  

Date:        2016-06-01 
Updated:     


Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning IBM's General Parallel File System (GPFS)

Package : GPFS (IBM) 
CVE ID  : CVE-2016-0392 

As stated in [R 1] a security vulnerability has been identified in all levels of IBM Spectrum Scale and 
IBM GPFS that could allow a local attacker to inject commands into setuid file parameters and execute 
commands as root.

Actions Required/Recommended
============================

Sites running IBM's General Parallel File System (GPFS) MUST patch, apply the mitigation below, or remove
the software by 2016-06-09 00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

It may not be possible for EGI CSIRT to detect vulnerable instances, but it is important that sites using 
this software take action if they have not done so already.

Affected software details
=========================

See [R 1]

More information
================

Several sites have been identified on the EGI infrastructure which deploy IBM's General Parallel File System (GPFS) 
in various circumstances, hence EGI SVG is alerting all sites to this vulnerability.

See [R 1]

Mitigation
==========

From [R 1] 

Until the fixes can be applied, a workaround is to remove the setuid bit from the files in the /usr/lpp/mmfs/bin directory.
Determine the set of files with the setuid bit set by running

ls -l /usr/lpp/mmfs/bin | grep r-s

Then clear the setuid bit on each such file by issuing this command on each file

chmod u-s file

Once the workaround is applied, a number of commands may no longer work. 
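The following script is an added example for site administrators applying the workaround above; it is not part of the IBM bulletin or of the EGI advisory. It uses find -perm -4000 rather than the ls/grep pattern, so that every file carrying the setuid bit is caught regardless of its other permission bits, records the paths it changed so the bits can be put back once the vendor fix is installed, and provides a count that can be used to verify that no setuid file remains. The default directory and record-file path are assumptions taken from the advisory text; on a real system the script must run as root.

```shell
#!/bin/sh
# Added example (not IBM's or EGI SVG's own code): reversible application of the
# "remove setuid" workaround for CVE-2016-0392.
# Assumptions: POSIX sh with a find(1) that understands -maxdepth; the GPFS
# binaries live in /usr/lpp/mmfs/bin as stated in the bulletin.

# List regular files directly under $1 that have the setuid bit set, one per line.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 -print
}

# Remove the setuid bit from every such file under $1, recording the affected
# paths in $2 so the change can be reversed after the vendor fix is applied.
# Prints the number of files changed.
strip_setuid() {
    dir=$1
    record=$2
    list_setuid "$dir" > "$record"
    while IFS= read -r f; do
        chmod u-s "$f"
    done < "$record"
    wc -l < "$record" | tr -d ' '
}

# Put the setuid bit back on every path recorded by strip_setuid.
restore_setuid() {
    while IFS= read -r f; do
        chmod u+s "$f"
    done < "$1"
}

# Number of setuid files still present under $1; zero means the workaround
# has taken effect.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Usage: sh gpfs_setuid_workaround.sh strip|restore|count [dir] [recordfile]
# (the record-file location is an assumption; choose one that survives reboot)
case "${1:-}" in
    strip)   strip_setuid "${2:-/usr/lpp/mmfs/bin}" "${3:-/var/tmp/gpfs-setuid-files.txt}" ;;
    restore) restore_setuid "${3:-/var/tmp/gpfs-setuid-files.txt}" ;;
    count)   count_setuid "${2:-/usr/lpp/mmfs/bin}" ;;
esac
```

Run "strip" before the deadline, keep the record file, and run "count" afterwards to confirm the directory reports zero setuid files; as the bulletin notes, some GPFS commands will stop working until the fix is installed and the bits are restored or replaced by the patched binaries.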


Component installation information
==================================

See IBM's security bulletin [R 1]

TLP and URL
===========

** WHITE information - Unlimited distribution - 
see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **                     

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-0392    

Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Christopher Walker from QMUL

References
==========

[R 1] http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005781

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI, you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look.

Timeline
========
Yyyy-mm-dd  [EGI-SVG-2016-11185] 

2016-05-31 SVG alerted to this publicly disclosed issue by Christopher Walker from QMUL
2016-05-31 Acknowledgement from the EGI SVG to the reporter
2016-06-01 EGI SVG Risk Assessment completed
2016-06-01 Advisory/Alert sent to sites
2016-06-08 Advisory on the wiki
