Stephan,
 
Security bulletins need to go through an internal process, including legal review. In addition, we are normally required to ensure the fix is available for all releases before the security bulletin can be published. Because of that, we normally don't list details for security fixes in either the readmes or APARs, since the information can only be disclosed in the bulletin itself.
 
----
The bulletin below has:
 
If you cannot apply the latest level of service, contact IBM Service for an efix:

- For IBM Spectrum Scale V5.0.0.0 through V5.0.4.1, reference APAR IJ23438

- For IBM Spectrum Scale V4.2.0.0 through V4.2.3.20, reference APAR IJ23426

"V5.0.0.0 through V5.0.4.1" should have been "V5.0.0.0 through V5.0.4.2". (I have asked for the text to be corrected.)
 
 
 
  Felipe
 
----
Felipe Knop [email protected]
GPFS Development and Security
IBM Systems
IBM Building 008
2455 South Rd, Poughkeepsie, NY 12601
(845) 433-9314 T/L 293-9314
 
 
 
----- Original message -----
From: Stephan Graf <[email protected]>
Sent by: [email protected]
To: <[email protected]>
Cc:
Subject: [EXTERNAL] Re: [gpfsug-discuss] GPFS vulnerability with possible root exploit on versions prior to 5.0.4.3 (and 4.2.3.21)
Date: Wed, Apr 22, 2020 5:04 AM
 
Hi

I took a look at the "Readme and Release notes for release 5.0.4.3 IBM
Spectrum Scale 5.0.4.3
Spectrum_Scale_Data_Management-5.0.4.3-x86_64-Linux Readme"
but I did not find the entry which mentioned the "For IBM Spectrum Scale
V5.0.0.0 through V5.0.4.1, reference APAR IJ23438" APAR number which is
mentioned on the "Security Bulletin: A vulnerability has been identified
in IBM Spectrum Scale where an unprivileged user could execute commands
as root (CVE-2020-4273)" page.

Shouldn't it be mentioned there?

Stephan


Am 22.04.2020 um 10:19 schrieb Jaime Pinto:
> In case you missed (the forum has been pretty quiet about this one),
> CVE-2020-4273 had an update yesterday:
>
> https://www.ibm.com/support/pages/node/6151701?myns=s033&mynp=OCSTXKQY&mync=E&cm_sp=s033-_-OCSTXKQY-_-E 
>
>
> If you can't do the upgrade now, at least apply the mitigation to the
> client nodes generally exposed to unprivileged users:
>
> Check the setuid bit:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
>
> Apply the mitigation:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("chmod u-s /usr/lpp/mmfs/bin/"$9)}'
>
> Verification:
> ls -l /usr/lpp/mmfs/bin | grep r-s | awk '{system("ls -l /usr/lpp/mmfs/bin/"$9)}'
>
> All the best
> Jaime
>
> ---
> Jaime Pinto - Storage Analyst
> SciNet HPC Consortium - Compute/Calcul Canada
> www.scinet.utoronto.ca - www.computecanada.ca
> University of Toronto
> 661 University Ave. (MaRS), Suite 1140
> Toronto, ON, M5G1M1
> P: 416-978-2755
> C: 416-505-1477
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
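The check, mitigation and verification steps quoted above, redone as an added example (not code from the thread, from the poster, or from IBM): find(1) tests the permission bits directly instead of grepping "r-s" out of ls output, and the original modes are written to a backup file so the bits can be restored once the fixed release is installed. The backup file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Enumerate, strip and
# later restore the setuid bit on files in the GPFS binary directory.
# MMFS_BIN is the directory named in the thread; MODE_BACKUP is an assumed
# location for the saved modes (override both via the environment).
MMFS_BIN="${MMFS_BIN:-/usr/lpp/mmfs/bin}"
MODE_BACKUP="${MODE_BACKUP:-/root/mmfs-setuid-modes.txt}"

# Print every regular file directly under $1 that has the setuid bit set
# (mode bit 4000), one path per line, sorted for stable output.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 2>/dev/null | sort
}

# Record the current octal mode of each setuid file under $1 into $2,
# then clear the setuid bit. Prints the number of files that were changed.
drop_setuid() {
    dir=$1; backup=$2
    : > "$backup"
    list_setuid "$dir" | while read -r f; do
        printf '%s %s\n' "$(stat -c '%a' "$f")" "$f" >> "$backup"
        chmod u-s "$f"
    done
    wc -l < "$backup" | tr -d ' '
}

# Verification step: succeed (exit 0) only if no setuid file remains in $1.
verify_no_setuid() {
    [ -z "$(list_setuid "$1")" ]
}

# After upgrading to the fixed release, put the recorded modes back
# from the backup file written by drop_setuid.
restore_setuid() {
    while read -r mode f; do
        chmod "$mode" "$f"
    done < "$1"
}

# Typical run (as root):
#   list_setuid "$MMFS_BIN"
#   drop_setuid "$MMFS_BIN" "$MODE_BACKUP"
#   verify_no_setuid "$MMFS_BIN" && echo "no setuid binaries remain"
```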

 