On 30/07/2021 15:11, Jaime Pinto wrote:
Hey Jonathan

3.10.0-1160.31.1 seems to be one of the last kernel releases prior to the CVE-2021-33909 exploit.

It is the release immediately prior to 3.10.0-1160.31.2.

To be fair I didn't consider it important to install 3.10.0-1160.31.2 on our TSM server because the only people able to log onto it can all get root anyway. So a local privilege escalation bug is like meh to begin with and the replacement hardware for migrating to a fully patched RHEL 8.4 server was ready and waiting to go in the rack.

Now on the nodes in the HPC cluster any privilege escalation bug is an issue as the unwashed masses have access to that.

3.10.0-1160.36.2.el7.x86_64 seems to be the first on the Redhat repo that fixes the exploit, but it's not working for our combination of TSM/DB2 versions:
* TSM 8.1.8
* DB2 v11.1.4.4

Well, yikes, you need to upgrade your TSM server ASAP as 8.1.8 has a number of security holes. My TSM is my get-out-of-jail card should we be hit by ransomware, which seems to be the most likely "disaster" these days, so patch, patch, patch is my motto.

Besides I am not allowed to run a version that is riddled with security issues. Being public sector and funded by the Scottish government we have to be CyberEssentials compliant :-) Basically you are supposed to apply security patches within 10 days of availability.

I'll just keep one eye on the repo for the next kernel available and try it again. Until then I'll stick with 3.10.0-1062.18.1.

Which has a whole slew of bugs too. See above, I don't get to run such old versions :-)

On the HPSS side 3.10.0-1160.36.2.el7.x86_64 worked fine with DB2 11.5, but not with 10.5.


Only DB2 usage I have is on our TSM server.


JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss