Security Bulletin
Summary
Weak file permissions may exist on several files after specific debug settings are enabled in IBM Spectrum LSF in a Linux or Unix environment. This has the potential of privilege escalation by an attacker. CVE-2020-4278 is created for this.
Vulnerability Details
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Platform LSF | 9.1 |
| IBM Spectrum LSF | 10.1 |
| IBM Spectrum LSF Suites | 10.2 |
| IBM Spectrum Computing Suite for High Performance Analytics | 10.2 |
Remediation/Fixes
The remediation will completely close the exploit. However, there will be the following limitations:
- Privileged ports cannot be used for LSF daemons. By default LSF does not use privileged ports.
- Cannot configure /etc/lsf.sudoers to enable non-root to start LSF daemons.
- Cannot configure /etc/ego.sudoers to enable non-root to start EGO.
- Cannot enable LSB_UTMP=Y in lsf.conf. By default it is not enabled.
No other functions are impacted and it has no impact on normal use of the cluster.
These limitations will be removed by a fix in upcoming LSF10.1.0.10.
Workarounds and Mitigations
See Above
Get Notified about Future Security Bulletins
References
Acknowledgement
The vulnerability was reported to IBM by Winston S.
Change History
21 Feb 2020: Initial Publication
26 Feb 2020: Update 'Workarounds and Mitigations'
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
25 February 2020
UID
ibm13357549