Vulnerability Note VU#640827

IBM AIX Parallel Systems Support Program (PSSP) contains a vulnerability in the File Collections subsystem allowing arbitrary access to sensitive configuration files

Original Release date: 01 Apr 2002 | Last revised: 23 Feb 2004

Overview

IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections.

Description

IBM PSSP software is used to provide a central point of management control for a cluster of RS/6000 SP nodes and IBM pSeries and IBM RS/6000 servers running AIX.

Impact

Intruders may be able to gain access to files that are included in a valid file collection on the SP system's control workstation, including AIX system configuration and security database files.

Solution

Obtain and apply the fix on all SP system control workstations and nodes as soon as possible. See the instructions below for obtaining the appropriate PTF(s) containing the fix for each release of PSSP.

Follow the instructions in the appropriate README file to enable secure file collections.

PSSP 3.1.1 ssp.sysman.README.IY20699
PSSP 3.2 ssp.sysman.README.IY28063
PSSP 3.4 ssp.sysman.README.IY28065

IMPORTANT: Simply applying the PTF is not sufficient to correct the File Collections security vulnerability. The process to enable Secure File Collections, as documented in the README file, must be completed in order to correct the vulnerability.

Solution:

There are APARs created for all supported PSSP releases. The PTFs addressing those APARs are now available in the indicated PTF Set.

PSSP Rls      APAR      PTF #      PTF Set #
PSSP 3.1.1:   IY20699   U482380    24
PSSP 3.2:     IY28063   U482385    18
PSSP 3.4:     IY28065   U482395     6

The fix can be obtained by ordering the specific PTF for your release from 1-800-CALLAIX or your country support center. The fix can also be downloaded by selecting the appropriate APAR number from the IBM@server Support web page at URL:

http://techsupport.services.ibm.com/server/fixes

A workaround for the vulnerability is to disable the File Collections subsystem until the fix can be applied or the software is upgraded to a supported release.

To disable File Collections, run the following command under the root userid on the SP system's control workstation:

spsitenv filecoll_config=false

To verify that File Collections has been disabled, run the following command:

splstdata -e | grep filecoll_config
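The workaround and its verification step above, as an added check script that is not part of the CERT note or of IBM's PSSP software: it parses the output of splstdata -e and reports whether File Collections is disabled, falling back to a constructed sample when splstdata is not present. The one-attribute-per-line "attribute value" layout of splstdata -e output is assumed.

```shell
#!/bin/sh
# Added example (not from the CERT note or IBM): report whether the PSSP
# File Collections subsystem is disabled, i.e. whether the workaround
# "spsitenv filecoll_config=false" is in effect on the control workstation.
# Assumption: `splstdata -e` prints one "attribute value" pair per line,
# including a "filecoll_config" line whose second field is true or false.

# Constructed sample of splstdata -e output, used only when the real
# command is unavailable (e.g. when running this check off the SP system).
SAMPLE_SPLSTDATA='List Site Environment Database Information

attribute                       value
-----------                     -----
control_workstation             cws
filecoll_config                 false
ntp_config                      consensus'

# filecoll_config_value: read splstdata -e output on stdin and print the
# value of filecoll_config; prints nothing if the attribute is absent.
filecoll_config_value() {
    awk '$1 == "filecoll_config" { print $2; exit }'
}

# filecoll_disabled: read splstdata -e output on stdin and return
# 0 when File Collections is disabled ("false"), 1 when it is still
# enabled ("true"), 2 when the attribute could not be found at all.
filecoll_disabled() {
    value=$(filecoll_config_value)
    case "$value" in
        false) return 0 ;;
        true)  return 1 ;;
        *)     return 2 ;;
    esac
}

# check_live: use the real control workstation data when splstdata exists,
# otherwise fall back to the constructed sample so the script runs anywhere.
check_live() {
    if command -v splstdata >/dev/null 2>&1; then
        splstdata -e | filecoll_disabled
    else
        printf '%s\n' "$SAMPLE_SPLSTDATA" | filecoll_disabled
    fi
}
```

Run check_live from a monitoring job on the control workstation; a non-zero status means the workaround is not in place and the File Collections subsystem is still serving files.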

Systems Affected

Vendor   Status     Date Notified   Date Updated
IBM      Affected   -               28 Mar 2002

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Apr 2002
  • Date First Published: 01 Apr 2002
  • Date Last Updated: 23 Feb 2004
  • Severity Metric: 10.13
  • Document Revision: 4
