
CERT Coordination Center

IBM AIX Parallel Systems Support Program (PSSP) contains vulnerability in File Collections subsystem allowing arbitrary access to sensitive configuration files

Vulnerability Note VU#640827

Original Release Date: 2002-04-02 | Last Revised: 2004-02-23

Overview

IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections.

Description

IBM PSSP software is used to provide a central point of management control for a cluster of RS/6000 SP nodes and IBM pSeries and IBM RS/6000 servers running AIX.

Impact

Intruders may be able to gain access to files that are included in a valid file collection on the SP system's control workstation, including AIX system configuration and security database files.

Solution

Obtain and apply the fix on all SP system control workstations and nodes as soon as possible. See the instructions below for obtaining the appropriate PTF(s) containing the fix for each release of PSSP.

Follow the instructions in the appropriate README file to enable secure file collections.

PSSP 3.1.1   ssp.sysman.README.IY20699
PSSP 3.2     ssp.sysman.README.IY28063
PSSP 3.4     ssp.sysman.README.IY28065

IMPORTANT: Simply applying the PTF is not sufficient to correct the File Collections security vulnerability. The process to enable Secure File Collections, as documented in the README file, must be completed in order to correct the vulnerability.

Solution:

There are APARs created for all supported PSSP releases. The PTFs addressing those APARs are now available in the indicated PTF Set.

PSSP Rls      APAR     PTF #     PTF Set #
PSSP 3.1.1    IY20699  U482380   24
PSSP 3.2      IY28063  U482385   18
PSSP 3.4      IY28065  U482395   6


The fix can be obtained by ordering the specific PTF for your release from 1-800-CALLAIX or your country support center. The fix can also be downloaded by selecting the appropriate APAR number from the IBM eServer Support web page at URL:

http://techsupport.services.ibm.com/server/fixes

A workaround to the vulnerability is to disable the File Collections subsystem, until such time that the fix can be applied or the software upgraded to a supported release.

To disable File Collections, run the following command under the root userid on the SP system's control workstation:

spsitenv filecoll_config=false

To verify that File Collections has been disabled, run the following command:

splstdata -e | grep filecoll_config
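The two commands above are the whole workaround, but an operator responsible for several control workstations will usually want to check the result of the verification step mechanically rather than reading it by eye. The script below is an added example, not part of the CERT note or of IBM's PSSP software: it inspects a saved copy of the `splstdata -e` listing and reports whether `filecoll_config` is false (disabled), true (still enabled), or missing from the listing. The listing layout used in the embedded sample is an assumption constructed for this example; real `splstdata -e` output may be laid out differently, so adjust the `awk` field selection if the attribute and value are not the first two whitespace-separated columns.

```shell
#!/bin/sh
# Added example (not from the CERT note or from IBM): classify the
# filecoll_config setting found in a saved "splstdata -e" listing.
#
# Exit status of filecoll_state:
#   0  filecoll_config is "false"  (File Collections disabled, workaround in place)
#   1  filecoll_config is "true"   (File Collections still enabled)
#   2  attribute not present       (listing incomplete or format differs)
filecoll_state() {
    listing="$1"
    # Assumption: the attribute name is column 1 and its value column 2.
    value=$(awk '$1 == "filecoll_config" { print $2; exit }' "$listing")
    case "$value" in
        false) return 0 ;;
        true)  return 1 ;;
        *)     return 2 ;;
    esac
}

# Human-readable wrapper around filecoll_state.
report_filecoll() {
    if filecoll_state "$1"; then
        echo "File Collections: disabled (workaround applied)"
    else
        case $? in
            1) echo "File Collections: ENABLED - run 'spsitenv filecoll_config=false' as root" ;;
            *) echo "File Collections: filecoll_config not found in listing" ;;
        esac
    fi
}

# Constructed sample listings (assumed layout, not captured from a real system).
SAMPLE_DISABLED=$(mktemp)
cat > "$SAMPLE_DISABLED" <<'EOF'
List Site Environment Database Information

attribute                     value
---------------------------   -----
control_workstation           cws01
filecoll_config               false
ntp_config                    consensus
EOF

SAMPLE_ENABLED=$(mktemp)
cat > "$SAMPLE_ENABLED" <<'EOF'
attribute                     value
---------------------------   -----
control_workstation           cws02
filecoll_config               true
EOF

SAMPLE_MISSING=$(mktemp)
cat > "$SAMPLE_MISSING" <<'EOF'
attribute                     value
---------------------------   -----
control_workstation           cws03
EOF

# Stand-alone usage: on a real control workstation you would instead run
#   splstdata -e > /tmp/site_env.txt && report_filecoll /tmp/site_env.txt
if [ "${FILECOLL_EXAMPLE_QUIET:-0}" != "1" ]; then
    report_filecoll "$SAMPLE_DISABLED"
    report_filecoll "$SAMPLE_ENABLED"
    report_filecoll "$SAMPLE_MISSING"
fi
```

The third state (attribute missing) is deliberately distinct from "enabled": a listing that does not mention `filecoll_config` at all tells you nothing about the workaround, and treating it as "disabled" would silently hide an unpatched system from the check.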

Vendor Information


IBM Affected

Updated:  March 28, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: None
Severity Metric: 10.13
Date Public: 2002-04-01
Date First Published: 2002-04-02
Date Last Updated: 2004-02-23 22:40 UTC
Document Revision: 4

Sponsored by CISA.