Vulnerability Name:

CVE-2017-1304 (CCN-125458)

Assigned:2016-11-30
Published:2017-06-20
Updated:2021-05-21
Summary:IBM has identified a vulnerability with IBM Spectrum Scale/GPFS utilized on the Elastic Storage Server (ESS)/GPFS Storage Server (GSS) during testing of an unsupported configuration, where users applications are running on an active ESS I/O server node and utilize direct I/O to perform a read or a write to a Spectrum Scale file. This vulnerability may result in the use of an incorrect memory address, leading to a Spectrum Scale/GPFS daemon failure with a Signal 11, and possibly leading to denial of service or undetected data corruption. IBM X-Force ID: 125458.
CVSS v3 Severity:6.2 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
5.4 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): High
6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): High
CVSS v2 Severity:4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.2 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2017-1304

Source: CCN
Type: IBM Security Bulletin S1010230 (Elastic Storage Server)
The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1304)

Source: CONFIRM
Type: Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=ssg1S1010230

Source: BID
Type: Third Party Advisory, VDB Entry
99274

Source: CCN
Type: BID-99274
IBM Elastic Storage Server/GPFS Storage Server CVE-2017-1304 Local Denial of Service Vulnerability

Source: MISC
Type: VDB Entry, Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/125458

Source: XF
Type: UNKNOWN
ibm-gpfs-cve20171304-dos(125458)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:elastic_storage_server:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:5.0.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:elastic_storage_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_server:5.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm elastic storage server 2.0.0
    ibm elastic storage server 2.5.0
    ibm elastic storage server 2.5.5
    ibm elastic storage server 3.0.0
    ibm elastic storage server 3.0.5
    ibm elastic storage server 3.5.0
    ibm elastic storage server 3.5.6
    ibm elastic storage server 4.0.0
    ibm elastic storage server 4.0.6
    ibm elastic storage server 4.5.0
    ibm elastic storage server 4.6.0
    ibm elastic storage server 5.0.0
    ibm elastic storage server 5.0.1
    ibm elastic storage server 2.0
    ibm elastic storage server 2.5
    ibm elastic storage server 3.0
    ibm elastic storage server 3.5
    ibm elastic storage server 4.0
    ibm elastic storage server 4.5
    ibm elastic storage server 5.0