===============================================================================
Readme file for: IBM Platform LSF for SAS
Product/Component Release: 8.0.1 SAS
Update name: Fix 453131
Fix ID: LSF-8.0.1-build153131
APAR#: P102215
Publication date: 6 Sep, 2017
Last modified: 6 Sep, 2017

Abstract
The fix enhances the LSF security mechanism that authorizes user credentials for the data stream between LSF clients and servers. It addresses CVE-2017-1205.

Description
LSF uses an external authentication framework to secure user credentials for the data stream between LSF clients and servers. By default, LSF provides an eauth.exe executable file, which uses a static authorization key to encrypt the data. Changing this default key as part of the installation process is important to prevent unauthorized access. However, many sites do not change the default key and are therefore vulnerable to CVE-2017-1205.

This defect was present and undetected for over ten years, even during previous third-party security reviews. There are no reported instances of anyone having exploited this defect to attack LSF security.

This fix addresses CVE-2017-1205 by enhancing the default eauth.exe executable file to automatically generate site-specific keys. It is available for all supported versions of LSF on all supported operating systems.

Sites that use LSF Kerberos authentication are not affected by this issue, but installing this fix addresses potential vulnerabilities if LSF Kerberos authentication is unavailable.

Default eauth.exe executable
The new default eauth.exe executable file automatically generates a site-specific key, using 128-bit AES encryption. In this fix, the new eauth.exe executable file is named eauth.cve.exe. It directly replaces the default eauth.exe executable file used for authentication between LSF clients and servers in the same LSF cluster. You must replace all binary files to fully address CVE-2017-1205.
To ensure that you correctly enable the enhancements in your LSF clusters, check the following:
1) The new eauth.exe executable file rejects LSF requests from any host whose UTC time differs from that of the server host by more than 5 minutes.
2) You must install the new eauth.exe executable file on all LSF hosts in the LSF cluster so that they work together. Otherwise, LSF commands that run on hosts without the new eauth.exe executable file will encounter authentication problems.

IMPORTANT: If you are using IBM Platform RTM, you must also patch IBM Platform RTM to work with the newly patched LSF. The eauth fix for IBM Platform Process Manager is not mandatory and fixes a separate issue in IBM Platform Process Manager.
===============================================================================

=========================
CONTENTS
=========================
1. Abbreviations
2. About IBM Platform LSF
3. Supported operating systems
4. Products or components affected
5. Installation and Configuration
6. Copyright

=========================
1. Abbreviations
=========================
N/A

=========================
2. About IBM Platform LSF
=========================
The IBM Platform LSF ("LSF", short for load sharing facility) software is industry-leading enterprise-class software that distributes work across existing heterogeneous IT resources, creating a shared, scalable, and fault-tolerant infrastructure that delivers faster, more reliable workload performance while reducing cost. LSF balances load and allocates resources, while providing access to those resources.

=========================
3. Supported operating systems
=========================
Windows 2008/2008 R2/7/8/2012/2012 R2

=========================
4. Products or components affected
=========================
LSF/eauth.exe, LSF/mbatchd.exe, LSF/sbatchd.exe, LSF/res.exe, LSF/badmin.exe, LSF/lsadmin.exe

=========================
5. Installation and Configuration
=========================
5.1 Log on to the LSF master host as LSF cluster administrator, and shut down the LSF cluster with the following commands:
    badmin hshutdown all
    lsadmin resshutdown all
    lsadmin limshutdown

5.2 Back up the following files in your existing installation:
    - %LSF_SERVERDIR%\eauth.exe
    - %LSF_SERVERDIR%\mbatchd.exe
    - %LSF_SERVERDIR%\sbatchd.exe
    - %LSF_SERVERDIR%\res.exe
    - %LSF_SERVERDIR%\..\bin\badmin.exe
    - %LSF_SERVERDIR%\..\bin\lsadmin.exe

5.3 Copy and replace the files from the Fix directory to your current installation:
    - Copy eauth.cve.exe in this Fix to %LSF_SERVERDIR%\eauth.exe
    - Copy mbatchd.exe in this Fix to %LSF_SERVERDIR%\mbatchd.exe
    - Copy sbatchd.exe in this Fix to %LSF_SERVERDIR%\sbatchd.exe
    - Copy res.exe in this Fix to %LSF_SERVERDIR%\res.exe
    - Copy badmin.exe in this Fix to %LSF_SERVERDIR%\..\bin\badmin.exe
    - Copy lsadmin.exe in this Fix to %LSF_SERVERDIR%\..\bin\lsadmin.exe

5.4 Log on to the LSF master host as LSF cluster administrator, and start up the LSF cluster with the following commands:
    lsadmin limstartup
    lsadmin resstartup all
    badmin hstartup all

=========================
6. Copyright
=========================
(C) Copyright IBM Corporation 2017
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM(R), the IBM logo and ibm.com(R) are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
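The following PowerShell script is an added example, not IBM's code: it automates the backup and copy steps 5.2 and 5.3 of section 5 on the local host, then runs the two checks from the Description (the same eauth.exe on every host, and UTC clock skew of at most 5 minutes against the master host). It assumes LSF_SERVERDIR has the same value on every host, that WinRM remoting is enabled for Invoke-Command, and that the fix directory and host list are supplied by the caller; the Install-LsfFix and Test-LsfFix function names are my own.

```powershell
# Added example (not IBM's code): automates steps 5.2 and 5.3 on the local host
# with a timestamped backup, then runs the Description's two checks: identical
# eauth.exe on every host and UTC clock skew within 5 minutes of the master.
# Assumes LSF_SERVERDIR has the same value on every host and WinRM is enabled.
param(
    [Parameter(Mandatory)][string]$FixDir,
    [string[]]$Hosts = @($env:COMPUTERNAME),
    [string]$MasterHost = $env:COMPUTERNAME
)
$ServerDir = $env:LSF_SERVERDIR
$BinDir    = Join-Path $ServerDir '..\bin'
# Fix file name -> installed path (eauth.cve.exe is installed as eauth.exe).
$FileMap = @{
    'eauth.cve.exe' = Join-Path $ServerDir 'eauth.exe'
    'mbatchd.exe'   = Join-Path $ServerDir 'mbatchd.exe'
    'sbatchd.exe'   = Join-Path $ServerDir 'sbatchd.exe'
    'res.exe'       = Join-Path $ServerDir 'res.exe'
    'badmin.exe'    = Join-Path $BinDir    'badmin.exe'
    'lsadmin.exe'   = Join-Path $BinDir    'lsadmin.exe'
}

function Install-LsfFix {
    # Step 5.2: back up the existing binaries; step 5.3: copy the fix files in.
    $Backup = Join-Path $ServerDir ('backup-' + (Get-Date -Format 'yyyyMMddHHmmss'))
    New-Item -ItemType Directory -Path $Backup | Out-Null
    foreach ($entry in $FileMap.GetEnumerator()) {
        $src = Join-Path $FixDir $entry.Key
        if (-not (Test-Path $src)) { throw "Fix file missing: $src" }
        Copy-Item $entry.Value -Destination $Backup -Force
        Copy-Item $src -Destination $entry.Value -Force
    }
}

function Test-LsfFix {
    # Check 2): every host must carry the eauth.exe that this fix ships.
    $expected = (Get-FileHash (Join-Path $FixDir 'eauth.cve.exe') -Algorithm SHA256).Hash
    $eauth    = $FileMap['eauth.cve.exe']
    # Check 1): the new eauth.exe rejects hosts whose UTC clock is off by more than 5 minutes.
    $masterUtc = Invoke-Command -ComputerName $MasterHost -ScriptBlock { (Get-Date).ToUniversalTime() }
    foreach ($h in $Hosts) {
        $r = Invoke-Command -ComputerName $h -ArgumentList $eauth -ScriptBlock {
            param($p)
            [pscustomobject]@{ Hash = (Get-FileHash $p -Algorithm SHA256).Hash
                               Utc  = (Get-Date).ToUniversalTime() }
        }
        $skew = [math]::Abs(($r.Utc - $masterUtc).TotalMinutes)
        [pscustomobject]@{ Host = $h; BinaryOk = ($r.Hash -eq $expected); SkewMinutes = [math]::Round($skew, 1); SkewOk = ($skew -le 5) }
    }
}
```

Run Install-LsfFix on each host between the manual shutdown (5.1) and startup (5.4) commands, then run Test-LsfFix from the master host; any row with BinaryOk or SkewOk set to False identifies a host that will fail authentication with the new eauth.exe.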