Posted Fri September 09, 2022 02:33 AM
My post for a question asked by our customer [in Laos]. / Tom, any comments on the details as I sent them by email to our customer?
Your case objective:
Due to CVE-2016-2118 (the Samba Badlock vulnerability), you are looking to IBM support for a suggestion of which Samba version [4.2.11 / 4.3.8 / 4.4.2 or later] would fix the CVE-2016-2118 defect.
IBM local support would like to respond to you with the following answers.
- By searching the IBM Security Bulletins, I found:
The "Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified [CVE-2016-2118]"
in URL: //www.ibm.com/support/pages/security-bulletin-badlock-samba-vulnerability-issue-ibm-storwize-v7000-unified-cve-2016-2118
In the above URL, under "Affected Products and Versions":
IBM Storwize V7000 Unified
The product is affected when running code releases 1.5.0.0 to 1.6.0.1
- By searching the IBM support system, I found case# TS009291788 ("Samba badlock"), opened on 2022-05-09.
You can see the "Resolution Description: Samba is not supported."
"Samba is not supported" means Samba is a product shipped as-is; in other words, there is no Samba support from IBM.
Please find full details in the screen capture.
- By searching the IBM support system, I found the old PMR [PMR# 43799,999,766: samba vulnerability issue] from 2016.
Here is the old PMR suggestion:
I have just checked the Samba vulnerability issue as follows.
- CVE-2015-5370 //www.samba.org/samba/security/CVE-2015-5370.html
Subject: Multiple errors in DCE-RPC code.
- CVE-2016-2118 [a.k.a. BADLOCK] //www.samba.org/samba/security/CVE-2016-2118.html
Subject: SAMR and LSA man in the middle attacks possible.
How to fix:
To fix both CVEs, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as security releases to correct the defect.
- If you navigate to the AIX Toolbox for Open Source Software website:
//www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha
Samba version 4.14.12 [7.1] is available there as RPM/SRPM packages to download.
- Conclusion.
Please consider upgrading Samba to version 4.14.12, available as RPM/SRPM packages on the IBM website.
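The post above compares an installed Samba build against the upstream Badlock security releases 4.2.11, 4.3.8 and 4.4.2. The following shell script is an added example, not part of the IBM post or of any IBM tooling: it parses the banner printed by `smbd -V`, compares the version numerically (so that 4.14.12 is correctly treated as newer than 4.4.2, which a plain string compare gets wrong), and reports whether the build is at or past the fix release for its branch. The banners at the bottom are constructed sample input; the "unpatched-branch" label for branches older than 4.2 is an assumption made for illustration, since the post lists no security release for them.

```shell
#!/bin/sh
# Added example (not from the IBM post): classify a Samba version against the
# upstream Badlock (CVE-2016-2118) security releases 4.2.11 / 4.3.8 / 4.4.2.

# version_key VERSION -> integer key so dotted versions compare numerically.
# Non-numeric suffixes such as "-rc1" or "-Ubuntu" are dropped first.
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# samba_version_from_banner "BANNER" -> "X.Y.Z" taken from `smbd -V` output,
# which starts with a line like "Version 4.14.12".
samba_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# badlock_status VERSION -> fixed | vulnerable | unpatched-branch
badlock_status() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s\n' "$v" | cut -d. -f1)
    minor=$(printf '%s\n' "$v" | cut -s -d. -f2)
    case "$major.$minor" in
        4.2) fixed=4.2.11 ;;
        4.3) fixed=4.3.8 ;;
        4.4) fixed=4.4.2 ;;
        *)
            # Branches newer than 4.4 were cut after the fix; anything older
            # than 4.2 has no fix release listed, so it is labelled separately
            # (assumption for this example: treat it as needing an upgrade).
            if [ "$(version_key "$v")" -gt "$(version_key 4.4.99)" ]; then
                echo fixed
            else
                echo unpatched-branch
            fi
            return 0 ;;
    esac
    if [ "$(version_key "$v")" -ge "$(version_key "$fixed")" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Demo over constructed `smbd -V` banners (sample input, not captured output).
for banner in 'Version 4.2.10' 'Version 4.3.8' 'Version 4.4.1-Ubuntu' \
              'Version 4.14.12' 'Version 3.6.25'; do
    ver=$(samba_version_from_banner "$banner")
    printf '%-22s -> %s\n' "$banner" "$(badlock_status "$ver")"
done
```

On a live AIX host the version would come from `smbd -V` or from the package database (`rpm -q --qf '%{VERSION}\n' samba`) instead of the constructed banners. Note that this check only knows the upstream fix releases; a vendor may backport the fix into an older version string, so for an appliance such as the Storwize V7000 Unified the vendor bulletin's affected-release range (1.5.0.0 to 1.6.0.1 in the post) is the authoritative test, not the Samba version number.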