My post for a question asked by our customer (in Laos).
Tom, any detailed comments, as I sent this email to our customer?
Your case objective:
Due to CVE-2016-2118 (Samba Badlock Vulnerability), you are looking for IBM support's suggestion of which Samba version (4.2.11 / 4.3.8 / 4.4.2 or later) could fix the CVE-2016-2118 defect.
IBM local support would like to respond to you with the following answers.
- By searching the IBM Security Bulletins, found:
The "Security Bulletin: Badlock Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2118)"
at URL: https://www.ibm.com/support/pages/security-bulletin-badlock-samba-vulnerability-issue-ibm-storwize-v7000-unified-cve-2016-2118
In the above URL, under "Affected Products and Versions":
IBM Storwize V7000 Unified
The product is affected when running code releases 1.5.0.0 to 1.6.0.1
- By searching the IBM support system, found case# TS009291788: Samba Badlock, opened on 2022-05-09.
You can see the "Resolution Description: Samba is not supported."
"Samba is not supported" means:
Samba is a product shipped as-is. In other words, there is no Samba support from IBM.
Please find full details in the screen capture.
- By searching the IBM support system, found the old PMR (PMR# 43799,999,766: samba vulnerability issue) from 2016.
Here is the old PMR suggestion:
I have just checked the SAMBA vulnerability issue as follows.
- CVE-2015-5370 https://www.samba.org/samba/security/CVE-2015-5370.html
Subject: Multiple errors in DCE-RPC code.
- CVE-2016-2118 (a.k.a. BADLOCK) https://www.samba.org/samba/security/CVE-2016-2118.html
Subject: SAMR and LSA man in the middle attacks possible.
How to fix:
To fix both CVEs, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as security releases to correct the defect.
- If you navigate to the AIX Toolbox for Open Source Software website:
https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha
there are Samba version 4.14.12 (7.1) RPM/SRPM packages to download.
- Conclusion:
Please consider upgrading Samba to version 4.14.12, as RPM/SRPM packages are available on the IBM website.
------------------------------
CHARIN KUMJUDPAI
------------------------------
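Added example (not from this thread, IBM or the Samba project): a small Python check that applies the fix releases quoted in the PMR suggestion above (4.2.11, 4.3.8, 4.4.2) to a Samba version string or to `lslpp -l` style output such as the customer's; the sample fileset lines are constructed, and the check judges upstream version numbers only.

```python
import re

# Upstream Samba security releases that fixed CVE-2016-2118 (Badlock),
# as listed in the PMR suggestion quoted in this thread.
BADLOCK_FIXED = {
    (4, 2): (4, 2, 11),
    (4, 3): (4, 3, 8),
    (4, 4): (4, 4, 2),
}
OLDEST_FIXED_BRANCH = (4, 2)

def parse_version(text):
    """Extract the leading numeric version, e.g. '3.3.12.0' -> (3, 3, 12, 0)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def badlock_status(version):
    """Classify an upstream Samba version against the Badlock fix releases."""
    # Upstream numbers only: a vendor backport into an older version string
    # (common on enterprise Linux) is not detected by this check.
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    branch = v[:2]
    if branch in BADLOCK_FIXED:
        fixed_at = BADLOCK_FIXED[branch]
        return "fixed" if v[:3] >= fixed_at else "vulnerable: upgrade to %d.%d.%d" % fixed_at
    if branch > OLDEST_FIXED_BRANCH:
        return "fixed"  # every 4.5+ release postdates the April 2016 fix
    return "vulnerable: branch %d.%d is end-of-life, no fix release" % branch

def check_lslpp(output):
    """Parse 'lslpp -l' style lines for samba filesets and report each one."""
    results = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("samba."):
            results[parts[0]] = badlock_status(parts[1])
    return results

# Constructed sample in the shape of the customer's lslpp output above.
SAMPLE = """\
samba.base       3.3.12.0  COMMITTED  Samba for AIX
samba.license    3.3.12.0  COMMITTED  Samba for AIX
"""

if __name__ == "__main__":
    for fileset, status in check_lslpp(SAMPLE).items():
        print(fileset, status)
```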
Original Message:
Sent: Thu September 08, 2022 10:45 AM
From: Tom McGivern
Subject: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.
Really? You're running base 7.1 code from 2011, and you're concerned about Samba?
There are so many *requisites, you have a mess on your hands.
Original Message:
Sent: 9/8/2022 7:40:00 AM
From: CHARIN KUMJUDPAI
Subject: CVE-2016-2118: Samba Badlock Vulnerability, which samba version to be upgrade to fix the CVE-2016-2118 defect.
Currently running Samba for AIX 7.1 (7100-00-03-1115).
SAMBA version:
samba.base 3.3.12.0 COMMITTED Samba for AIX
samba.license 3.3.12.0 COMMITTED Samba for AIX
samba.man.en_US 3.3.12.0 COMMITTED Samba for AIX
samba.base 3.3.12.0 COMMITTED Samba for AIX
Which Samba version should I upgrade to, to help fix the CVE-2016-2118 defect?
I also navigated to the URLs https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/samba/ and https://www.ibm.com/support/pages/aix-toolbox-open-source-software-downloads-alpha
There are samba-4.3.x through samba-4.10.x and 4.14.12 (7.1) available.
Please advise.
Best regards,
Charin Kumjudpai.
------------------------------
CHARIN KUMJUDPAI
------------------------------