COMMAND

    sdrd

SYSTEMS AFFECTED

    AIX SP2

PROBLEM

    Following is based on CIAC advisory.  CIAC has been informed of  a
    security vulnerability with "sdrd"  daemon running on the  IBM SP2
    platform.   This vulnerability may allow remote users to  retrieve
    files  on  the  System  Data  Repository  (SDR)  machine,  thereby
    allowing remote users to gain access to the system.

    The System Data Repository (SDR) is a SP subsystem that stores  SP
    configuration  and   some  operational   information.    The   SDR
    information  is  stored  on  a  Control  Workstation,  but is made
    available   through   a    client/server   interface   to    other
    network-connected  nodes.   In  most  cases,  SDR  interaction  is
    performed  using  the  SDR  command-line  interface.  However, the
    "sdrd"  daemon  allows  other   nodes  to  make  request   without
    performing any authentication.   This security flaw allows  anyone
    to  use  the  retrieve  file  command  to  get any file on the SRD
    system.

SOLUTION

    The only alternative is to download and install the patch provided
    by IBM:

        ftp://aix.software.ibm.com/aix/efixes/security/sdrd.tar.Z