Difference between revisions of "EGI CSIRT:Alerts/Lustre-2014-04-07"
Jump to navigation
Jump to search
(2 intermediate revisions by the same user not shown) | |||
Line 12: | Line 12: | ||
EGI CSIRT ADVISORY [EGI-ADV-20140407] | EGI CSIRT ADVISORY [EGI-ADV-20140407] | ||
Title: EGI SVG Advisory 'High' RISK - Vulnerability announced in Lustre [EGI- | Title: EGI SVG Advisory 'High' RISK - Vulnerability announced in Lustre | ||
[EGI-ADV-20140407] | |||
ADV-20140407] | |||
Date: 2014-04-07 | Date: 2014-04-07 | ||
Line 51: | Line 50: | ||
================= | ================= | ||
Lustre file system. | Lustre file system versions Lustre 2.4.0/2.4.1/2.4.2 | ||
This is fixed in Lustre version 2.4.3 | |||
Lustre file system version Lustre 2.5.0 | |||
This is fixed in Lustre version 2.5.1 | |||
Note that this vulnerability is thought to not exist in any release earlier than 2.4.0. | |||
Line 63: | Line 68: | ||
=============== | =============== | ||
Sites using Lustre should update as soon as possible, if they have not done so since | Sites using vulnerable versions Lustre should update as soon as possible, | ||
14th March 2014. | if they have not done so since 14th March 2014. | ||
Other information | Other information | ||
Line 70: | Line 75: | ||
CSIRT will not monitor for updated versions. It is up to sites deploying Lustre to | CSIRT will not monitor for updated versions. It is up to sites deploying Lustre to | ||
ensure they update. | |||
Latest revision as of 15:37, 7 April 2014
EGI-CSIRT web site | EGI-CSIRT Public wiki | EGI-CSIRT Contacts | EGI-CSIRT Activities | EGI-CSIRT Private wiki |
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVISORY [EGI-ADV-20140407] Title: EGI SVG Advisory 'High' RISK - Vulnerability announced in Lustre [EGI-ADV-20140407] Date: 2014-04-07 Updated: URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Lustre-2014-04-07 Introduction ============ A vulnerability was found in Lustre which allows a user to access another user's files. [R 1] This was fixed by the software providers on 14th March 2014, see [R 2], [R 3] Details ======= Details are available at [R 1] [R 2] [R 3] Risk category ============= This issue has been assessed as 'High' risk by the EGI CSIRT and EGI SVG Risk Assessment Team. Affected software ================= Lustre file system versions Lustre 2.4.0/2.4.1/2.4.2 This is fixed in Lustre version 2.4.3 Lustre file system version Lustre 2.5.0 This is fixed in Lustre version 2.5.1 Note that this vulnerability is thought to not exist in any release earlier than 2.4.0. Component installation information ================================== See [R 2] [R 3] Recommendations =============== Sites using vulnerable versions Lustre should update as soon as possible, if they have not done so since 14th March 2014. Other information ================= CSIRT will not monitor for updated versions. It is up to sites deploying Lustre to ensure they update. Credit ====== EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa References ========== [R 1] https://jira.hpdd.intel.com/browse/LU-4703 [R 2] https://lists.01.org/pipermail/hpdd-discuss/2014-March/000903.html [R 3] https://lists.01.org/pipermail/hpdd-discuss/2014-March/000904.html Timeline ======== Yyyy-mm-dd 2014-03-14 Lustre vulnerability fixed by software providers 2014-03-31 EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa 2014-04-03 EGI SVG considered 'High' risk, therefore recommended alerting sites. 2014-04-07 Alert issued. On behalf of the EGI CSIRT and SVG