EGI CSIRT:Alerts/Lustre-2014-04-07
Jump to navigation
Jump to search
EGI-CSIRT web site | EGI-CSIRT Public wiki | EGI-CSIRT Contacts | EGI-CSIRT Activities | EGI-CSIRT Private wiki |
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI CSIRT ADVISORY [EGI-ADV-20140407] Title: EGI SVG Advisory 'High' RISK - Vulnerability announced in Lustre [EGI- ADV-20140407] Date: 2014-04-07 Updated: URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/Lustre-2014-04-07 or Introduction ============ A vulnerability was found in Lustre which allows a user to access another user's files. [R 1] This was fixed by the software providers on 14th March 2014, see [R 2], [R 3] Details ======= Details are available at [R 1] [R 2] [R 3] Risk category ============= This issue has been assessed as 'High' risk by the EGI CSIRT and EGI SVG Risk Assessment Team. Affected software ================= Lustre file system. Component installation information ================================== See [R 2] [R 3] Recommendations =============== Sites using Lustre should update as soon as possible, if they have not done so since 14th March 2014. Other information ================= CSIRT will not monitor for updated versions. It is up to sites deploying Lustre to ensure they update. Credit ====== EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa References ========== [R 1] https://jira.hpdd.intel.com/browse/LU-4703 [R 2] https://lists.01.org/pipermail/hpdd-discuss/2014-March/000903.html [R 3] https://lists.01.org/pipermail/hpdd-discuss/2014-March/000904.html Timeline ======== Yyyy-mm-dd 2014-03-14 Lustre vulnerability fixed by software providers 2014-03-31 EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa 2014-04-03 EGI SVG considered 'High' risk, therefore recommended alerting sites. 2014-04-07 Alert issued. On behalf of the EGI CSIRT and SVG