Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @

EGI CSIRT:Alerts/Lustre-2014-04-07

From EGIWiki
Revision as of 15:37, 7 April 2014 by Cornwall (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
EGI-CSIRT web site EGI-CSIRT Public wiki EGI-CSIRT Contacts EGI-CSIRT Activities EGI-CSIRT Private wiki

[Alerts table ].

** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'High' RISK - Vulnerability announced in Lustre 

Date:        2014-04-07



A vulnerability was found in Lustre which allows a user to access another user's files. 

[R 1]

This was fixed by the software providers on 14th March 2014, see [R 2],  [R 3] 


Details are available at [R 1] [R 2] [R 3]

Risk category

This issue has been assessed as 'High'  risk by the EGI CSIRT and EGI SVG Risk 

Assessment Team.  

Affected software

Lustre file system versions Lustre 2.4.0/2.4.1/2.4.2
This is fixed in Lustre version 2.4.3

Lustre file system version Lustre 2.5.0
This is fixed in Lustre version 2.5.1

Note that this vulnerability is thought to not exist in any release earlier than 2.4.0.

Component installation information

See [R 2] [R 3]


Sites using vulnerable versions Lustre should update as soon as possible, 
if they have not done so since 14th March 2014.  

Other information

CSIRT will not monitor for updated versions. It is up to sites deploying Lustre to 
ensure they update. 


EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa


[R 1]

[R 2]

[R 3]


2014-03-14 Lustre vulnerability fixed by software providers
2014-03-31 EGI SVG and CSIRT were alerted to this vulnerability by Tobias Dussa 
2014-04-03 EGI SVG considered 'High' risk, therefore recommended alerting sites. 
2014-04-07 Alert issued. 

On behalf of the EGI CSIRT and SVG