[lustre-announce] IMPORTANT: Warning re Lustre Security Exploit

Peter Jones pjones at whamcloud.com
Tue Feb 27 11:08:09 PST 2024

A security exploit has recently been identified that affects a wide range of Lustre releases.

The key points are as follows:

Scope of Issue:
Users can gain access to files and directories in the filesystem that their user/group IDs and the file access permissions should not allow them to access, leading to potential data compromise or privilege escalation. This does not allow access to files outside a subdirectory mountpoint or nodemap that are not visible in the client mountpoint.
This security vulnerability has been reserved as CVE-2023-51786 in the U.S. NIST National Vulnerability Database. This reference will be published shortly after this announcement to allow some time for mitigations to be put in place.

Exposure to Issue:
Exposure to the exploit depends upon the Lustre version running on the servers and clients, and the distro/kernel running on the client.

To be exposed to the issue, the filesystem must be running software versions in ALL THREE of the columns in the table below:

  Lustre Server Version | Lustre Client Version | Lustre Client Linux Distribution
  ----------------------+-----------------------+---------------------------------
  2.14 – 2.15.3         | 2.12 – 2.15.3         | RHEL 8.x
                        |                       | RHEL 9.x
                        |                       | SLES12 SP3 and later
                        |                       | Ubuntu 18.04
                        |                       | Ubuntu 20.04
                        |                       | Ubuntu 22.04

Mitigation Options:
Any one of the below options will mitigate the issue.

  1.  Disable user namespaces on the clients (see below)
  2.  Upgrade all clients to a Lustre version including a fix for this issue (e.g. 2.15.4)
  3.  Upgrade servers to a Lustre version including a fix for this issue (e.g. 2.15.4)

How to Disable User Namespaces
As a temporary workaround until a patched client and/or server can be deployed, to immediately disable user namespaces on unpatched clients run the following command as root on all client nodes:
  sysctl -w user.max_user_namespaces=0

To make this setting persistent across client reboots, run the following command as root on all clients, or otherwise create and install /etc/sysctl.d/99-disable-user-ns.conf on affected client nodes:
  echo "user.max_user_namespaces = 0" > /etc/sysctl.d/99-disable-user-ns.conf

This setting will completely disable user namespaces on that client, which may cause Docker and other virtualization containers, or other applications utilizing the user namespaces functionality to fail or run improperly.

To re-enable user namespaces on each client after it has been upgraded to a release containing the fix, or on all clients after the servers have been upgraded, run the following commands as root on each client:
  rm -f /etc/sysctl.d/99-disable-user-ns.conf
  sysctl -w user.max_user_namespaces=10000
Alternatively, just remove the 99-disable-user-ns.conf file; the default user namespace settings will be restored on the next reboot of the client node.
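The workaround and version table above, as an added shell example that is not part of the announcement: it compares a Lustre version against the affected ranges and applies, checks or reverts the sysctl workaround. The conf file path, the /proc knob and the 10000 default are the announcement's; obtaining the running Lustre version string is left to the operator.

```shell
#!/bin/sh
# Added example, not from the announcement: check whether a Lustre version is in
# the affected ranges from the table above and apply, verify or revert the
# user-namespace workaround. Writing the /proc knob is what
# "sysctl -w user.max_user_namespaces=N" does; paths are overridable for testing.
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.d/99-disable-user-ns.conf}"
PROC_KNOB="${PROC_KNOB:-/proc/sys/user/max_user_namespaces}"
DEFAULT_MAX_USER_NS="${DEFAULT_MAX_USER_NS:-10000}"  # value the announcement restores
# ver_le A B: succeed if dotted version A <= B (up to three numeric parts).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 0 }'
}
# Affected ranges from the table: clients 2.12 - 2.15.3, servers 2.14 - 2.15.3.
client_version_exposed() { ver_le 2.12 "$1" && ver_le "$1" 2.15.3; }
server_version_exposed() { ver_le 2.14 "$1" && ver_le "$1" 2.15.3; }

# Succeed if user namespaces are currently disabled on this node.
user_ns_disabled() {
    [ -r "$PROC_KNOB" ] || return 1   # kernel without the knob: cannot confirm
    [ "$(cat "$PROC_KNOB")" -eq 0 ]
}

# Disable user namespaces now and persist the setting across reboots (run as root).
apply_workaround() {
    echo 0 > "$PROC_KNOB"
    echo "user.max_user_namespaces = 0" > "$SYSCTL_CONF"
    user_ns_disabled
}

# Undo the workaround once this client, or all servers, carry the fix.
revert_workaround() {
    rm -f "$SYSCTL_CONF"
    echo "$DEFAULT_MAX_USER_NS" > "$PROC_KNOB"
    ! user_ns_disabled
}

case "${1:-}" in
    apply)  apply_workaround ;;
    revert) revert_workaround ;;
    status) user_ns_disabled && echo "user namespaces: disabled" || echo "user namespaces: enabled" ;;
    "")     ;;  # no argument (e.g. sourced): just define the functions
    *)      echo "usage: $0 apply|revert|status" >&2; exit 2 ;;
esac
```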
