<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:392697812;
mso-list-template-ids:-1829348498;}
@list l0:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:1188331133;
mso-list-template-ids:-1107102054;}
@list l2
{mso-list-id:1213158547;
mso-list-template-ids:-1869585542;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<div id="m_389106089229024940mail-editor-reference-message-container">
<div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">A security exploit has recently been identified that affects a wide range of Lustre releases.</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">The key points are as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:12.0pt;color:black">Scope of Issue</span></u><span style="font-size:12.0pt;color:black">: <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:12.0pt;color:black">Users can gain access to files/folders in the filesystem that they should not have permission to access based on their user/group ID file access permissions, leading to potential data compromise or privilege escalation.
This does <b>not</b> allow access to files that are outside a subdirectory mountpoint/nodemap that are not visible in the client mountpoint. <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white">
<span style="font-size:12.0pt;color:black">This security vulnerability has been reserved as CVE-2023-51786 in the U.S. NIST National Vulnerability Database. This reference will be published shortly after this announcement to allow some time for mitigations
to be put in place.<o:p></o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:12.0pt;color:black">Exposure to Issue:</span></u><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Exposure to the exploit depends upon Lustre version running on the servers and clients, and the distro/kernel running on the client.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">To be exposed to the issue, the filesystem must be running software versions in ALL THREE of the columns in the below table<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="margin-left:26.15pt;border-collapse:collapse">
<tbody>
<tr>
<td width="224" valign="top" style="width:167.8pt;border:solid windowtext 1.0pt;background:#7F7F7F;padding:2.15pt 2.15pt 2.15pt 2.15pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt;color:black">Lustre Server Version</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;background:#7F7F7F;padding:2.15pt 2.15pt 2.15pt 2.15pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt;color:black">Lustre Client Version</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;background:#7F7F7F;padding:2.15pt 2.15pt 2.15pt 2.15pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt;color:black">Lustre Client Linux Distribution</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">2.14 – 2.15.3</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">2.12 – 2.15.3</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">RHEL 8.x</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">RHEL 9.x</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">SLES12 SP3 and later</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">SLES15 SPx</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">Ubuntu 18.04</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border-top:none;border-left:solid windowtext 1.0pt;border-bottom:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border:none;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">Ubuntu 20.04</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="224" valign="top" style="width:167.8pt;border:solid windowtext 1.0pt;border-top:none;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt"> </span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
<td width="224" valign="top" style="width:167.85pt;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:.7pt .05in .7pt .05in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:12.0pt">Ubuntu 22.04</span><span style="font-size:12.0pt"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:12.0pt;color:black">Mitigation Options</span></u><span style="font-size:12.0pt;color:black">:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Any one of the below options will mitigate the issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo4"><span style="font-size:12.0pt">Disable User </span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">Namespaces</span><span style="font-size:12.0pt"> (see below)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo4"><span style="font-size:12.0pt">Upgrade <u>all</u> clients to a Lustre version including a fix (e.g.. 2.15.4)<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-list:l2 level1 lfo4"><span style="font-size:12.0pt">Upgrade servers to a Lustre version including a fix for this issue (e.g. 2.15.4)<o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><u><span style="font-size:12.0pt;color:black">How to Disable User </span></u><u><span style="font-size:12.0pt;color:#070706;background:#FFEE94">Namespaces</span></u><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">As a temporary workaround until a patched client and/or server can be deployed, to immediately disable user </span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black"> on
unpatched clients run the following command as root on all client nodes: <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> sysctl -w user.max_user_</span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black">=0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">To make this setting persistent across client reboots, run the following command as root on all clients or otherwise create and install /etc/sysctl.d/99-diable-user-ns.conf on affected client nodes: <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">echo "user.max_user_</span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black"> = 0" > /etc/sysctl.d/99-disable-user-ns.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">This setting will <b>completely disable user </b></span><b><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span></b><b><span style="font-size:12.0pt;color:black"> </span></b><span style="font-size:12.0pt;color:black">on
that client, which may cause Docker and other virtualization containers, or other applications utilizing the user </span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black"> functionality
to fail or run improperly.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">To re-enable user </span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black"> on each client after it has been upgraded to
a release containing the fix, or on all clients after the servers have been upgraded, run the following commands as root on each client: <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> rm –f /etc/sysctl.d/99-disable-user-ns.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"> sysctl –w user.max_user_</span><span style="font-size:12.0pt;color:#070706;background:#FFEE94">namespaces</span><span style="font-size:12.0pt;color:black">=10000<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black">Or otherwise remove the 99-disable-user-ns.conf file and the default user namespace settings will be enabled on the next reboot of the client node.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>