CVE-2007-6599

Name of the Vulnerable Software and Affected Versions OpenAFS versions 1.3.50 through 1.4.5 OpenAFS versions 1.5.0 through 1.5.27 openafs prior to version 1.4.6

Description A race condition in the fileserver of OpenAFS allows remote attackers to cause a denial of service by simultaneously acquiring and giving back file callbacks. This causes the handler for the GiveUpAllCallBacks RPC to perform linked-list operations without the host glock lock, leading to a daemon crash. The issue can be exploited remotely and may lead to disruption of protected information.

Recommendations For OpenAFS versions 1.3.50 through 1.4.5, update to version 1.4.6 or later. For OpenAFS versions 1.5.0 through 1.5.27, update to a version later than 1.5.27. For openafs prior to version 1.4.6, update to version 1.4.6 or later. As a temporary workaround, consider restricting access to the fileserver to minimize the risk of exploitation.