CVE-2019-20423

Name of the Vulnerable Software and Affected Versions Lustre file system versions prior to 2.12.3

Description The issue arises from a buffer overflow and panic in the ptlrpc module due to the lack of validation for specific fields of packets sent by a client. This occurs because the function target handle connect() mishandles a certain size value when a client connects to a server, resulting from an integer signedness error.

Recommendations For versions prior to 2.12.3, update to version 2.12.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ptlrpc module to minimize the risk of exploitation.