CVE-2019-20427

Name of the Vulnerable Software and Affected Versions Lustre file system versions prior to 2.12.3

Description The issue is related to a buffer overflow and panic, and possibly remote code execution, in the ptlrpc module due to the lack of validation for specific fields of packets sent by a client. This occurs because of an interaction between req capsule get size and tgt brw write that leads to a tgt shortio2pages integer signedness error.

Recommendations For versions prior to 2.12.3, update to version 2.12.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ptlrpc module to minimize the risk of exploitation.