Lucene search

Ubuntu.comUB:CVE-2019-20427

HistoryJan 27, 2020 - 12:00 a.m.

CVE-2019-20427

2020-01-2700:00:00

ubuntu.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.6%

JSON

In the Lustre file system before 2.12.3, the ptlrpc module has a buffer
overflow and panic, and possibly remote code execution, due to the lack of
validation for specific fields of packets sent by a client. Interaction
between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages
integer signedness error.

Notes

Author	Note
sbeattie	lustre was removed from the upstream staging tree in 4.18 (be65f9ed267fd7d8b3146b7c4be9ecdd3e0aa3ed)
cascardo	The affected code was never part of linux, as the staging driver was only the client side.

References

lustre.org/

wiki.lustre.org/Lustre_2.12.3_Changelog

jira.whamcloud.com/browse/LU-12600

launchpad.net/bugs/cve/CVE-2019-20427

nvd.nist.gov/vuln/detail/CVE-2019-20427

review.whamcloud.com/#/c/35867/

security-tracker.debian.org/tracker/CVE-2019-20427

www.cve.org/CVERecord?id=CVE-2019-20427

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.6%

JSON

Related for UB:CVE-2019-20427