...
HPE XFS (CXFS) clients are missing user namespace checks for setattr on HPE systems running Linux. A process that creates a user namespace using the unshare(2) system call gets the CAP_CHOWN capability, and can change ownership of a file belonging to another user that is not mapped in the user namespace. The issue is not limited to ownership changes: any administrative capability that applies to a filesystem can potentially be applied to objects stored on HPE XFS. Some examples would be using chmod, or applying setuid to run a privileged binary stored on the HPE XFS filesystem. The filesystem's responsibility is to perform additional checks and ignore capabilities for unmapped users. See the following man pages for more information: capabilities(7), namespaces(7), user_namespaces(7).
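The rule stated above (ignore capabilities for unmapped users), as a small user-space C model placed beside the missing-check behaviour. This is an added example, not HPE XFS or Linux kernel code; the struct and function names, the capability flag and the sample IDs 1000 and 2000 are constructed for illustration.

```c
/* User-space model of the check described above; not HPE XFS or kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CAP_CHOWN_BIT 1u  /* constructed flag standing in for CAP_CHOWN */

/* One uid_map/gid_map line: IDs [outside, outside+count) appear as [inside, ...). */
struct id_extent { uint32_t inside, outside, count; };

struct userns {
    struct id_extent uid_map[2], gid_map[2];
    size_t nuid, ngid;
    unsigned caps;              /* capabilities the caller holds in this namespace */
};

struct file_owner { uint32_t uid, gid; };  /* owner IDs as seen from the host */

static bool id_mapped(const struct id_extent *m, size_t n, uint32_t host_id)
{
    for (size_t i = 0; i < n; i++)
        if (host_id >= m[i].outside && host_id - m[i].outside < m[i].count)
            return true;
    return false;
}

/* Missing check: the capability alone decides, whoever owns the file. */
bool may_chown_flawed(const struct userns *ns, struct file_owner f)
{
    (void)f;
    return (ns->caps & CAP_CHOWN_BIT) != 0;
}

/* Expected check: ignore the capability unless owner UID and GID are both mapped. */
bool may_chown_checked(const struct userns *ns, struct file_owner f)
{
    return (ns->caps & CAP_CHOWN_BIT) != 0 &&
           id_mapped(ns->uid_map, ns->nuid, f.uid) &&
           id_mapped(ns->gid_map, ns->ngid, f.gid);
}

/* Constructed sample: namespace created by host UID/GID 1000, mapped to 0 inside. */
struct userns sample_ns(void)
{
    struct userns ns = { .uid_map = {{0, 1000, 1}}, .gid_map = {{0, 1000, 1}},
                         .nuid = 1, .ngid = 1, .caps = CAP_CHOWN_BIT };
    return ns;
}
```

With the sample namespace, a file owned by host UID/GID 2000 passes the flawed check and is rejected by the checked one, while the caller's own file (1000/1000) is accepted by both.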
This affects any HPE system running Linux, but only when an HPE XFS client in a user namespace environment uses an HPE XFS filesystem. This is not reproducible on standalone HPE XFS filesystems or on the active MDS for a shared HPE XFS (CXFS) filesystem.
Until the fix is applied, avoid the issue by performing one of the following mitigation actions:

- Disable user namespaces on HPE XFS clients and any backup MDS by configuring: 'sysctl user.max_user_namespaces=0'

OR

- Do not allow HPE XFS clients to mount any HPE XFS filesystems. NFS clients and Samba clients are not affected.

To avoid this issue, update the DMF Suite HPE XFS patch as follows:

- Patch 11804: HPE XFS 8.8.0 patch #2 for DMF Suite 4.8.0 - 14 February 2024 (or later)
- Patch 11805: HPE XFS 8.7.0 patch #4 for DMF Suite 4.7.0 - 26 February 2024 (or later)
- Patch 11806: HPE XFS 8.6.0 patch #5 for DMF Suite 4.6.0 - 26 February 2024 (or later)
- Patch 11807: HPE XFS 8.5.0 patch #7 for DMF Suite 4.5.0 - 01 March 2024 (or later)

To download the latest applicable HPE XFS patch, perform the following steps:

1. Click the following link: Hewlett Packard Enterprise Support Center
2. Enter a product name (e.g., "HPE XFS") in the text search field and wait for a list of Suggested Products to display.
3. From the Suggested Products list displayed, identify the desired product and select it. The page should refresh to display the "DRIVERS AND SOFTWARE" tab and the components that support the selected product.
4. From the "DRIVERS AND SOFTWARE" expandable filter menus on the left side of the page:
   a. Select the Release Date.
   b. Locate and select the applicable HPE XFS patch, for example, HPE XFS 8.8.0 patch #2 for DMF Suite 4.8.0 (or later).
   Note: To ensure that you have selected the latest version of the firmware/driver, click the Revision History tab to check if a new version of the firmware/driver is available. For more important information, review the Release Notes tab.
5. Click the Download button.