It was discovered [1] that the Linux kernel modules esp4, esp6 and rxrpc contain a logic flaw allowing a local attacker to escalate privileges to root. All Qlustar 13 and 14 Ubuntu releases are vulnerable to this bug, although the public exploit does not work on Qlustar 13 Ubuntu releases. To mitigate the issue until kernel updates are made available, proceed as follows:

On the head-node execute:

$ cat > /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules << EOF
#!/bin/bash
modules_to_be_removed="esp4 esp6 rxrpc"
for mod in \$modules_to_be_removed; do
  mod_paths=\$(find /usr/lib/modules/\$(uname -r) -name "\$mod.*")
  if [ -n "\$mod_paths" ]; then
    echo "Found vulnerable kernel module \$mod ==> Removing it"
    echo \$mod_paths | xargs rm -f
  fi
  rmmod \$mod > /dev/null 2>&1
done
EOF

$ chmod 755 /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules

Then, on all running cluster nodes including the head-node, execute:

$ /etc/qlustar/common/rc.boot/01-remove-vulnerable-kernel-modules

These changes will prevent loading the faulty kernel modules, which are not needed on any standard Qlustar HPC/AI/Storage cluster setup.
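
A check that can be run on each node after the procedure, added here as an example and not part of the Qlustar advisory: it reports any of the three modules that is still loaded or still has a file on disk, which is useful because the removal script discards the output of rmmod. The function name, its two path parameters and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Qlustar advisory: verify the mitigation on a node.
MODULES="esp4 esp6 rxrpc"   # module names taken from the advisory

# check_modules PROC_MODULES_FILE MODULE_DIR   (hypothetical helper)
# Prints one line per finding; returns 0 if the node is clean, 1 otherwise.
# Both paths are parameters so the check can also be run on test fixtures.
check_modules() (
  status=0
  for mod in $MODULES; do
    # /proc/modules has one loaded module per line, with the name in field 1.
    # Compare the whole field so that a longer name with the same prefix
    # is not reported as a match.
    if awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$1" 2>/dev/null; then
      echo "LOADED $mod"
      status=1
    fi
    # Same file pattern as the removal script: <mod>.ko, <mod>.ko.zst, ...
    files=$(find "$2" -type f -name "$mod.*" 2>/dev/null || true)
    if [ -n "$files" ]; then
      echo "ON-DISK $mod"
      status=1
    fi
  done
  exit "$status"
)

# Check the running kernel on this node.
if check_modules /proc/modules "/usr/lib/modules/$(uname -r)"; then
  echo "OK: esp4, esp6 and rxrpc are neither loaded nor on disk on $(uname -n)"
else
  echo "Mitigation incomplete on $(uname -n)"
fi
```

A LOADED line after the removal script has run means rmmod could not unload that module, typically because it is in use.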

[1] https://dirtyfrag.io