[QSA-0507183] slurmdbd vulnerability

Qlustar Security Advisory 0507183

May 7th, 2018


Summary:

The system could be made to run programs as an administrator, and data loss is possible.


    Package(s)       : slurmdbd
    Qlustar releases : 10.0
    Affected versions: All versions prior to this update
    Vulnerability    : privilege escalation / data loss
    Problem type     : local
    Qlustar-specific : no
    CVE Id(s)        : CVE-2018-7033
  

Several issues were discovered with incomplete sanitization of user-provided text strings in the Slurm database daemon, which could potentially lead to SQL injection attacks against SlurmDBD itself. Such exploits could lead to a loss of accounting data, or escalation of user privileges on Qlustar clusters where Slurm is installed.

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions, but note that the update only needs to be done on the cluster head-node):

    slurmdbd    17.02.10-ql.1+xenial
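
To confirm that the head-node runs a fixed build, the following added example (not part of the Qlustar advisory) compares the installed slurmdbd package against the version listed above using dpkg. The function names and the `--check` argument are conventions of this script only.

```shell
#!/bin/sh
# Added example: check slurmdbd against the fixed version from QSA-0507183.
# Run on the cluster head-node as: sh check_slurmdbd.sh --check
# (the file name is an assumption)

# Fixed package version, taken from the advisory text.
FIXED_VERSION='17.02.10-ql.1+xenial'

# Print the installed slurmdbd version; fail if it is not fully installed.
installed_slurmdbd_version() {
    dpkg-query -W -f='${Status}\t${Version}\n' slurmdbd 2>/dev/null |
        awk -F'\t' '$1 == "install ok installed" { print $2; found = 1 }
                    END { exit !found }'
}

# Succeed if the given version is at or above the fixed version.
# dpkg applies Debian version ordering, so 17.02.10 sorts after 17.02.9.
slurmdbd_is_patched() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Return 0 = fixed, 1 = update required, 2 = package not installed.
check_head_node() {
    if ! ver=$(installed_slurmdbd_version); then
        echo "slurmdbd: not installed on this node"
        return 2
    fi
    if slurmdbd_is_patched "$ver"; then
        echo "slurmdbd $ver: includes the QSA-0507183 fix"
        return 0
    fi
    echo "slurmdbd $ver: older than $FIXED_VERSION, update required"
    return 1
}

if [ "${1:-}" = "--check" ]; then
    check_head_node
    exit $?
fi
```

The exit status distinguishes a fixed node (0), a node that still needs the update (1), and a node without slurmdbd (2), so the script can be used from a monitoring job.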
  