[QSA-0524223] Slurm vulnerabilities

Qlustar Security Advisory 0524223

May 24th, 2022


Summary:

Slurm vulnerabilities

Package(s)       : slurmctld
                   slurmdbd
                   qlustar-module-slurm-focal-amd64-12.0.0
                   qlustar-module-slurm-centos7-amd64-12.0.0
                   qlustar-module-slurm-centos8-amd64-12.0.0
Qlustar releases : 12.0
Affected versions: All versions prior to this update
Vulnerability    : Privilege escalation
Problem type     : network
Qlustar-specific : no
CVE Id(s)        : CVE-2022-29500, CVE-2022-29501

Relevant to Qlustar 11.0 and 12.0

An architectural flaw in how credentials are handled can be exploited to allow an unprivileged user to impersonate the SlurmUser account. Access to the SlurmUser account can in turn be used to execute arbitrary processes as root. (CVE-2022-29500)

Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd processes in the cluster have been restarted. Once all daemons have been upgraded, sites are encouraged to add "block_null_hash" to CommunicationParameters. That new option provides additional protection against potential exploitation.
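The following is an added audit helper, not part of this advisory or of Qlustar: it reads a slurm.conf, reports whether "block_null_hash" is present in CommunicationParameters, and prints the line that would enable it while keeping any options already configured. It assumes a single uncommented CommunicationParameters line; the sample config is constructed, and on Qlustar the real file is written by QluMan, so the option belongs in the QluMan configuration rather than in a hand edit.

```shell
#!/bin/sh
# Added example (not Qlustar/Slurm code): audit slurm.conf for the
# block_null_hash option recommended after the CVE-2022-29500 fix.

# Print the whitespace-stripped value of the first uncommented
# CommunicationParameters line in FILE (empty if there is none).
comm_params_value() {
    grep -iE '^[[:space:]]*CommunicationParameters[[:space:]]*=' "$1" \
        | head -n 1 | sed 's/^[^=]*=//; s/[[:space:]]//g'
}

# Usage: null_hash_state FILE
# Prints one of: missing-param | missing-option | ok
# Exit status is 0 only when block_null_hash is already configured.
null_hash_state() {
    value=$(comm_params_value "$1")
    if [ -z "$value" ]; then
        echo "missing-param"; return 1
    fi
    # Match block_null_hash as a whole comma-separated token, ignoring case
    if printf '%s\n' "$value" | tr 'A-Z' 'a-z' | tr ',' '\n' | grep -qx 'block_null_hash'; then
        echo "ok"; return 0
    fi
    echo "missing-option"; return 1
}

# Usage: suggested_line FILE
# Prints the CommunicationParameters line that enables block_null_hash
# without dropping options that are already set.
suggested_line() {
    value=$(comm_params_value "$1")
    case "$(null_hash_state "$1")" in
        ok)            echo "CommunicationParameters=$value" ;;
        missing-param) echo "CommunicationParameters=block_null_hash" ;;
        *)             echo "CommunicationParameters=$value,block_null_hash" ;;
    esac
}

# Demo on a constructed slurm.conf fragment (NoAddrCache stands in for
# whatever a site already has configured).
demo=$(mktemp)
printf 'SlurmctldHost=head01\nCommunicationParameters=NoAddrCache\n' > "$demo"
if state=$(null_hash_state "$demo"); then
    echo "block_null_hash already set"
else
    echo "state=$state; suggested: $(suggested_line "$demo")"
fi
rm -f "$demo"
```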

An issue was discovered in a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. This vulnerability could allow an unprivileged user to send data to an arbitrary Unix socket on the host as the root user. (CVE-2022-29501)

Users of Qlustar 11.0 should update to Qlustar 12.0 to have these vulnerabilities fixed. They won’t be fixed for 11.0, since the necessary changes are too intricate.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0

slurmctld                                   21.08.8.2-ql.1+12-focal
slurmdbd                                    21.08.8.2-ql.1+12-focal
qlustar-module-slurm-focal-amd64-12.0.0     12.0.0.11-b547f1433
qlustar-module-slurm-centos7-amd64-12.0.0   12.0.0.11-b547f1433
qlustar-module-slurm-centos8-amd64-12.0.0   12.0.0.11-b547f1433

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:

  • On Qlustar 12: Also write the dnsmasq and slurm config with QluMan before rebooting.

    If your cluster was installed with a release earlier than 12.0.0.8-b546f1425, you will have to generate new LDAP certificates at some point, since the earlier ones were generated with a one-year validity. They are now generated with unlimited validity. To check the expiration date, execute

    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity, execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.