[QSA-0524223] Slurm vulnerabilities
Qlustar Security Advisory 0524223
May 24th, 2022
Package(s) : slurmctld slurmdbd qlustar-module-slurm-focal-amd64-12.0.0 qlustar-module-slurm-centos7-amd64-12.0.0 qlustar-module-slurm-centos8-amd64-12.0.0
Qlustar releases : 12.0
Affected versions: All versions prior to this update
Vulnerability : Privilege escalation
Problem type : network
Qlustar-specific : no
CVE Id(s) : CVE-2022-29500, CVE-2022-29501
Relevant to Qlustar 11.0 and 12.0
An architectural flaw with how credentials are handled can be exploited to allow an unprivileged user to impersonate the SlurmUser account. Access to the SlurmUser account can be used to execute arbitrary processes as root. (CVE-2022-29501)
Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd processes in the cluster have been restarted. Once all daemons have been upgraded, sites are encouraged to add "block_null_hash" to CommunicationParameters. That new option provides additional protection against a potential exploit.
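The post-upgrade hardening described above, as an added example that is not part of this advisory or of Qlustar's tooling: a POSIX shell check that reports whether a slurm.conf already lists block_null_hash in CommunicationParameters, run here against two constructed sample configs (the sample file contents and the function names are assumptions, not Qlustar files).

```shell
#!/bin/sh
# Added example (not Qlustar code): verify that slurm.conf enables
# block_null_hash in CommunicationParameters after the daemon upgrade.

# has_block_null_hash /path/to/slurm.conf
# Returns 0 when block_null_hash is listed in CommunicationParameters,
# 1 otherwise. Comment lines are ignored and matching is
# case-insensitive, as slurm.conf keys and option names are.
has_block_null_hash() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Take the last uncommented CommunicationParameters line, split its
    # comma-separated option list, strip whitespace, look for the option.
    grep -v '^[[:space:]]*#' "$conf" \
      | grep -i '^[[:space:]]*CommunicationParameters[[:space:]]*=' \
      | tail -n 1 \
      | cut -d= -f2- \
      | tr ',' '\n' \
      | sed 's/[[:space:]]//g' \
      | grep -qi '^block_null_hash$'
}

# report /path/to/slurm.conf : human-readable verdict for one file.
report() {
    if has_block_null_hash "$1"; then
        echo "$1: block_null_hash set"
    else
        echo "$1: block_null_hash MISSING - add it, then restart slurmctld/slurmd/slurmdbd"
    fi
}

# Constructed sample configs (assumed content, written to a temp dir).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
printf '%s\n' 'ClusterName=demo' \
  '# CommunicationParameters=block_null_hash' \
  'CommunicationParameters=NoAddrCache' > "$TMPD/before.conf"
printf '%s\n' 'ClusterName=demo' \
  'communicationparameters = NoAddrCache, block_null_hash' > "$TMPD/after.conf"

report "$TMPD/before.conf"
report "$TMPD/after.conf"
```

Point it at /etc/slurm/slurm.conf (or wherever QluMan writes the config) on a live node; the commented-out line in before.conf shows why the check must ignore comments rather than grep the whole file.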
An issue was discovered with a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. This vulnerability could allow an unprivileged user to send data to an arbitrary unix socket on the host as the root user. (CVE-2022-29501)
Users of Qlustar 11.0 should update to Qlustar 12.0 to have these vulnerabilities fixed. They won’t be fixed for 11.0, since the necessary changes are too intricate.
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 12.0
slurmctld 21.08.8.2-ql.1+12-focal
slurmdbd 21.08.8.2-ql.1+12-focal
qlustar-module-slurm-focal-amd64-12.0.0 22.214.171.124-b547f1433
qlustar-module-slurm-centos7-amd64-12.0.0 126.96.36.199-b547f1433
qlustar-module-slurm-centos8-amd64-12.0.0 188.8.131.52-b547f1433
Special Update instructions:
In addition to the steps described in the general Qlustar Update Instructions, these updates require the following:
- On Qlustar 12: Also write the dnsmasq and slurm config with QluMan before rebooting. If your
  cluster was installed with a release earlier than 184.108.40.206-b546f1425, you will have to
  generate new LDAP certificates at some point, since the earlier ones were generated with a
  1-year validity. They are now generated with unlimited validity. To check the expiration date, run
  # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
  To regenerate the certificate with unlimited validity, execute
  # qluman-ldap-cli --update-certs
  before rebooting the whole cluster.