[QSA-0808221] Linux kernel vulnerabilities

Qlustar Security Advisory 0808221

August 8th, 2022


Summary:

The system could crash or be made to run programs as an administrator.


Package(s)       : linux-image-ql-generic,
                   qlustar-module-core-bionic-amd64-11.0.1,
                   qlustar-module-core-focal-amd64-12.0.1,
                   qlustar-module-core-centos7-amd64-12.0.1,
                   qlustar-module-core-centos8-amd64-12.0.1
Qlustar releases : 11.0, 12.0
Affected versions: All versions prior to this update
Vulnerability    : privilege escalation/denial of service
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : Not documented

A number of vulnerabilities and bugs have been discovered in the 5.4.x Linux kernel series since the last Qlustar 12.0 release based on 5.4.199. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 5.4.199 up to the current Qlustar kernel 5.4.209:

Linux kernel 5.4.209
Linux kernel 5.4.208
Linux kernel 5.4.207
Linux kernel 5.4.206
Linux kernel 5.4.205
Linux kernel 5.4.204
Linux kernel 5.4.203
Linux kernel 5.4.202
Linux kernel 5.4.201
Linux kernel 5.4.200

A number of vulnerabilities and bugs have been discovered in the 4.19.x Linux kernel series since the last Qlustar 11.0 release based on 4.19.248. They may lead to a denial of service or privilege escalation. Please check the following web pages that contain details of the fixes in each release after 4.19.248 up to the current Qlustar kernel 4.19.254:

Linux kernel 4.19.254
Linux kernel 4.19.253
Linux kernel 4.19.252
Linux kernel 4.19.251
Linux kernel 4.19.250
Linux kernel 4.19.249

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0

linux-image-ql-generic                     5.4.209-ql-generic-12.0-19
qlustar-module-core-focal-amd64-12.0.1     12.0.1.0-b548f1441
qlustar-module-core-centos7-amd64-12.0.1   12.0.1.0-b548f1441
qlustar-module-core-centos8-amd64-12.0.1   12.0.1.0-b548f1441

For Qlustar 11.0

linux-image-ql-generic                     4.19.254-ql-generic-11.0-33
qlustar-module-core-bionic-amd64-11.0.1    11.0.1.17-b549f1440

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
    

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs
    

    before rebooting the whole cluster.

  • On Qlustar 11: Also perform the manual steps ‘7. Migration to GRUB PXE booting’ and ‘11. Adjust root bash shell initialization’ as described in the Release Notes if you haven’t done so yet.