[QSA-0424233] NVIDIA driver vulnerabilities

Qlustar Security Advisory 0424233

April 24th, 2023

Summary:

Nvidia vulnerabilities

Package(s)       : nvidia-graphics-drivers
                   qlustar-module-nvidia-jammy-amd64-13.0
                   qlustar-module-nvidia-centos8-amd64-13.0
                   qlustar-module-nvidia-focal-amd64-12.0.2
                   qlustar-module-nvidia-centos7-amd64-12.0.2
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : Privilege escalation
Problem type     : network
Qlustar-specific : no
CVE Id(s)        : See list mentioned below.

Relevant to Qlustar 12.0 and 13

NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The full list of fixes is listed here .

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 12.0 and 13

nvidia-graphics-drivers                      525.105.17-ql.1
qlustar-module-nvidia-jammy-amd64-13.0       13.0.3-b565f1486
qlustar-module-nvidia-centos8-amd64-13.0     13.0.3-b565f1486
qlustar-module-nvidia-focal-amd64-12.0.2     12.0.2.3-b566f1487
qlustar-module-nvidia-centos7-amd64-12.0.2   12.0.2.3-b566f1487

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute 
    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.
    Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.