[QSA-0929232] Security Update Bundle

Qlustar Security Advisory 0929232

September 29th, 2023

Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and 12.0

file vulnerability

It was discovered that file incorrectly handled certain malformed files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.

GRUB2 vulnerabilities

Daniel Axtens discovered that specially crafted images could cause a heap-based out-of-bonds write. A local attacker could possibly use this to circumvent secure boot protections.

Daniel Axtens discovered that specially crafted images could cause out-of-bonds read and write. A local attacker could possibly use this to circumvent secure boot protections.

Daniel Axtens discovered that specially crafted images could cause buffer underwrite which allows arbitrary data to be written to a heap. A local attacker could possibly use this to circumvent secure boot protections.

It was discovered that GRUB2 configuration files were created with the wrong permissions. An attacker could possibly use this to leak encrypted passwords.

Daniel Axtens discovered that specially crafted IP packets could cause an integer underflow and write past the end of a bugger. An attacker could possibly use this to circumvent secure boot protections.

Daniel Axtens discovered that specially crafted HTTP headers can cause an out-of-bounds write of a NULL byte. An attacker could possibly use this to corrupt GRUB2’s internal data.

Julian Andres Klode discovered that GRUB2 shim_lock allowed non- kernel files to be loaded. A local attack could possibly use this to circumvent secure boot protections.

Chris Coulson discovered that executing chainloaders more than once caused a use-after-free vulnerability. A local attack could possibly use this to circumvent secure boot protections.

Chris Coulson discovered that specially crafted executables could cause shim to make out-of-bound writes. A local attack could possibly use this to circumvent secure boot protections.

Zhang Boyang discovered that specially crafted unicode sequences could lead to an out-of-bounds write to a heap. A local attacker could possibly use this to circumvent secure boot protections.

Python vulnerability

It was discovered that Python did not properly handle XML entity declarations in plist files. An attacker could possibly use this vulnerability to perform an XML External Entity (XXE) injection, resulting in a denial of service or information disclosure.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information.

It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

Vim vulnerabilities

It was discovered that Vim incorrectly handled memory when opening certain files. If an attacker could trick a user into opening a specially crafted file, it could cause Vim to crash, or possibly execute arbitrary code.

It was discovered that Vim did not properly perform bounds checks in the diff mode in certain situations. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim did not properly perform bounds checks in certain situations. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory when skipping compiled code. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory when invalid line number on “:for” is ignored. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory when passing invalid arguments to the assert_fails() method. An attacker could possibly use this issue to cause a denial of service.

Vim vulnerabilities

It was discovered that Vim incorrectly handled memory when deleting buffers in diff mode. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory access. An attacker could possibly use this issue to cause the corruption of sensitive information, a crash, or arbitrary code execution.

It was discovered that Vim incorrectly handled memory when using nested :source. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim did not properly perform bounds checks when processing a menu item with the only modifier. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim did not properly perform bounds checks when going over the end of the typahead. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim did not properly perform bounds checks when reading the provided string. An attacker could possibly use this issue to cause a denial of service.

It was discovered that Vim incorrectly handled memory when adding words with a control character to the internal spell word list. An attacker could possibly use this issue to cause a denial of service.

CentOS 7.9 / AlmaLinux 8.8 security updates

Please check the CentOS mailing list for details about CentOS 7 updates and the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from July 26th until September 27th).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.1       13.1.0-b565f1513
qlustar-module-core-centos8-amd64-13.1     13.1.0-b565f1513

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.0-b566f1512
qlustar-module-core-centos7-amd64-12.0.3   12.0.3.0-b566f1512

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point since the earlier ones were generated with a 1 year validity. Now they are generated with an unlimited validity. To check the expiration date execute
```
# openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter
```
To regenerate the certificate with unlimited validity execute
```
# qluman-ldap-cli --update-certs
```
before rebooting the whole cluster.
Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.