[QSA-1209233] Slurm vulnerabilities
Qlustar Security Advisory 1209233
December 9th, 2023
Summary:
Slurm vulnerabilities
Package(s) : qlustar-module-slurm-focal-amd64-12.0.3,
qlustar-module-slurm-jammy-amd64-13.1,
qlustar-module-slurm-centos8-amd64-13.1
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability : Privilege escalation
Problem type : local
Qlustar-specific : no
CVE Id(s) : CVE-2023-41914
Relevant to Qlustar 12.0 and 13
A number of race conditions have been identified in the slurmd/slurmstepd processes that can let a local, unprivileged user take ownership of an arbitrary file on the compute node. A related issue can let the user overwrite an arbitrary file on the compute node (although with data that is not directly under their control). A further related issue can let the user delete all files and sub-directories of an arbitrary target directory on the compute node. All of these stem from slurmd/slurmstepd acting on user-influenced paths in the window between checking an object and operating on it.
François Diakhate (CEA) reported the original issue and subsequently, a number of related issues were found during an extensive audit of Slurm’s filesystem handling code in reaction to that report. They are included here in this same disclosure.
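The following is an illustrative example added to this advisory; it is not Slurm code and does not reproduce the exact flaw fixed under CVE-2023-41914. It shows the general pattern behind the class of bug described above (a privileged daemon that inspects a path and then acts on the same path by name, leaving a window in which a user who controls the parent directory can swap in a symlink), next to the descriptor-pinned pattern that closes the window for both the chown and the recursive-delete cases. Function names (racy_chown, pinned_chown, rmtree_pinned, demo) and the scratch directory under /tmp are the editor's own choices; demo() builds the scratch tree itself so the program runs offline.

```c
/* Illustrative example added by the editor, not Slurm's code. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: lstat() and chown() resolve `path` independently. Between the two
 * calls the owner of the parent directory can replace `path` with a symlink,
 * and chown() will then follow it to any file on the node. */
int racy_chown(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    /* ---- race window: a rename()/symlink() here redirects the chown ---- */
    return chown(path, uid, gid);
}

/* Pinned: open with O_NOFOLLOW so a symlink fails with ELOOP, verify the
 * type on the descriptor, and chown the descriptor. The fd refers to one
 * inode for its whole lifetime, so a later rename or symlink swap cannot
 * redirect the operation. O_NONBLOCK keeps a planted FIFO from hanging open(). */
int pinned_chown(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                       /* errno == ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    int rc = fchown(fd, uid, gid);
    int e = errno; close(fd); errno = e;
    return rc;
}

/* Remove `name` (relative to dirfd) and, if it is a directory, its contents,
 * never following symlinks: each level is opened with O_DIRECTORY|O_NOFOLLOW
 * and entries are removed with unlinkat() relative to that descriptor. A
 * symlink to a directory is unlinked as a link, not descended into. */
int rmtree_pinned(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        if (errno == ENOTDIR || errno == ELOOP)      /* plain file or symlink */
            return unlinkat(dirfd, name, 0);
        return -1;
    }
    DIR *d = fdopendir(fd);
    if (!d) { int e = errno; close(fd); errno = e; return -1; }
    struct dirent *e;
    int rc = 0;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        rc = rmtree_pinned(fd, e->d_name);         /* relative to the pinned dir */
    }
    closedir(d);                                    /* also closes fd */
    return rc == 0 ? unlinkat(dirfd, name, AT_REMOVEDIR) : rc;
}

/* Demo harness (constructed scratch tree under /tmp): checks that chown()
 * acts through a symlink while pinned_chown() refuses it, and that
 * rmtree_pinned() removes a symlink-to-directory without entering its target.
 * Returns a bitmask; 15 means every check behaved as described. */
int demo(void)
{
    char dir[] = "/tmp/qsa-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    char target[PATH_MAX], link[PATH_MAX], victim[PATH_MAX], doomed[PATH_MAX], p[PATH_MAX];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link,   sizeof link,   "%s/link",   dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(doomed, sizeof doomed, "%s/doomed", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(target, link) != 0) return -1;

    int result = 0;
    if (chown(link, getuid(), (gid_t)-1) == 0)                          result |= 1; /* followed the link */
    if (pinned_chown(link, getuid(), (gid_t)-1) < 0 && errno == ELOOP)  result |= 2; /* refused the link */
    if (pinned_chown(target, getuid(), (gid_t)-1) == 0)                 result |= 4; /* real file still works */

    /* victim/keep must survive removal of doomed/, which holds a link to victim/ */
    mkdir(victim, 0700); mkdir(doomed, 0700);
    snprintf(p, sizeof p, "%s/keep", victim);
    close(open(p, O_WRONLY | O_CREAT, 0600));
    snprintf(p, sizeof p, "%s/to-victim", doomed);
    symlink(victim, p);
    if (rmtree_pinned(AT_FDCWD, doomed) == 0 && access(doomed, F_OK) != 0) {
        snprintf(p, sizeof p, "%s/keep", victim);
        if (access(p, F_OK) == 0) result |= 8;
    }

    rmtree_pinned(AT_FDCWD, dir);                   /* cleanup of the scratch tree */
    return result;
}

int main(void) { printf("demo() = %d (15 means all checks passed)\n", demo()); return 0; }
```

The point to take from the example is that the fix for this bug class is not an extra lstat() check but removing the second name lookup altogether: once the daemon holds a descriptor obtained with O_NOFOLLOW (and O_DIRECTORY for directories), every subsequent fchown()/unlinkat()/openat() is bound to the inode it inspected, and a user who can rename or plant symlinks under the spool directory gains nothing from winning the race. The demo deliberately chowns files to the caller's own uid so it runs unprivileged; in slurmd the same calls run as root, which is what turns a followed symlink into ownership of an arbitrary file.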
Update instructions:
The problem can be corrected by updating your system to the following or more recent package versions:
For Qlustar 13
qlustar-module-slurm-jammy-amd64-13.1 13.1.2-b569f1521
qlustar-module-slurm-centos8-amd64-13.1 13.1.2-b569f1521
For Qlustar 12.0
qlustar-module-core-focal-amd64-12.0.3 12.0.3.1-b566f1520