[QSA-1209233] Slurm vulnerabilities

Qlustar Security Advisory 1209233

December 9th, 2023


Summary:

Slurm vulnerabilities

Package(s)       : qlustar-module-slurm-focal-amd64-12.0.3,
                   qlustar-module-slurm-jammy-amd64-13.1,
                   qlustar-module-slurm-centos8-amd64-13.1
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : Privilege escalation
Problem type     : local
Qlustar-specific : no
CVE Id(s)        : CVE-2023-41914

Relevant to Qlustar 12.0 and 13

A number of race conditions have been identified within the slurmd/slurmstepd processes that can lead to the user taking ownership of an arbitrary file on the system. A related issue can lead to the user overwriting an arbitrary file on the compute node (although with data that is not directly under their control). A related issue can also lead to the user deleting all files and sub-directories of an arbitrary target directory on the compute node.

François Diakhate (CEA) reported the original issue. Subsequently, a number of related issues were found during an extensive audit of Slurm's filesystem handling code in reaction to that report; they are included in this same disclosure.

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-slurm-jammy-amd64-13.1      13.1.2-b569f1521
qlustar-module-slurm-centos8-amd64-13.1    13.1.2-b569f1521

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.1-b566f1520