[QSA-0822242] Security Update Bundle

Qlustar Security Advisory 0822242

August 22nd, 2024


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS/AlmaLinux.

Package(s)       : see upstream description of individual package
Qlustar releases : 12.0, 13
Affected versions: All versions prior to this update
Vulnerability    : see upstream description of individual package
Problem type     : see upstream description of individual package
Qlustar-specific : no
CVE Id(s)        : see upstream description of individual package

This update includes several security related package updates from Debian/Ubuntu and CentOS/AlmaLinux. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 13 and 12.0

QEMU vulnerabilities

Markus Frank and Fiona Ebner discovered that QEMU did not properly handle certain memory operations, leading to a NULL pointer dereference. An authenticated user could potentially use this issue to cause a denial of service.

Xiao Lei discovered that QEMU did not properly handle certain memory operations when specific features were enabled, which could lead to a stack overflow. An attacker could potentially use this issue to leak sensitive information.

It was discovered that QEMU had an integer underflow vulnerability in the TI command, which would result in a buffer overflow. An attacker could potentially use this issue to cause a denial of service.

curl vulnerability

Dov Murik discovered that curl incorrectly handled parsing ASN.1 Generalized Time fields. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents.

OpenSSL vulnerabilities

It was discovered that OpenSSL incorrectly handled TLSv1.3 sessions when certain non-default TLS server configurations were in use. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service.

It was discovered that OpenSSL incorrectly handled checking excessively long DSA keys or parameters. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service.

William Ahern discovered that OpenSSL incorrectly handled certain memory operations in a rarely-used API. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

Joseph Birr-Pixton discovered that OpenSSL incorrectly handled calling a certain API with an empty supported client protocols buffer. A remote attacker could possibly use this issue to obtain sensitive information, or cause OpenSSL to crash, resulting in a denial of service.

Python vulnerabilities

It was discovered that the Python ssl module contained a memory race condition when handling the APIs to obtain the CA certificates and certificate store statistics. This could possibly result in applications obtaining wrong results, leading to various SSL issues.

It was discovered that the Python ipaddress module contained incorrect information about which IP address ranges were considered “private” or “globally reachable”. This could possibly result in applications applying incorrect security policies.

Apache HTTP Server vulnerability

It was discovered that the Apache HTTP Server incorrectly handled certain handlers configured via AddType. A remote attacker could possibly use this issue to obtain source code.

Python vulnerabilities

Devin Jeanpierre discovered that Python incorrectly handled sockets when the multiprocessing module was being used. A local attacker could possibly use this issue to execute arbitrary code and escalate privileges.

It was discovered that Python incorrectly handled certain inputs. If a user or an automated system were tricked into running a specially crafted input, a remote attacker could possibly use this issue to cause a denial of service.

It was discovered that Python instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake. An attacker could possibly use this issue to cause applications to treat unauthenticated received data before TLS handshake as authenticated data after TLS handshake.

It was discovered that Python incorrectly handled null bytes when normalizing pathnames. An attacker could possibly use this issue to bypass certain filename checks.

It was discovered that Python incorrectly handled symlinks in temp files. An attacker could possibly use this issue to modify the permissions of files.

It was discovered that Python incorrectly handled certain crafted zip files. An attacker could possibly use this issue to crash the program, resulting in a denial of service.

Apache HTTP Server vulnerabilities

Marc Stern discovered that the Apache HTTP Server incorrectly handled serving WebSocket protocol upgrades over HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service.

Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly sent certain request URLs with incorrect encodings to backends. A remote attacker could possibly use this issue to bypass authentication.

Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions.

Orange Tsai discovered that the Apache HTTP Server incorrectly handled certain response headers. A remote attacker could possibly use this issue to obtain sensitive information, execute local scripts, or perform SSRF attacks.

Orange Tsai discovered that the Apache HTTP Server mod_proxy module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service.

It was discovered that the Apache HTTP Server incorrectly handled certain handlers configured via AddType. A remote attacker could possibly use this issue to obtain source code.

AlmaLinux 8.10 security updates

Please check the AlmaLinux Errata site for details about AlmaLinux 8 updates that entered this release (everything from June 25th until August 22nd).

Update instructions:

The problem can be corrected by updating your system to the following or more recent package versions:

For Qlustar 13

qlustar-module-core-jammy-amd64-13.2       13.2.1-b569f1546
qlustar-module-core-centos8-amd64-13.2     13.2.1-b569f1546

For Qlustar 12.0

qlustar-module-core-focal-amd64-12.0.3     12.0.3.7-b566f1547

Special Update instructions:

In addition to the steps described in the general Qlustar Update Instructions these updates require the following:

  • On Qlustar 12, also perform the following manual steps if you haven’t done so yet: Write the dnsmasq and slurm config with QluMan before rebooting. If your cluster was installed with a release earlier than 12.0.0.8-b546f1425 you will have to generate new LDAP certificates at some point, since the earlier ones were generated with a 1-year validity. Now they are generated with an unlimited validity. To check the expiration date execute

    # openssl x509 -dates -in /etc/ssl/certs/qlustar-ca-cert.pem | grep notAfter

    To regenerate the certificate with unlimited validity execute

    # qluman-ldap-cli --update-certs

    before rebooting the whole cluster.

  • Please note that we no longer provide 12.x AlmaLinux 8 modules for Qlustar 12. If you want to use AlmaLinux 8 under Qlustar 12, please switch to the 13.x image modules and create a corresponding chroot for it.
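Added example, not part of this advisory or of Qlustar's tooling: a POSIX sh helper that parses the notAfter line produced by the openssl command above and reports how many days the LDAP CA certificate remains valid, so the regeneration step can be scheduled before the old 1-year certificates expire. The certificate path and the qluman-ldap-cli command come from the advisory; the function names are assumptions.

```shell
#!/bin/sh
# Added helper (not Qlustar's own): report how many days the LDAP CA
# certificate from the advisory remains valid, and remind the admin to run
# the regeneration command before it expires. Function names are assumptions.

# Days since 1970-01-01 for a proleptic Gregorian date (y >= 0 assumed).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Map the month abbreviation openssl prints to its number; fail on junk.
month_number() {
  case "$1" in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *) return 1;;
  esac
}

# days_until_notafter "notAfter=Aug 22 10:00:00 2025 GMT" [now_epoch]
# Prints whole days from now until notAfter (negative once expired).
days_until_notafter() {
  rest=${1#notAfter=}
  now=${2:-$(date +%s)}
  set -- $rest                 # -> Mon DD HH:MM:SS YYYY GMT
  mon=$(month_number "$1") || return 1
  exp=$(days_from_civil "$4" "$mon" "$2")
  echo $(( exp - now / 86400 ))
}

# check_ldap_ca [cert] [warn_days]: 0 if valid longer than warn_days,
# 1 if it expires within warn_days, 2 if the certificate cannot be read.
check_ldap_ca() {
  cert=${1:-/etc/ssl/certs/qlustar-ca-cert.pem}; warn=${2:-30}
  line=$(openssl x509 -dates -noout -in "$cert" | grep notAfter) || return 2
  left=$(days_until_notafter "$line") || return 2
  if [ "$left" -le "$warn" ]; then
    echo "$cert expires in $left day(s): run 'qluman-ldap-cli --update-certs' before rebooting" >&2
    return 1
  fi
  echo "$cert valid for another $left day(s)"
}
```

Run `check_ldap_ca` on the head node (optionally with a custom path and warning threshold in days); a non-zero exit means the certificate needs attention before the cluster reboot.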