Bugzilla – Bug 1186024
[Slurm] VUL-0: CVE-2021-31215: slurm_20_11,slurm,slurmlibs,slurm_20_02,slurm_18_08: SchedMD Slurm allows remote code execution as SlurmUser
Last modified: 2023-09-11 12:12:08 UTC
CVE-2021-31215 SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31215 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31215 https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html https://www.schedmd.com/news.php?id=248#OPT_248
Affected packages: - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 N/A - SUSE:SLE-15-SP1:Update/slurm_20_02 N/A - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11 N/A - SUSE:SLE-15-SP1:Update/slurm_20_11 N/A - SUSE:SLE-15-SP2:Update/slurm_20_11 N/A - SUSE:SLE-15-SP2:Update/slurm 20.02.6 - SUSE:SLE-15-SP3:Update/slurm 20.11.5 - openSUSE:Factory/slurm 20.11.5 Upstream patch [0]. [0] https://github.com/SchedMD/slurm/commit/a9e9e2fedbd200ca545ab67dd753bd52c919f236.patch
I'm not sure, but I guess the following packages could be affected as well, but the vulnerable code is in a different location: src/slurmctld/job_scheduler.c - SUSE:SLE-12-SP2:GA:Products:Update/slurm - SUSE:SLE-15:Update/slurm - SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 - SUSE:SLE-15:Update/slurm_18_08 - SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs Can you, as maintainer of this package, confirm that? Thanks
The default configuration which we deliver starting with 18_08 is not vulnerable as the Prolog and Epilog options are not set. Still this options could have been changed by the customer or inherited by the 17.02 default configuration. Customers should disable them until a fix is delivered.
This is an autogenerated message for OBS integration: This bug (1186024) was mentioned in https://build.opensuse.org/request/show/893087 Factory / slurm
Hi Christian, (In reply to Christian Goll from comment #3) > The default configuration which we deliver starting with 18_08 is not > vulnerable as the Prolog and Epilog options are not set. > Still this options could have been changed by the customer or inherited by > the 17.02 default configuration. > Customers should disable them until a fix is delivered. If I've not misunderstood, you're confirming the following packages contains the affected code, which it won't be triggered thanks to out default configuration. - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 - SUSE:SLE-15-SP1:Update/slurm_20_02 - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11 - SUSE:SLE-15-SP1:Update/slurm_20_11 - SUSE:SLE-15-SP2:Update/slurm_20_11 - SUSE:SLE-15-SP2:Update/slurm - SUSE:SLE-15-SP3:Update/slurm - openSUSE:Factory/slurm - SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 - SUSE:SLE-15:Update/slurm_18_08 Could you share your opinion regarding the following packages: - SUSE:SLE-12-SP2:GA:Products:Update/slurm v.17.02.11 - SUSE:SLE-15:Update/slurm v.17.11.13 - SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs v.16.05.8.1 We need all the packages to be patched, because (as you already pointed out) the default configuration can be changed by our customers. Thanks for your input.
(In reply to Gianluca Gabrielli from comment #7) > Hi Christian, > > (In reply to Christian Goll from comment #3) > > The default configuration which we deliver starting with 18_08 is not > > vulnerable as the Prolog and Epilog options are not set. > > Still this options could have been changed by the customer or inherited by > > the 17.02 default configuration. > > Customers should disable them until a fix is delivered. > > If I've not misunderstood, you're confirming the following packages contains > the affected code, which it won't be triggered thanks to out default > configuration. > > - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 > - SUSE:SLE-15-SP1:Update/slurm_20_02 > - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11 > - SUSE:SLE-15-SP1:Update/slurm_20_11 > - SUSE:SLE-15-SP2:Update/slurm_20_11 > - SUSE:SLE-15-SP2:Update/slurm > - SUSE:SLE-15-SP3:Update/slurm > - openSUSE:Factory/slurm > - SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 > - SUSE:SLE-15:Update/slurm_18_08 > > Could you share your opinion regarding the following packages: > > - SUSE:SLE-12-SP2:GA:Products:Update/slurm v.17.02.11 > - SUSE:SLE-15:Update/slurm v.17.11.13 > - SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs v.16.05.8.1 > > We need all the packages to be patched, because (as you already pointed out) > the default configuration can be changed by our customers. > > Thanks for your input. With more research on this topic I think the impact is low, as one have run a vulnerable script with the option SlurmctldProlog or SlurmctldEpilog. The patch wich fixes this issue also leads to the suggestion that one also have to use a so called spank plugin which manipulates the environments variable for the SlurmctldProlog or SlurmctldEpilog script. I still have to find out, if the v17 and v16 are really vulnerable or not. Still the overall attack surface seems to be low, from my point of view, but I will try to fix these packages.
SUSE-SU-2021:1791-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1180700,1185603,1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_11-20.11.7-3.8.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1793-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1180700,1185603,1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_11-20.11.7-3.11.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_11-20.11.7-3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1789-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_02-20.02.7-3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1787-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 12 (src): slurm-17.02.11-6.50.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1790-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_02-20.02.7-3.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_02-20.02.7-3.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1788-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 12 (src): slurm_18_08-18.08.9-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1811-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm-18.08.9-3.19.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm-18.08.9-3.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1810-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 15-SP2 (src): slurm-20.02.7-3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0821-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: openSUSE Leap 15.2 (src): slurm-20.02.7-lp152.2.6.1
SUSE-SU-2021:1855-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm-17.11.13-6.37.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm-17.11.13-6.37.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm-17.11.13-6.37.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm-17.11.13-6.37.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1856-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm_18_08-18.08.9-1.14.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm_18_08-18.08.9-1.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2295-1: An update that solves one vulnerability and has two fixes is now available. Category: security (important) Bug References: 1180700,1185603,1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 15-SP2 (src): slurm_20_11-20.11.7-6.5.1 SUSE Linux Enterprise High Performance Computing 15-SP2 (src): slurm_20_11-20.11.7-6.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2473-1: An update that solves one vulnerability and has one errata is now available. Category: security (important) Bug References: 1180700,1186024 CVE References: CVE-2021-31215 JIRA References: Sources used: SUSE Linux Enterprise Module for HPC 15-SP3 (src): slurm-20.11.7-4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed.