Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2022-29500: slurm_20_02,slurm_18_08,slurm_20_11,slurm,slurmlibs: architectural flaw can be exploited to allow an unprivileged user to execute arbitrary processes as root | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Hu <cathy.hu> |
| Component: | Incidents | Assignee: | HPC Issue Tracker <hpc-bugs> |
| Status: | IN_PROGRESS --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P1 - Urgent | CC: | gabriele.sonnu, hpc-bugs, meissner, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/330835/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2022-29500:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
Hu
2022-05-06 12:08:02 UTC
Affected:

- SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs 16.05.8.1
- SUSE:SLE-12-SP2:GA:Products:Update/slurm 17.02.11
- SUSE:SLE-15:Update/slurm 17.11.13
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08 18.08.9
- SUSE:SLE-15-SP1:Update/slurm 18.08.9
- SUSE:SLE-15:Update/slurm_18_08 18.08.9
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02 20.02.7
- SUSE:SLE-15-SP1:Update/slurm_20_02 20.02.7
- SUSE:SLE-15-SP2:Update/slurm 20.02.7
- openSUSE:Backports:SLE-15-SP3/slurm 20.11.5
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP2:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP1:Update/slurm_20_11 20.11.7
- SUSE:SLE-15-SP3:Update/slurm 20.11.7
- openSUSE:Factory/slurm 21.08.7

This is an autogenerated message for OBS integration:
This bug (1199278) was mentioned in
https://build.opensuse.org/request/show/976280 Factory / slurm

SUSE-SU-2022:1666-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm-20.11.9-150300.4.6.1
- openSUSE Leap 15.3 (src): slurm-20.11.9-150300.4.6.1
- SUSE Linux Enterprise Module for HPC 15-SP4 (src): slurm-20.11.9-150300.4.6.1
- SUSE Linux Enterprise Module for HPC 15-SP3 (src): slurm-20.11.9-150300.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:1726-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
- SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_11-20.11.9-3.11.1

SUSE-SU-2022:1815-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_11-20.11.9-150100.3.14.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_11-20.11.9-150100.3.14.1

SUSE-SU-2022:1831-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm_20_11-20.11.9-150200.6.10.1
- openSUSE Leap 15.3 (src): slurm_20_11-20.11.9-150200.6.10.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): slurm_20_11-20.11.9-150200.6.10.1
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): slurm_20_11-20.11.9-150200.6.10.1

Gabriele, we have been working on these backports - they are hefty and require thorough testing. Presently, we are blocked by the server room outages where the machines we need for testing live.

Updates for Slurm 17.11 (SUSE:SLE-15:Update) and 17.02 (SUSE:SLE-12-SP2:GA:Products:Update) have just been pushed:

- 17.11 - SR#280673
- 17.02 - SR#280683

This concludes the series of updates.

We will not publish an update for libslurm 16.05 as this doesn't really make sense: libslurm doesn't provide a library API only, it also provides a wire protocol. The latter has only limited backward compatibility and thus applications built against libslurm for Slurm 16.05 may not work. We have succeeded Slurm 16.05 by 17.02, thus anyone installing Slurm on SLE-12 service packs (or updating it) will get 17.02. We do not ship any package linking against libslurm from Slurm 16.08. It should be release noted that users who use self-built software linking against this version (libslurm29) should rebuild their software.

SUSE-SU-2022:3454-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- SUSE Linux Enterprise Module for HPC 12 (src): slurm_18_08-18.08.9-3.17.1

SUSE-SU-2022:3468-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm-18.08.9-150100.3.22.1
- openSUSE Leap 15.3 (src): slurm-18.08.9-150100.3.22.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm-18.08.9-150100.3.22.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm-18.08.9-150100.3.22.1

SUSE-SU-2022:3462-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm_18_08-18.08.9-150000.1.17.1
- openSUSE Leap 15.3 (src): slurm_18_08-18.08.9-150000.1.17.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm_18_08-18.08.9-150000.1.17.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm_18_08-18.08.9-150000.1.17.1

SUSE-SU-2022:3477-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- SUSE Linux Enterprise Module for HPC 12 (src): slurm_20_02-20.02.7-3.14.1

SUSE-SU-2022:3490-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm-20.02.7-150200.3.14.2
- openSUSE Leap 15.3 (src): slurm-20.02.7-150200.3.14.2
- SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): slurm-20.02.7-150200.3.14.2
- SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): slurm-20.02.7-150200.3.14.2

SUSE-SU-2022:3491-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm_20_02-20.02.7-150100.3.24.1
- openSUSE Leap 15.3 (src): slurm_20_02-20.02.7-150100.3.24.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): slurm_20_02-20.02.7-150100.3.24.1
- SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): slurm_20_02-20.02.7-150100.3.24.1

SUSE-SU-2022:3497-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- SUSE Linux Enterprise Module for HPC 12 (src): slurm-17.02.11-6.53.1

SUSE-SU-2022:3535-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References:
Sources used:
- openSUSE Leap 15.4 (src): slurm-17.11.13-150000.6.40.1
- openSUSE Leap 15.3 (src): slurm-17.11.13-150000.6.40.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (src): slurm-17.11.13-150000.6.40.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): slurm-17.11.13-150000.6.40.1