Bug 1085240 - (CVE-2018-7033) VUL-0: CVE-2018-7033: slurm: security release 17.02.10, and 17.11.5
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/201811/
Whiteboard: CVSSv3:SUSE:CVE-2018-7033:4.4:(AV:L/A...
Depends on:
Blocks:
Reported: 2018-03-14 08:47 UTC by Marcus Meissner
Modified: 2022-11-04 15:08 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Swamp Workflow Management 2018-03-15 20:30:04 UTC
This is an autogenerated message for OBS integration:
This bug (1085240) was mentioned in
https://build.opensuse.org/request/show/587618 Factory / slurm
Comment 4 Marcus Meissner 2018-03-15 22:09:49 UTC
https://www.schedmd.com/news.php
Slurm versions 17.02.10 and 17.11.5 are now available

SchedMD News Release: Mar 15, 2018

Slurm versions 17.02.10 and 17.11.5 are now available, and include a series of recent bug fixes, as well as a fix for a recently discovered security vulnerability (CVE-2018-7033).

Downloads are available here.

Several issues were discovered with incomplete sanitization of user-provided text strings, which could potentially lead to SQL injection attacks against SlurmDBD itself. Such exploits could lead to a loss of accounting data, or escalation of user privileges on the cluster.

We believe that variations on these vulnerabilities exist in all past SlurmDBD implementations back to Slurm 1.3 when the SlurmDBD was introduced, continuing through the current supported stable releases (17.02 and 17.11).

SchedMD customers were informed on March 1st and provided a patch on request. This is in keeping with our responsible disclosure process.

The only safe mitigation, aside from installing these updated versions, is to disable slurmdbd on your system.

One additional note: some sites have reported issues when upgrading to the Slurm 17.11 release series while using MySQL version 5.1 (which was the default in RHEL 6) and older. SchedMD customers are encouraged to contact support before upgrading such systems, and/or to upgrade their MySQL installation ahead of a SlurmDBD upgrade to 17.11.
Comment 12 Swamp Workflow Management 2018-04-19 22:07:35 UTC
SUSE-SU-2018:0987-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1084125,1085240,1088693
CVE References: CVE-2018-7033
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm-17.02.10-6.16.1
Comment 13 Marcus Meissner 2018-04-20 05:28:36 UTC
released
Comment 21 Swamp Workflow Management 2020-02-24 23:12:45 UTC
SUSE-SU-2020:0443-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1158709,1158798,1159692
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15 (src):    pdsh-2.33-7.6.1, slurm_18_08-18.08.9-1.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2020-09-11 10:36:23 UTC
SUSE-SU-2020:2607-1: An update that solves 9 vulnerabilities, contains four features and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1007053,1018371,1031872,1041706,1065697,1084125,1084917,1085240,1085606,1086859,1088693,1090292,1095508,1100850,1103561,1108671,1109373,1116758,1123304,1140709,1153095,1153259,1155784,1158696,1159692,1161716,1162377,1164326,1164386,1172004,1173805
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693
JIRA References: SLE-10800,SLE-7341,SLE-7342,SLE-8491
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh_slurm_18_08-2.34-7.26.2, pdsh_slurm_20_02-2.34-7.26.2, slurm_20_02-20.02.3-3.5.1
Comment 29 Swamp Workflow Management 2021-03-12 17:17:44 UTC
SUSE-SU-2021:0773-1: An update that fixes 11 vulnerabilities and contains one feature is now available.

Category: security (important)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1159692,1172004,1178890,1178891
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693,CVE-2020-27745,CVE-2020-27746
JIRA References: ECO-2412
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh-2.34-7.32.1, pdsh_slurm_18_08-2.34-7.32.1, pdsh_slurm_20_02-2.34-7.32.1, pdsh_slurm_20_11-2.34-7.32.1, slurm_20_11-20.11.4-3.5.1