Bug 1155784 (CVE-2019-19727) - VUL-0: CVE-2019-19727: slurm: slurmdbd: slurmdbd.conf has an insecure Permission by default
Summary: VUL-0: CVE-2019-19727: slurm: slurmdbd: slurmdbd.conf has an insecure Permiss...
Status: RESOLVED FIXED
Alias: CVE-2019-19727
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All SLES 15
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Egbert Eich
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/246283/
Whiteboard: CVSSv3:SUSE:CVE-2019-19727:4.0:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-04 11:28 UTC by Egbert Eich
Modified: 2023-09-11 12:11 UTC (History)
5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Egbert Eich 2019-11-04 11:28:23 UTC
slurmdbd.conf may hold the database access password for the slurm user. Therefore it is recommended to not give other users read access to this file. It should have permission 0600 when installed.
Comment 1 Matthias Gerstner 2019-11-04 12:19:32 UTC
So this is about the subpackage slurm-slurmdbd. Basically it's a packaging
error then, right? If so then security team will need to assign a SUSE CNA CVE
for this issue.
Comment 2 Egbert Eich 2019-11-04 12:45:02 UTC
(In reply to Matthias Gerstner from comment #1)
> So this is about the subpackage slurm-slurmdbd. Basically it's a packaging
> error then, right? If so then security team will need to assign a SUSE CNA CVE
> for this issue.

This situation can be mitigated by improving the package, yes.
To mitigate the issue retrospectively on update, some code is required, similar to bsc#1155075, on which I'm still waiting for an answer from the security team to my proposal, to be sure I handle this correctly.
Comment 3 Johannes Segitz 2019-11-22 10:33:06 UTC
A similar issue is in the upstream spec file. They only install slurmdbd.conf.example, but it's also world readable. So it's not a SUSE-only issue and we can't assign a CVE. I'll talk to upstream about how they want to handle this.
Comment 4 Egbert Eich 2019-12-06 19:38:18 UTC
The example file should not matter here. We install as well with the 'insecure' permissions. Of course I can change this if you think this is an issue.
Comment 16 Johannes Segitz 2019-12-13 07:48:38 UTC
This is CVE-2019-19727. Upstream confirmed.
CRD: 2019-12-20
Comment 17 Egbert Eich 2019-12-21 08:39:12 UTC
Announced on Dec 20, 2019:
https://www.schedmd.com/news.php
Comment 18 Marcus Meissner 2019-12-21 14:20:58 UTC
Is public, see above URL.

Slurm versions 19.05.5 and 18.08.9 are now available (CVE-2019-19727 and CVE-2019-19728)

SchedMD News Release: Dec 20, 2019

Slurm versions 19.05.5 and 18.08.9 are now available, and include a series of recent bug fixes, as well as a fix for two moderate security vulnerabilities discussed below.

SchedMD customers were informed on December 11th and provided a patch on request; this process is documented in our security policy.

CVE-2019-19727:
Johannes Segitz from SUSE reported that slurmdbd.conf may be installed with insecure permissions by certain Slurm packaging systems.

Slurm itself — as shipped by SchedMD — does not manage slurmdbd.conf directly, but the slurmdbd.conf.example sets a poor example by installing itself with 0644 permissions instead of 0600 in both the slurm.spec and slurm.spec-legacy packaging scripts.

Sites are encouraged to verify that the slurmdbd.conf file - which usually will contain your MySQL user and password - is secure on their clusters. Note that this configuration file is only needed by the slurmdbd primary (and optional backup) servers, and does not need to be accessible throughout the cluster.

CVE-2019-19728:
Harald Barth from the KTH Royal Institute of Technology reported that "srun --uid" may not always drop into the correct user account, and instead will print a warning message but launch the tasks as root.

Note that "srun --uid" is only available to the root user, and that this issue is only shown by a race condition between successive lookup calls within the srun client command. SchedMD does not recommend use of the "srun --uid" option (e.g., it does not load the target user's environment but will export the root user's) and may remove this option in a future release.

Downloads are available here.
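As an added example (not code from the bug report or from SchedMD), the following shell check does what the advisory asks sites to do: it passes only when slurmdbd.conf has no group or other permission bits set, reports whether a StoragePass line is present without printing its value, and runs against a constructed sample file. It assumes GNU coreutils `stat` (Linux); StorageUser and StoragePass are the slurmdbd.conf parameters that hold the MySQL credentials.

```shell
#!/bin/sh
# Added example, not from the bug report or SchedMD: verify that a slurmdbd.conf
# is readable by its owner only. Assumes GNU coreutils `stat`; the sample file,
# owner and contents below are constructed, no real credentials are involved.

# Returns 0 when no group/other bits are set (0600 or stricter), 1 when any
# group or other bit is set, 2 when the file is missing. Never prints the
# password itself, only whether a StoragePass line exists in the file.
check_slurmdbd_conf() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(stat -c '%a' "$file")        # e.g. 644, 600, or 4 digits with suid/sgid/sticky
    owner=$(stat -c '%U' "$file")
    perm=${mode#"${mode%???}"}          # keep only the last three digits (user/group/other)
    has_pass=no
    grep -qi '^[[:space:]]*StoragePass[[:space:]]*=' "$file" && has_pass=yes
    case "$perm" in
        ?00) echo "ok: $file mode $mode owner $owner (StoragePass present: $has_pass)"
             return 0 ;;
        *)   echo "INSECURE: $file mode $mode owner $owner, expected 0600 (StoragePass present: $has_pass)"
             return 1 ;;
    esac
}

# Demonstration on a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/slurmdbd.conf"
printf 'StorageUser=slurm\nStoragePass=constructed-example\n' > "$demo_conf"
chmod 0644 "$demo_conf"                 # the packaging default the advisory describes
check_slurmdbd_conf "$demo_conf" || :   # expected: INSECURE, exit status 1
chmod 0600 "$demo_conf"                 # the remediation
check_slurmdbd_conf "$demo_conf"        # expected: ok, exit status 0
rm -rf "$demo_dir"
```

In an RPM spec the packaging-side equivalent is an `%attr(0600, slurm, slurm)` entry for the file, so the corrected mode is applied at install time rather than fixed up afterwards.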
Comment 19 Swamp Workflow Management 2019-12-23 20:15:50 UTC
SUSE-SU-2019:3385-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1123304,1153259,1155784,1158696
CVE References: CVE-2019-6438
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm-17.02.11-6.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Egbert Eich 2020-01-02 09:58:02 UTC
Backport has been released for SLE-12 (HPC Module) as well.
Comment 22 Swamp Workflow Management 2020-01-08 20:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (1155784) was mentioned in
https://build.opensuse.org/request/show/761961 Factory / slurm
Comment 24 Swamp Workflow Management 2020-01-16 14:23:31 UTC
SUSE-SU-2020:0110-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1140709,1153095,1153259,1155784,1158696,1159692
CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    slurm-18.08.9-3.10.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    slurm-18.08.9-3.10.1
Comment 25 Swamp Workflow Management 2020-01-21 14:15:23 UTC
openSUSE-SU-2020:0085-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1140709,1153095,1153259,1155784,1158696,1159692
CVE References: CVE-2019-12838,CVE-2019-19727,CVE-2019-19728
Sources used:
openSUSE Leap 15.1 (src):    slurm-18.08.9-lp151.2.6.1
Comment 26 Swamp Workflow Management 2020-01-24 14:13:49 UTC
SUSE-SU-2020:0228-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1153259,1155784,1158696
CVE References: CVE-2019-19727
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    slurm-17.11.13-6.23.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    slurm-17.11.13-6.23.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    slurm-17.11.13-6.23.1
SUSE Linux Enterprise Module for HPC 15 (src):    slurm-17.11.13-6.23.1
Comment 27 Swamp Workflow Management 2020-02-24 23:13:15 UTC
SUSE-SU-2020:0443-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1158709,1158798,1159692
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    pdsh-2.33-7.6.1
SUSE Linux Enterprise Module for HPC 15 (src):    pdsh-2.33-7.6.1, slurm_18_08-18.08.9-1.5.2
Comment 31 Swamp Workflow Management 2020-09-11 10:37:57 UTC
SUSE-SU-2020:2607-1: An update that solves 9 vulnerabilities, contains four features and has 22 fixes is now available.

Category: security (moderate)
Bug References: 1007053,1018371,1031872,1041706,1065697,1084125,1084917,1085240,1085606,1086859,1088693,1090292,1095508,1100850,1103561,1108671,1109373,1116758,1123304,1140709,1153095,1153259,1155784,1158696,1159692,1161716,1162377,1164326,1164386,1172004,1173805
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693
JIRA References: SLE-10800,SLE-7341,SLE-7342,SLE-8491
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh_slurm_18_08-2.34-7.26.2, pdsh_slurm_20_02-2.34-7.26.2, slurm_20_02-20.02.3-3.5.1
Comment 33 Swamp Workflow Management 2020-12-18 20:18:17 UTC
SUSE-SU-2020:3878-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1153259,1155784,1178890,1178891
CVE References: CVE-2020-27745,CVE-2020-27746
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 15-SP1 (src):    slurm-17.11.13-6.34.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    slurm-17.11.13-6.34.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    slurm-17.11.13-6.34.1
Comment 37 Swamp Workflow Management 2021-03-12 17:18:11 UTC
SUSE-SU-2021:0773-1: An update that fixes 11 vulnerabilities and contains one feature is now available.

Category: security (important)
Bug References: 1018371,1065697,1085240,1095508,1123304,1140709,1155784,1159692,1172004,1178890,1178891
CVE References: CVE-2016-10030,CVE-2017-15566,CVE-2018-10995,CVE-2018-7033,CVE-2019-12838,CVE-2019-19727,CVE-2019-19728,CVE-2019-6438,CVE-2020-12693,CVE-2020-27745,CVE-2020-27746
JIRA References: ECO-2412
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    pdsh-2.34-7.32.1, pdsh_slurm_18_08-2.34-7.32.1, pdsh_slurm_20_02-2.34-7.32.1, pdsh_slurm_20_11-2.34-7.32.1, slurm_20_11-20.11.4-3.5.1