Bug 1199279 – VUL-0: CVE-2022-29501: slurm_20_02,slurmlibs,slurm_20_11,slurm,slurm_18_08: Unprivileged user can send data to arbitrary unix socket as root

Bug 1199279 - (CVE-2022-29501) VUL-0: CVE-2022-29501: slurm_20_02,slurmlibs,slurm_20_11,slurm,slurm_18_08: Unprivileged user can send data to arbitrary unix socket as root

(CVE-2022-29501)
Summary:	VUL-0: CVE-2022-29501: slurm_20_02,slurmlibs,slurm_20_11,slurm,slurm_18_08: U...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	HPC Issue Tracker
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/330836/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-29501:8.8:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-05-06 12:23 UTC by Hu
Modified:	2023-03-02 17:05 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hu 2022-05-06 12:23:53 UTC

rh#2082287

An issue was discovered with a network RPC handler in the slurmd daemon 
used for PMI2 and PMIx support. This vulnerability could allow an 
unprivileged user to send data to an arbitrary unix socket on the host 
as the root user.

https://lists.schedmd.com/pipermail/slurm-announce/2022/000072.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2082287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29501
https://www.schedmd.com/news.php?id=260
https://lists.schedmd.com/pipermail/slurm-announce/
https://www.schedmd.com/news.php

Comment 1 Hu 2022-05-06 12:26:51 UTC

Affected:
- SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs          16.05.8.1
- SUSE:SLE-12-SP2:GA:Products:Update/slurm              17.02.11
- SUSE:SLE-15:Update/slurm                              17.11.13
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08        18.08.9
- SUSE:SLE-15-SP1:Update/slurm                          18.08.9
- SUSE:SLE-15:Update/slurm_18_08                        18.08.9
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02        20.02.7
- SUSE:SLE-15-SP1:Update/slurm_20_02                    20.02.7
- SUSE:SLE-15-SP2:Update/slurm                          20.02.7
- openSUSE:Backports:SLE-15-SP3/slurm                   20.11.5
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11        20.11.7
- SUSE:SLE-15-SP2:Update/slurm_20_11                    20.11.7
- SUSE:SLE-15-SP1:Update/slurm_20_11                    20.11.7
- SUSE:SLE-15-SP3:Update/slurm                          20.11.7
- openSUSE:Factory/slurm                                21.08.7

Comment 5 OBSbugzilla Bot 2022-05-11 12:40:06 UTC

This is an autogenerated message for OBS integration:
This bug (1199279) was mentioned in
https://build.opensuse.org/request/show/976280 Factory / slurm

Comment 6 Swamp Workflow Management 2022-05-16 13:39:21 UTC

SUSE-SU-2022:1666-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-20.11.9-150300.4.6.1
openSUSE Leap 15.3 (src):    slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP4 (src):    slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    slurm-20.11.9-150300.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2022-05-18 19:24:06 UTC

SUSE-SU-2022:1726-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_20_11-20.11.9-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-05-23 16:19:54 UTC

SUSE-SU-2022:1815-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm_20_11-20.11.9-150100.3.14.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm_20_11-20.11.9-150100.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-05-24 13:16:30 UTC

SUSE-SU-2022:1831-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_20_11-20.11.9-150200.6.10.1
openSUSE Leap 15.3 (src):    slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    slurm_20_11-20.11.9-150200.6.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Thomas Leroy 2022-08-12 07:31:44 UTC

Hi, we're still missing submissions for the following codestreams:
> Affected:
> - SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs          16.05.8.1
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm              17.02.11
> - SUSE:SLE-15:Update/slurm                              17.11.13
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08        18.08.9
> - SUSE:SLE-15-SP1:Update/slurm                          18.08.9
> - SUSE:SLE-15:Update/slurm_18_08                        18.08.9
> - SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02        20.02.7
> - SUSE:SLE-15-SP1:Update/slurm_20_02                    20.02.7
> - SUSE:SLE-15-SP2:Update/slurm                          20.02.7

Comment 11 Egbert Eich 2022-08-12 07:55:50 UTC

The fix has been back-ported, however, still requires testing. This testing is stalled at the moment as all of our infrastructure is down due to heat problems.

The changes were extensive, not localized and touched large parts of the code, thus, breakages in the back-ports are to be expected. 

Therefore we are not comfortable to ship any updates untested. However, without appropriate test hardware we are unable to proceed.

Please advise!

Comment 12 Thomas Leroy 2022-08-12 08:35:57 UTC

(In reply to Egbert Eich from comment #11)
> The fix has been back-ported, however, still requires testing. This testing
> is stalled at the moment as all of our infrastructure is down due to heat
> problems.
> 
> The changes were extensive, not localized and touched large parts of the
> code, thus, breakages in the back-ports are to be expected. 
> 
> Therefore we are not comfortable to ship any updates untested. However,
> without appropriate test hardware we are unable to proceed.
> 
> Please advise!

If you think you can rigorously test the backports once the infra is working, we can go with it, otherwise we can proceed with a version update, approved by an ECO.
But if you think properly testing will take too much time/complexity, the version update could be the easiest solution.
Technically speaking, could we update the affected codestreams to a version fixing this (and possibly other) CVE?

Comment 13 Egbert Eich 2022-08-12 11:47:50 UTC

We provide an upgrades - an upgrade is different from an update in that it will constitute a new code stream.
Slurm is nothing that you update simply by typing 'zypper patch' - it is a client server infrastructure with at least one server and a multitude of clients. There are strict version dependencies between the components, so to upgrade you will have to follow a strict order when updating individual components.
A version upgrade may provide a fix for the CVEs, however, this comes at a cost: you need to follow a specific routine to migrate and you may lose features that have been deprecated in the new version.
Therefore, it has been our goal to keep the old versions alive.
I believe we have updated the 20.11 code stream across all SPs already, thus the solution you propose exists already.

Comment 14 Thomas Leroy 2022-08-12 14:15:28 UTC

(In reply to Egbert Eich from comment #13)
> We provide an upgrades - an upgrade is different from an update in that it
> will constitute a new code stream.
> Slurm is nothing that you update simply by typing 'zypper patch' - it is a
> client server infrastructure with at least one server and a multitude of
> clients. There are strict version dependencies between the components, so to
> upgrade you will have to follow a strict order when updating individual
> components.
> A version upgrade may provide a fix for the CVEs, however, this comes at a
> cost: you need to follow a specific routine to migrate and you may lose
> features that have been deprecated in the new version.
> Therefore, it has been our goal to keep the old versions alive.
> I believe we have updated the 20.11 code stream across all SPs already, thus
> the solution you propose exists already.

Thanks for the clarification Egbert. I can see that slurm_20_11 has been fixed in every codestream (from 12-SP2 to 15-SP2), so creating a new slurm package with the last version shipped in the same codestream would pretty useless, right?
And since we can't do version upgrade for the older packages (like slurm_18_08), I guess we have no other choice than backporting. In this case, I think we have to  wait for the test infra to be ready...

Comment 15 Egbert Eich 2022-08-12 14:58:00 UTC

Well, if the user wanted to have the security update now, she could upgrade. This is what we would recommend if the backport was impossible. However, since I've done the backport already, it doesn't seem to be impossible - unless testing turns up something that I hadn't thought of.
We already found one issue in our testing - which I then fixed. There may be more.

Version upgrades from really old versions would be a bit more complicated as the database can only be migrated from two versions back. The user would have to do a multi step upgrade - at least for the database.

Comment 21 Egbert Eich 2022-09-24 09:46:33 UTC

Updates for Slurm 17.11 (SUSE:SLE-15:Update) and 17.02 (SUSE:SLE-12-SP2:GA:Products:Update) have just been pushed:
17.11 - SR#280673
17.02 - SR#280683
This concludes the series of updates.
We will not publish an update for libslurm 16.05 as this doesn't really make sense:
libslurm doesn't provide a library API only, it also provides a wire protocol. The latter has only limited backward compatibility and thus applications built against libslurm for Slurm 16.05 may not work. We have succeeded Slurm 16.05 by 17.02, thus anyone installing Slurm on SLE-12 service packs (or update it) will get 17.02.

We do not ship any package linking against libslurm from Slurm 16.08.
It should be release noted that users who use self-built software linking against this version (libslurm29) should rebuild their software.

Comment 23 Swamp Workflow Management 2022-09-28 16:20:32 UTC

SUSE-SU-2022:3454-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_18_08-18.08.9-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Swamp Workflow Management 2022-09-29 13:21:24 UTC

SUSE-SU-2022:3468-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-18.08.9-150100.3.22.1
openSUSE Leap 15.3 (src):    slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm-18.08.9-150100.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2022-09-29 13:24:50 UTC

SUSE-SU-2022:3462-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_18_08-18.08.9-150000.1.17.1
openSUSE Leap 15.3 (src):    slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    slurm_18_08-18.08.9-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 26 Swamp Workflow Management 2022-09-30 13:21:24 UTC

SUSE-SU-2022:3477-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_20_02-20.02.7-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 27 Swamp Workflow Management 2022-10-03 10:19:05 UTC

SUSE-SU-2022:3490-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-20.02.7-150200.3.14.2
openSUSE Leap 15.3 (src):    slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    slurm-20.02.7-150200.3.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 28 Swamp Workflow Management 2022-10-03 16:22:08 UTC

SUSE-SU-2022:3491-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_20_02-20.02.7-150100.3.24.1
openSUSE Leap 15.3 (src):    slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm_20_02-20.02.7-150100.3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 29 Swamp Workflow Management 2022-10-04 13:27:12 UTC

SUSE-SU-2022:3497-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm-17.02.11-6.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 30 Swamp Workflow Management 2022-10-06 13:30:43 UTC

SUSE-SU-2022:3535-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-17.11.13-150000.6.40.1
openSUSE Leap 15.3 (src):    slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    slurm-17.11.13-150000.6.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.