Bug 1218053 (CVE-2023-49938) - VUL-0: CVE-2023-49938: slurm,slurm_22_05,slurm_23_02: incorrect access control
Status: RESOLVED FIXED
Alias: CVE-2023-49938
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: HPC Issue Tracker
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/387991/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-49938:5.1:(AV:...
Reported: 2023-12-14 10:28 UTC by SMASH SMASH
Modified: 2024-02-05 05:26 UTC
Found By: Security Response Team
Description SMASH SMASH 2023-12-14 10:28:42 UTC
An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modify their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-49938
Comment 1 Gabriele Sonnu 2023-12-14 10:29:45 UTC
Upstream advisory:

https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html

Based on this, tracking as affected:

- SUSE:SLE-12-SP2:GA:Products:Update/slurm_22_05
- SUSE:SLE-15-SP1:Update/slurm_22_05
- SUSE:SLE-15-SP2:Update/slurm_22_05
- SUSE:SLE-15-SP3:Update/slurm_22_05

- SUSE:SLE-12-SP2:GA:Products:Update/slurm_23_02
- SUSE:SLE-15-SP1:Update/slurm_23_02
- SUSE:SLE-15-SP2:Update/slurm_23_02
- SUSE:SLE-15-SP3:Update/slurm_23_02

- openSUSE:Factory/slurm
- SUSE:SLE-15-SP4:Update/slurm
- SUSE:SLE-15-SP5:Update/slurm
Comment 2 OBSbugzilla Bot 2024-01-05 13:35:08 UTC
This is an autogenerated message for OBS integration:
This bug (1218053) was mentioned in
https://build.opensuse.org/request/show/1137045 Factory / slurm
Comment 5 Maintenance Automation 2024-01-31 08:30:01 UTC
SUSE-SU-2024:0280-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218049, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm_23_02-23.02.7-150300.7.17.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): slurm_23_02-23.02.7-150300.7.17.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): slurm_23_02-23.02.7-150300.7.17.1
openSUSE Leap 15.3 (src): slurm_23_02-23.02.7-150300.7.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2024-01-31 08:30:04 UTC
SUSE-SU-2024:0279-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
openSUSE Leap 15.3 (src): slurm-20.11.9-150300.4.12.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm-20.11.9-150300.4.12.1

Comment 7 Maintenance Automation 2024-01-31 08:30:07 UTC
SUSE-SU-2024:0278-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1216869, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
openSUSE Leap 15.5 (src): slurm_20_02-20.02.7-150100.3.30.1

Comment 8 Maintenance Automation 2024-01-31 12:30:07 UTC
SUSE-SU-2024:0289-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218049, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_23_02-23.02.7-150200.5.17.1

Comment 9 Maintenance Automation 2024-01-31 12:30:10 UTC
SUSE-SU-2024:0288-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
openSUSE Leap 15.5 (src): slurm_20_11-20.11.9-150200.6.16.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_20_11-20.11.9-150200.6.16.1

Comment 10 Maintenance Automation 2024-01-31 12:30:13 UTC
SUSE-SU-2024:0287-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1216869, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm-20.02.7-150200.3.20.1

Comment 11 Maintenance Automation 2024-01-31 12:30:15 UTC
SUSE-SU-2024:0286-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): slurm_22_05-22.05.11-150200.5.9.1

Comment 12 Maintenance Automation 2024-01-31 12:30:22 UTC
SUSE-SU-2024:0284-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218049, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 15-SP5 (src): slurm-23.02.7-150500.5.15.1
SUSE Package Hub 15 15-SP5 (src): slurm-23.02.7-150500.5.15.1
openSUSE Leap 15.5 (src): slurm-23.02.7-150500.5.15.1

Comment 13 Maintenance Automation 2024-01-31 12:30:26 UTC
SUSE-SU-2024:0283-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
openSUSE Leap 15.3 (src): slurm_22_05-22.05.11-150300.7.9.1
openSUSE Leap 15.5 (src): slurm_22_05-22.05.11-150300.7.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): slurm_22_05-22.05.11-150300.7.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): slurm_22_05-22.05.11-150300.7.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): slurm_22_05-22.05.11-150300.7.9.1

Comment 14 Maintenance Automation 2024-02-02 08:30:03 UTC
SUSE-SU-2024:0313-1: An update that solves five vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1216207, 1216869, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm_18_08-18.08.9-3.23.1

Comment 15 Maintenance Automation 2024-02-02 08:30:06 UTC
SUSE-SU-2024:0312-1: An update that solves five vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218049, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49935, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm_23_02-23.02.7-3.16.1

Comment 16 Maintenance Automation 2024-02-02 08:30:10 UTC
SUSE-SU-2024:0311-1: An update that solves four vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm_22_05-22.05.11-3.9.1

Comment 17 Maintenance Automation 2024-02-02 08:30:14 UTC
SUSE-SU-2024:0310-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1216869, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm_20_02-20.02.7-3.20.1

Comment 18 Maintenance Automation 2024-02-02 08:30:17 UTC
SUSE-SU-2024:0309-1: An update that solves five vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm_20_11-20.11.9-3.19.1

Comment 19 Maintenance Automation 2024-02-02 12:30:13 UTC
SUSE-SU-2024:0315-1: An update that solves four vulnerabilities can now be installed.

Category: security (important)
Bug References: 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
HPC Module 12 (src): slurm-17.02.11-6.59.1

Comment 20 Maintenance Automation 2024-02-02 12:30:17 UTC
SUSE-SU-2024:0314-1: An update that solves five vulnerabilities and has three security fixes can now be installed.

Category: security (important)
Bug References: 1208810, 1216207, 1216869, 1217711, 1218046, 1218050, 1218051, 1218053
CVE References: CVE-2023-41914, CVE-2023-49933, CVE-2023-49936, CVE-2023-49937, CVE-2023-49938
Sources used:
openSUSE Leap 15.4 (src): slurm-20.11.9-150400.3.3.1
SUSE Package Hub 15 15-SP5 (src): slurm-20.11.9-150400.3.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): slurm-20.11.9-150400.3.3.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): slurm-20.11.9-150400.3.3.1
