Bug 1199278 – VUL-0: CVE-2022-29500: slurm_20_02,slurm_18_08,slurm_20_11,slurm,slurmlibs: architectural flaw can be exploited to allow an unprivileged user to execute arbitrary processes as root

Bug 1199278 - (CVE-2022-29500) VUL-0: CVE-2022-29500: slurm_20_02,slurm_18_08,slurm_20_11,slurm,slurmlibs: architectural flaw can be exploited to allow an unprivileged user to execute arbitrary processes as root

(CVE-2022-29500)
Summary:	VUL-0: CVE-2022-29500: slurm_20_02,slurm_18_08,slurm_20_11,slurm,slurmlibs: a...

Status:	IN_PROGRESS

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P1 - Urgent Severity: Critical
Target Milestone:	---
Assigned To:	HPC Issue Tracker
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/330835/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-29500:8.8:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-05-06 12:08 UTC by Hu
Modified:	2022-11-04 15:10 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hu 2022-05-06 12:08:02 UTC

rh#2082284

An architectural flaw with how credentials are handled can be exploited 
to allow an unprivileged user to impersonate the SlurmUser account. 
Access to the SlurmUser account can be used to execute arbitrary 
processes as root.

This issue impacts all Slurm releases since at least Slurm 1.0.0.

Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd 
processes have been restarted in the cluster.

Once all daemons have been upgraded sites are encouraged to add 
"block_null_hash" to CommunicationParameters. That new option provides 
additional protection against a potential exploit.

https://lists.schedmd.com/pipermail/slurm-announce/2022/000072.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2082284
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29500
https://www.schedmd.com/news.php?id=260
https://lists.schedmd.com/pipermail/slurm-announce/
https://www.schedmd.com/news.php

Comment 1 Hu 2022-05-06 12:10:29 UTC

Affected:
- SUSE:SLE-12-SP2:GA:Products:Update/slurmlibs          16.05.8.1
- SUSE:SLE-12-SP2:GA:Products:Update/slurm              17.02.11
- SUSE:SLE-15:Update/slurm                              17.11.13
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_18_08        18.08.9
- SUSE:SLE-15-SP1:Update/slurm                          18.08.9
- SUSE:SLE-15:Update/slurm_18_08                        18.08.9
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_02        20.02.7
- SUSE:SLE-15-SP1:Update/slurm_20_02                    20.02.7
- SUSE:SLE-15-SP2:Update/slurm                          20.02.7
- openSUSE:Backports:SLE-15-SP3/slurm                   20.11.5
- SUSE:SLE-12-SP2:GA:Products:Update/slurm_20_11        20.11.7
- SUSE:SLE-15-SP2:Update/slurm_20_11                    20.11.7
- SUSE:SLE-15-SP1:Update/slurm_20_11                    20.11.7
- SUSE:SLE-15-SP3:Update/slurm                          20.11.7
- openSUSE:Factory/slurm                                21.08.7

Comment 5 OBSbugzilla Bot 2022-05-11 12:40:04 UTC

This is an autogenerated message for OBS integration:
This bug (1199278) was mentioned in
https://build.opensuse.org/request/show/976280 Factory / slurm

Comment 6 Swamp Workflow Management 2022-05-16 13:39:17 UTC

SUSE-SU-2022:1666-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-20.11.9-150300.4.6.1
openSUSE Leap 15.3 (src):    slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP4 (src):    slurm-20.11.9-150300.4.6.1
SUSE Linux Enterprise Module for HPC 15-SP3 (src):    slurm-20.11.9-150300.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2022-05-18 19:24:01 UTC

SUSE-SU-2022:1726-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_20_11-20.11.9-3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-05-23 16:19:49 UTC

SUSE-SU-2022:1815-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm_20_11-20.11.9-150100.3.14.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm_20_11-20.11.9-150100.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-05-24 13:16:25 UTC

SUSE-SU-2022:1831-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279
CVE References: CVE-2022-29500,CVE-2022-29501
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_20_11-20.11.9-150200.6.10.1
openSUSE Leap 15.3 (src):    slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    slurm_20_11-20.11.9-150200.6.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    slurm_20_11-20.11.9-150200.6.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Egbert Eich 2022-07-22 10:19:51 UTC

Gabriele, we have been working on these backports - they are hefty and require thorough testing.
Presently, we are blocked by the server room outages where the machines live we need for testing.

Comment 16 Egbert Eich 2022-09-24 09:46:29 UTC

Updates for Slurm 17.11 (SUSE:SLE-15:Update) and 17.02 (SUSE:SLE-12-SP2:GA:Products:Update) have just been pushed:
17.11 - SR#280673
17.02 - SR#280683
This concludes the series of updates.
We will not publish an update for libslurm 16.05 as this doesn't really make sense:
libslurm doesn't provide a library API only, it also provides a wire protocol. The latter has only limited backward compatibility and thus applications built against libslurm for Slurm 16.05 may not work. We have succeeded Slurm 16.05 by 17.02, thus anyone installing Slurm on SLE-12 service packs (or update it) will get 17.02.

We do not ship any package linking against libslurm from Slurm 16.08.
It should be release noted that users who use self-built software linking against this version (libslurm29) should rebuild their software.

Comment 18 Swamp Workflow Management 2022-09-28 16:20:27 UTC

SUSE-SU-2022:3454-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_18_08-18.08.9-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Swamp Workflow Management 2022-09-29 13:21:19 UTC

SUSE-SU-2022:3468-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-18.08.9-150100.3.22.1
openSUSE Leap 15.3 (src):    slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm-18.08.9-150100.3.22.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm-18.08.9-150100.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 20 Swamp Workflow Management 2022-09-29 13:24:46 UTC

SUSE-SU-2022:3462-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_18_08-18.08.9-150000.1.17.1
openSUSE Leap 15.3 (src):    slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    slurm_18_08-18.08.9-150000.1.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    slurm_18_08-18.08.9-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 21 Swamp Workflow Management 2022-09-30 13:21:19 UTC

SUSE-SU-2022:3477-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm_20_02-20.02.7-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 22 Swamp Workflow Management 2022-10-03 10:19:01 UTC

SUSE-SU-2022:3490-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-20.02.7-150200.3.14.2
openSUSE Leap 15.3 (src):    slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    slurm-20.02.7-150200.3.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    slurm-20.02.7-150200.3.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 23 Swamp Workflow Management 2022-10-03 16:22:03 UTC

SUSE-SU-2022:3491-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1186646,1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm_20_02-20.02.7-150100.3.24.1
openSUSE Leap 15.3 (src):    slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    slurm_20_02-20.02.7-150100.3.24.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    slurm_20_02-20.02.7-150100.3.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 24 Swamp Workflow Management 2022-10-04 13:27:07 UTC

SUSE-SU-2022:3497-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    slurm-17.02.11-6.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 25 Swamp Workflow Management 2022-10-06 13:30:37 UTC

SUSE-SU-2022:3535-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1199278,1199279,1201674
CVE References: CVE-2022-29500,CVE-2022-29501,CVE-2022-31251
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    slurm-17.11.13-150000.6.40.1
openSUSE Leap 15.3 (src):    slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    slurm-17.11.13-150000.6.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    slurm-17.11.13-150000.6.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.