SUSE update for slurm_18_08



Published: 2022-09-30
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-29500
CVE-2022-29501
CVE-2022-31251
CWE-ID CWE-284
CWE-276
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

libslurm33-debuginfo
Operating systems & Components / Operating system package or component

libslurm33
Operating systems & Components / Operating system package or component

slurm_18_08-webdoc
Operating systems & Components / Operating system package or component

slurm_18_08-torque-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-torque
Operating systems & Components / Operating system package or component

slurm_18_08-sview-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-sview
Operating systems & Components / Operating system package or component

slurm_18_08-sql-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-sql
Operating systems & Components / Operating system package or component

slurm_18_08-slurmdbd-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-slurmdbd
Operating systems & Components / Operating system package or component

slurm_18_08-sjstat
Operating systems & Components / Operating system package or component

slurm_18_08-seff
Operating systems & Components / Operating system package or component

slurm_18_08-plugins-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-plugins
Operating systems & Components / Operating system package or component

slurm_18_08-pam_slurm-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-pam_slurm
Operating systems & Components / Operating system package or component

slurm_18_08-openlava
Operating systems & Components / Operating system package or component

slurm_18_08-node-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-node
Operating systems & Components / Operating system package or component

slurm_18_08-munge-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-munge
Operating systems & Components / Operating system package or component

slurm_18_08-lua-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-lua
Operating systems & Components / Operating system package or component

slurm_18_08-hdf5-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-hdf5
Operating systems & Components / Operating system package or component

slurm_18_08-doc
Operating systems & Components / Operating system package or component

slurm_18_08-devel
Operating systems & Components / Operating system package or component

slurm_18_08-debugsource
Operating systems & Components / Operating system package or component

slurm_18_08-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-cray-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-cray
Operating systems & Components / Operating system package or component

slurm_18_08-config-man
Operating systems & Components / Operating system package or component

slurm_18_08-config
Operating systems & Components / Operating system package or component

slurm_18_08-auth-none-debuginfo
Operating systems & Components / Operating system package or component

slurm_18_08-auth-none
Operating systems & Components / Operating system package or component

slurm_18_08
Operating systems & Components / Operating system package or component

perl-slurm_18_08-debuginfo
Operating systems & Components / Operating system package or component

perl-slurm_18_08
Operating systems & Components / Operating system package or component

libpmi0_18_08-debuginfo
Operating systems & Components / Operating system package or component

libpmi0_18_08
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU62865

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29500

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can obtain sensitive information credentials for the SlurmUser account.

Mitigation

Update the affected package slurm_18_08 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm33-debuginfo: before 18.08.9-150000.1.17.1

libslurm33: before 18.08.9-150000.1.17.1

slurm_18_08-webdoc: before 18.08.9-150000.1.17.1

slurm_18_08-torque-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-torque: before 18.08.9-150000.1.17.1

slurm_18_08-sview-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sview: before 18.08.9-150000.1.17.1

slurm_18_08-sql-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sql: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd: before 18.08.9-150000.1.17.1

slurm_18_08-sjstat: before 18.08.9-150000.1.17.1

slurm_18_08-seff: before 18.08.9-150000.1.17.1

slurm_18_08-plugins-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-plugins: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm: before 18.08.9-150000.1.17.1

slurm_18_08-openlava: before 18.08.9-150000.1.17.1

slurm_18_08-node-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-node: before 18.08.9-150000.1.17.1

slurm_18_08-munge-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-munge: before 18.08.9-150000.1.17.1

slurm_18_08-lua-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-lua: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5: before 18.08.9-150000.1.17.1

slurm_18_08-doc: before 18.08.9-150000.1.17.1

slurm_18_08-devel: before 18.08.9-150000.1.17.1

slurm_18_08-debugsource: before 18.08.9-150000.1.17.1

slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray: before 18.08.9-150000.1.17.1

slurm_18_08-config-man: before 18.08.9-150000.1.17.1

slurm_18_08-config: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none: before 18.08.9-150000.1.17.1

slurm_18_08: before 18.08.9-150000.1.17.1

perl-slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

perl-slurm_18_08: before 18.08.9-150000.1.17.1

libpmi0_18_08-debuginfo: before 18.08.9-150000.1.17.1

libpmi0_18_08: before 18.08.9-150000.1.17.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223462-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU62864

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29501

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Update the affected package slurm_18_08 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm33-debuginfo: before 18.08.9-150000.1.17.1

libslurm33: before 18.08.9-150000.1.17.1

slurm_18_08-webdoc: before 18.08.9-150000.1.17.1

slurm_18_08-torque-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-torque: before 18.08.9-150000.1.17.1

slurm_18_08-sview-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sview: before 18.08.9-150000.1.17.1

slurm_18_08-sql-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sql: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd: before 18.08.9-150000.1.17.1

slurm_18_08-sjstat: before 18.08.9-150000.1.17.1

slurm_18_08-seff: before 18.08.9-150000.1.17.1

slurm_18_08-plugins-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-plugins: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm: before 18.08.9-150000.1.17.1

slurm_18_08-openlava: before 18.08.9-150000.1.17.1

slurm_18_08-node-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-node: before 18.08.9-150000.1.17.1

slurm_18_08-munge-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-munge: before 18.08.9-150000.1.17.1

slurm_18_08-lua-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-lua: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5: before 18.08.9-150000.1.17.1

slurm_18_08-doc: before 18.08.9-150000.1.17.1

slurm_18_08-devel: before 18.08.9-150000.1.17.1

slurm_18_08-debugsource: before 18.08.9-150000.1.17.1

slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray: before 18.08.9-150000.1.17.1

slurm_18_08-config-man: before 18.08.9-150000.1.17.1

slurm_18_08-config: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none: before 18.08.9-150000.1.17.1

slurm_18_08: before 18.08.9-150000.1.17.1

perl-slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

perl-slurm_18_08: before 18.08.9-150000.1.17.1

libpmi0_18_08-debuginfo: before 18.08.9-150000.1.17.1

libpmi0_18_08: before 18.08.9-150000.1.17.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223462-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Incorrect default permissions

EUVDB-ID: #VU67719

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31251

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions in slurm testsuite. A local user with access to the system can execute arbitrary code with root privileges.

Mitigation

Update the affected package slurm_18_08 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-ESPOS - 15-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm33-debuginfo: before 18.08.9-150000.1.17.1

libslurm33: before 18.08.9-150000.1.17.1

slurm_18_08-webdoc: before 18.08.9-150000.1.17.1

slurm_18_08-torque-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-torque: before 18.08.9-150000.1.17.1

slurm_18_08-sview-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sview: before 18.08.9-150000.1.17.1

slurm_18_08-sql-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-sql: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-slurmdbd: before 18.08.9-150000.1.17.1

slurm_18_08-sjstat: before 18.08.9-150000.1.17.1

slurm_18_08-seff: before 18.08.9-150000.1.17.1

slurm_18_08-plugins-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-plugins: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-pam_slurm: before 18.08.9-150000.1.17.1

slurm_18_08-openlava: before 18.08.9-150000.1.17.1

slurm_18_08-node-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-node: before 18.08.9-150000.1.17.1

slurm_18_08-munge-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-munge: before 18.08.9-150000.1.17.1

slurm_18_08-lua-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-lua: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-hdf5: before 18.08.9-150000.1.17.1

slurm_18_08-doc: before 18.08.9-150000.1.17.1

slurm_18_08-devel: before 18.08.9-150000.1.17.1

slurm_18_08-debugsource: before 18.08.9-150000.1.17.1

slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-cray: before 18.08.9-150000.1.17.1

slurm_18_08-config-man: before 18.08.9-150000.1.17.1

slurm_18_08-config: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none-debuginfo: before 18.08.9-150000.1.17.1

slurm_18_08-auth-none: before 18.08.9-150000.1.17.1

slurm_18_08: before 18.08.9-150000.1.17.1

perl-slurm_18_08-debuginfo: before 18.08.9-150000.1.17.1

perl-slurm_18_08: before 18.08.9-150000.1.17.1

libpmi0_18_08-debuginfo: before 18.08.9-150000.1.17.1

libpmi0_18_08: before 18.08.9-150000.1.17.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223462-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###