SUSE update for slurm_20_02



Published: 2022-10-03
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-29500
CVE-2022-29501
CVE-2022-31251
CWE-ID CWE-284
CWE-276
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SUSE Linux Enterprise High Performance Computing
Operating systems & Components / Operating system

openSUSE Leap
Operating systems & Components / Operating system

libslurm35-debuginfo
Operating systems & Components / Operating system package or component

libslurm35
Operating systems & Components / Operating system package or component

slurm_20_02-webdoc
Operating systems & Components / Operating system package or component

slurm_20_02-torque-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-torque
Operating systems & Components / Operating system package or component

slurm_20_02-sview-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-sview
Operating systems & Components / Operating system package or component

slurm_20_02-sql-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-sql
Operating systems & Components / Operating system package or component

slurm_20_02-slurmdbd-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-slurmdbd
Operating systems & Components / Operating system package or component

slurm_20_02-sjstat
Operating systems & Components / Operating system package or component

slurm_20_02-seff
Operating systems & Components / Operating system package or component

slurm_20_02-rest-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-rest
Operating systems & Components / Operating system package or component

slurm_20_02-plugins-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-plugins
Operating systems & Components / Operating system package or component

slurm_20_02-pam_slurm-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-pam_slurm
Operating systems & Components / Operating system package or component

slurm_20_02-openlava
Operating systems & Components / Operating system package or component

slurm_20_02-node-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-node
Operating systems & Components / Operating system package or component

slurm_20_02-munge-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-munge
Operating systems & Components / Operating system package or component

slurm_20_02-lua-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-lua
Operating systems & Components / Operating system package or component

slurm_20_02-hdf5-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-hdf5
Operating systems & Components / Operating system package or component

slurm_20_02-doc
Operating systems & Components / Operating system package or component

slurm_20_02-devel
Operating systems & Components / Operating system package or component

slurm_20_02-debugsource
Operating systems & Components / Operating system package or component

slurm_20_02-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-cray-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-cray
Operating systems & Components / Operating system package or component

slurm_20_02-config-man
Operating systems & Components / Operating system package or component

slurm_20_02-config
Operating systems & Components / Operating system package or component

slurm_20_02-auth-none-debuginfo
Operating systems & Components / Operating system package or component

slurm_20_02-auth-none
Operating systems & Components / Operating system package or component

slurm_20_02
Operating systems & Components / Operating system package or component

perl-slurm_20_02-debuginfo
Operating systems & Components / Operating system package or component

perl-slurm_20_02
Operating systems & Components / Operating system package or component

libpmi0_20_02-debuginfo
Operating systems & Components / Operating system package or component

libpmi0_20_02
Operating systems & Components / Operating system package or component

libnss_slurm2_20_02-debuginfo
Operating systems & Components / Operating system package or component

libnss_slurm2_20_02
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU62865

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29500

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can obtain sensitive information credentials for the SlurmUser account.

Mitigation

Update the affected package slurm_20_02 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm35-debuginfo: before 20.02.7-150100.3.24.1

libslurm35: before 20.02.7-150100.3.24.1

slurm_20_02-webdoc: before 20.02.7-150100.3.24.1

slurm_20_02-torque-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-torque: before 20.02.7-150100.3.24.1

slurm_20_02-sview-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sview: before 20.02.7-150100.3.24.1

slurm_20_02-sql-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sql: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd: before 20.02.7-150100.3.24.1

slurm_20_02-sjstat: before 20.02.7-150100.3.24.1

slurm_20_02-seff: before 20.02.7-150100.3.24.1

slurm_20_02-rest-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-rest: before 20.02.7-150100.3.24.1

slurm_20_02-plugins-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-plugins: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm: before 20.02.7-150100.3.24.1

slurm_20_02-openlava: before 20.02.7-150100.3.24.1

slurm_20_02-node-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-node: before 20.02.7-150100.3.24.1

slurm_20_02-munge-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-munge: before 20.02.7-150100.3.24.1

slurm_20_02-lua-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-lua: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5: before 20.02.7-150100.3.24.1

slurm_20_02-doc: before 20.02.7-150100.3.24.1

slurm_20_02-devel: before 20.02.7-150100.3.24.1

slurm_20_02-debugsource: before 20.02.7-150100.3.24.1

slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray: before 20.02.7-150100.3.24.1

slurm_20_02-config-man: before 20.02.7-150100.3.24.1

slurm_20_02-config: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none: before 20.02.7-150100.3.24.1

slurm_20_02: before 20.02.7-150100.3.24.1

perl-slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

perl-slurm_20_02: before 20.02.7-150100.3.24.1

libpmi0_20_02-debuginfo: before 20.02.7-150100.3.24.1

libpmi0_20_02: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02-debuginfo: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02: before 20.02.7-150100.3.24.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223491-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU62864

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-29501

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Update the affected package slurm_20_02 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm35-debuginfo: before 20.02.7-150100.3.24.1

libslurm35: before 20.02.7-150100.3.24.1

slurm_20_02-webdoc: before 20.02.7-150100.3.24.1

slurm_20_02-torque-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-torque: before 20.02.7-150100.3.24.1

slurm_20_02-sview-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sview: before 20.02.7-150100.3.24.1

slurm_20_02-sql-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sql: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd: before 20.02.7-150100.3.24.1

slurm_20_02-sjstat: before 20.02.7-150100.3.24.1

slurm_20_02-seff: before 20.02.7-150100.3.24.1

slurm_20_02-rest-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-rest: before 20.02.7-150100.3.24.1

slurm_20_02-plugins-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-plugins: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm: before 20.02.7-150100.3.24.1

slurm_20_02-openlava: before 20.02.7-150100.3.24.1

slurm_20_02-node-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-node: before 20.02.7-150100.3.24.1

slurm_20_02-munge-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-munge: before 20.02.7-150100.3.24.1

slurm_20_02-lua-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-lua: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5: before 20.02.7-150100.3.24.1

slurm_20_02-doc: before 20.02.7-150100.3.24.1

slurm_20_02-devel: before 20.02.7-150100.3.24.1

slurm_20_02-debugsource: before 20.02.7-150100.3.24.1

slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray: before 20.02.7-150100.3.24.1

slurm_20_02-config-man: before 20.02.7-150100.3.24.1

slurm_20_02-config: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none: before 20.02.7-150100.3.24.1

slurm_20_02: before 20.02.7-150100.3.24.1

perl-slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

perl-slurm_20_02: before 20.02.7-150100.3.24.1

libpmi0_20_02-debuginfo: before 20.02.7-150100.3.24.1

libpmi0_20_02: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02-debuginfo: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02: before 20.02.7-150100.3.24.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223491-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Incorrect default permissions

EUVDB-ID: #VU67719

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-31251

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions in slurm testsuite. A local user with access to the system can execute arbitrary code with root privileges.

Mitigation

Update the affected package slurm_20_02 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise High Performance Computing: 15-SP1-ESPOS - 15-SP1-LTSS

openSUSE Leap: 15.3 - 15.4

libslurm35-debuginfo: before 20.02.7-150100.3.24.1

libslurm35: before 20.02.7-150100.3.24.1

slurm_20_02-webdoc: before 20.02.7-150100.3.24.1

slurm_20_02-torque-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-torque: before 20.02.7-150100.3.24.1

slurm_20_02-sview-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sview: before 20.02.7-150100.3.24.1

slurm_20_02-sql-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-sql: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-slurmdbd: before 20.02.7-150100.3.24.1

slurm_20_02-sjstat: before 20.02.7-150100.3.24.1

slurm_20_02-seff: before 20.02.7-150100.3.24.1

slurm_20_02-rest-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-rest: before 20.02.7-150100.3.24.1

slurm_20_02-plugins-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-plugins: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-pam_slurm: before 20.02.7-150100.3.24.1

slurm_20_02-openlava: before 20.02.7-150100.3.24.1

slurm_20_02-node-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-node: before 20.02.7-150100.3.24.1

slurm_20_02-munge-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-munge: before 20.02.7-150100.3.24.1

slurm_20_02-lua-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-lua: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-hdf5: before 20.02.7-150100.3.24.1

slurm_20_02-doc: before 20.02.7-150100.3.24.1

slurm_20_02-devel: before 20.02.7-150100.3.24.1

slurm_20_02-debugsource: before 20.02.7-150100.3.24.1

slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-cray: before 20.02.7-150100.3.24.1

slurm_20_02-config-man: before 20.02.7-150100.3.24.1

slurm_20_02-config: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none-debuginfo: before 20.02.7-150100.3.24.1

slurm_20_02-auth-none: before 20.02.7-150100.3.24.1

slurm_20_02: before 20.02.7-150100.3.24.1

perl-slurm_20_02-debuginfo: before 20.02.7-150100.3.24.1

perl-slurm_20_02: before 20.02.7-150100.3.24.1

libpmi0_20_02-debuginfo: before 20.02.7-150100.3.24.1

libpmi0_20_02: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02-debuginfo: before 20.02.7-150100.3.24.1

libnss_slurm2_20_02: before 20.02.7-150100.3.24.1

External links

http://www.suse.com/support/update/announcement/2022/suse-su-20223491-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###