[slurm-announce] Slurm versions 21.08.8 and 20.11.9 are now available (CVE-2022-29500, 29501, 29502)

Tim Wickberg tim at schedmd.com
Wed May 4 19:50:59 UTC 2022

Slurm versions 21.08.8 and 20.11.9 are now available to address a 
critical security issue with Slurm's authentication handling.

SchedMD customers were informed on April 20th and provided a patch on 
request; this process is documented in our security policy [1].

For SchedMD customers: please note that there are additional changes 
included in these releases to address recently reported problems with 
PMIx, and to fix communication issues between patched and unpatched 
slurmd processes.



An architectural flaw with how credentials are handled can be exploited 
to allow an unprivileged user to impersonate the SlurmUser account. 
Access to the SlurmUser account can be used to execute arbitrary 
processes as root.

This issue impacts all Slurm releases since at least Slurm 1.0.0.

Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd 
processes have been restarted in the cluster.

Once all daemons have been upgraded sites are encouraged to add 
"block_null_hash" to CommunicationParameters. That new option provides 
additional protection against a potential exploit.


An issue was discovered with a network RPC handler in the slurmd daemon 
used for PMI2 and PMIx support. This vulnerability could allow an 
unprivileged user to send data to an arbitrary unix socket on the host 
as the root user.


An issue was found with the I/O key validation logic in the srun client 
command that could permit an attacker to attach to the user's terminal, 
and intercept process I/O. (Slurm 21.08 only.)


Due to the severity of the CVE-2022-29500 issue, SchedMD has removed all 
prior Slurm releases from our download site.

SchedMD only issues security fixes for the supported releases (currently 
21.08 and 20.11). Due to the complexity of these fixes, we do not 
recommend attempting to backport the fixes to older releases, and 
strongly encourage sites to upgrade to fixed versions immediately.

Downloads are available at https://www.schedmd.com/downloads.php .

Release notes follow below.

- Tim

[1] https://www.schedmd.com/security.php

Tim Wickberg
Chief Technology Officer, SchedMD LLC
Commercial Slurm Development and Support

> * Changes in Slurm 21.08.8
> ==========================
>  -- openapi/dbv0.0.37 - fix slurmrestd fatal() when deleting an association.
>  -- Allow scontrol update <job> Gres=... to not require "gres:".
>  -- Fix inconsistent reboot message appending behavior.
>  -- Fix incorrect reason_time and reason_uid on reboot message.
>  -- Fix "scontrol reboot" clearing node reason on ResumeTimeout.
>  -- Fix ResumeTimeout error message missing when node already has reason set.
>  -- Avoid "running with local config" error when conf server is provided by DNS.
>  -- openapi/v0.0.37 - resolve job user name when not sent by slurmctld.
>  -- openapi/dbv0.0.37 - Correct OpenAPI specification for diag request.
>  -- Ignore power_down request when node is already powering down.
>  -- CVE-2022-29500 - Prevent credential abuse.
>  -- CVE-2022-29501 - Prevent abuse of REQUEST_FORWARD_DATA.
>  -- CVE-2022-29502 - Correctly validate io keys.

> * Changes in Slurm 20.11.9
> ==========================
>  -- burst_buffer - add missing common directory to the Makefile SUBDIRS.
>  -- sacct - fix truncation when printing jobidraw field.
>  -- GRES - Fix loading state of jobs using --gpus to request gpus.
>  -- Fix minor logic error in health check node state output
>  -- Fix GCC 11.1 compiler warnings.
>  -- Delay steps when memory already used instead of rejecting step request.
>  -- Fix memory leak in the slurmdbd when requesting wckeys from all clusters.
>  -- Fix determining if a reservation is used or not.
>  -- openapi/v0.0.35 - Honor kill_on_invalid_dependency as job parameter.
>  -- openapi/v0.0.36 - Honor kill_on_invalid_dependency as job parameter.
>  -- Fix various issues dealing with updates on magnetic reservations that could
>     lead to abort slurmctld.
>  -- openapi/v0.0.36 - Avoid setting default values of min_cpus, job name, cwd,
>     mail_type, and contiguous on job update.
>  -- openapi/v0.0.36 - Clear user hold on job update if hold=false.
>  -- Fix slurmctld segfault due to a bit_test() call with a MAINT+ANY_NODES
>     reservation NULL node_bitmap.
>  -- Fix slurmctld segfault due to a bit_copy() call with a REPLACE+ANY_NODES
>     reservation NULL node_bitmap.
>  -- Fix error in GPU frequency validation logic.
>  -- Fix error in pmix logic dealing with the incorrect size of buffer.
>  -- PMIx v1.1.4 and below are no longer supported.
>  -- Fix shutdown of slurmdbd plugin to correctly notice when the agent thread
>     finishes.
>  -- Fix slurmctld segfault due to job array --batch features double free.
>  -- CVE-2022-29500 - Prevent credential abuse.
>  -- CVE-2022-29501 - Prevent abuse of REQUEST_FORWARD_DATA.

More information about the slurm-announce mailing list