[slurm-users] CommunicationParameters=block_null_hash issue in 21.08.8
Ole Holm Nielsen
Ole.H.Nielsen at fysik.dtu.dk
Thu May 5 11:53:59 UTC 2022

Just a heads-up regarding setting CommunicationParameters=block_null_hash
in slurm.conf:

On 5/4/22 21:50, Tim Wickberg wrote:
> CVE-2022-29500:
>
> An architectural flaw with how credentials are handled can be exploited to
> allow an unprivileged user to impersonate the SlurmUser account. Access to
> the SlurmUser account can be used to execute arbitrary processes as root.
>
> This issue impacts all Slurm releases since at least Slurm 1.0.0.
>
> Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd
> processes have been restarted in the cluster.
>
> Once all daemons have been upgraded, sites are encouraged to add
> "block_null_hash" to CommunicationParameters. That new option provides
> additional protection against a potential exploit.

The block_null_hash option still needs to be documented in the slurm.conf
man-page. But in https://bugs.schedmd.com/show_bug.cgi?id=14002 I was
assured that it's OK to use it now.

I upgraded 21.08.7 to 21.08.8 using RPM packages while the cluster was
running production jobs. This is perhaps not recommended (see
https://slurm.schedmd.com/quickstart_admin.html#upgrade), but it worked
without a glitch also in this case.

However, when I defined CommunicationParameters=block_null_hash in
slurm.conf later today, I started getting RPC errors on the compute nodes
and in slurmctld when jobs were completing; see bug 14002.

I would recommend that sites hold off a bit on
CommunicationParameters=block_null_hash until we have found a resolution
in bug 14002. Draining all jobs from the cluster before setting this
parameter may be the safe approach(?).

/Ole
--
Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark