[slurm-users] CommunicationParameters=block_null_hash issue in 21.08.8

Ole Holm Nielsen Ole.H.Nielsen at fysik.dtu.dk
Thu May 5 11:53:59 UTC 2022

Just a heads-up regarding setting CommunicationParameters=block_null_hash 
in slurm.conf:

On 5/4/22 21:50, Tim Wickberg wrote:
> CVE-2022-29500:
> An architectural flaw with how credentials are handled can be exploited to 
> allow an unprivileged user to impersonate the SlurmUser account. Access to 
> the SlurmUser account can be used to execute arbitrary processes as root.
> This issue impacts all Slurm releases since at least Slurm 1.0.0.
> Systems remain vulnerable until all slurmdbd, slurmctld, and slurmd 
> processes have been restarted in the cluster.
> Once all daemons have been upgraded sites are encouraged to add 
> "block_null_hash" to CommunicationParameters. That new option provides 
> additional protection against a potential exploit.

The block_null_hash still needs to be documented in the slurm.conf 
man-page.  But in https://bugs.schedmd.com/show_bug.cgi?id=14002 I was 
assured that it's OK to use it now.

I upgraded 21.08.7 to 21.08.8 using RPM packages while the cluster was 
running production jobs.  This is perhaps not recommended (see 
https://slurm.schedmd.com/quickstart_admin.html#upgrade), but it also worked 
without a glitch in this case.

However, when I defined CommunicationParameters=block_null_hash in 
slurm.conf later today, I started getting RPC errors on the compute nodes 
and in slurmctld when jobs were completing, see bug 14002.

I would recommend that sites hold off a bit on 
CommunicationParameters=block_null_hash until we have found a resolution 
in bug 14002.  Draining all jobs from the cluster before setting this 
parameter may be the safe approach(?).


Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark
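As an added example (not part of Ole's post or of Slurm itself), a pre-flight check for the two conditions the thread raises before enabling block_null_hash: every slurmd reports the upgraded version, and no jobs remain to be drained. It assumes `sinfo -h -N -o '%N %v'` prints one "node slurmd-version" line per node and `squeue -h -t RUNNING,PENDING -o '%i'` lists outstanding job ids; the version string 21.08.8 is taken from the post.

```shell
#!/bin/sh
# Added example: readiness check before adding
# CommunicationParameters=block_null_hash to slurm.conf.
# Assumption: node/version lines come from 'sinfo -h -N -o "%N %v"',
# job ids from 'squeue -h -t RUNNING,PENDING -o "%i"'.

EXPECTED_VERSION="21.08.8"   # version from the post; adjust for your site

# Print the names of nodes whose slurmd version differs from $1.
# Reads "node version" lines on stdin.
stale_nodes() {
    awk -v want="$1" 'NF >= 2 && $2 != want { print $1 }'
}

# $1: sinfo node/version output, $2: squeue job-id output (one per line).
# Returns 0 when all slurmd are at EXPECTED_VERSION and no jobs are
# outstanding; otherwise prints the blocking reason and returns 1.
ready_for_block_null_hash() {
    versions="$1"
    jobs="$2"
    if [ -z "$versions" ]; then
        echo "no slurmd version data; is sinfo available?"
        return 1
    fi
    stale=$(printf '%s\n' "$versions" | stale_nodes "$EXPECTED_VERSION")
    if [ -n "$stale" ]; then
        # slurmd on these nodes has not been restarted on the new release
        printf 'slurmd not yet at %s on: %s\n' "$EXPECTED_VERSION" \
            "$(printf '%s\n' "$stale" | tr '\n' ' ')"
        return 1
    fi
    if [ -n "$jobs" ]; then
        # jobs still present: drain them first, as suggested in the thread
        printf '%d job(s) still outstanding; drain the cluster first\n' \
            "$(printf '%s\n' "$jobs" | grep -c .)"
        return 1
    fi
    echo "all slurmd at $EXPECTED_VERSION and no jobs outstanding"
    return 0
}

# Live use on a node with the Slurm client tools installed:
# ready_for_block_null_hash "$(sinfo -h -N -o '%N %v')" \
#     "$(squeue -h -t RUNNING,PENDING -o '%i')"
```

The live call is commented out so the script can be sourced and tested offline; running it against a cluster only reads state and changes nothing.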
