Slurm versions 22.05.11, 23.02.7, and 23.11.1 are now available (CVE-2023-49933 through CVE-2023-49938)
Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They’ve been assigned CVE-2023-49933 through CVE-2023-49938.
SchedMD customers were informed on November 29th and provided a patch on request. This process is documented in our security policy.
There are no mitigations available for these issues; the only option is to patch and restart the affected daemons.
Five issues were reported by Ryan Hall (Meta Red Team X):
- Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.) CVE-2023-49935
Permits an attacker to reuse root-level authentication tokens when interacting with the slurmd process, bypassing the RPC message hashes which protect against malicious MUNGE credential reuse.
- Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.) CVE-2023-49938
Permits an attacker to modify their extended group list used with the sbcast subsystem, and open files with an incorrect set of extended groups.
- Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.) CVE-2023-49936
Denial of service.
- Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.) CVE-2023-49937
Denial of service, potential for arbitrary code execution.
- Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.) CVE-2023-49933
Allows for malicious modification of RPC traffic that bypasses the message hash checks.
A sixth issue was discovered internally by SchedMD:
- SQL Injection. (Slurm 23.11.) CVE-2023-49934
Arbitrary SQL injection against SlurmDBD’s SQL database.
SchedMD only issues security fixes for the supported releases (currently 23.11, 23.02 and 22.05). Due to the complexity of these fixes, we do not recommend attempting to back-port the fixes to older releases, and strongly encourage sites to upgrade to fixed versions immediately.
Downloads are available here.
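A version triage built from the release and CVE lists above, as an added example that is not SchedMD's code: it maps a collected version line to the CVEs the advisory lists for that branch. It assumes each line looks like `slurm 23.02.6` (the form printed by `slurmd -V`); the function names and host names are hypothetical and the inventory is constructed.

```python
import re

# Fixed patch level for each supported branch, as listed in the advisory.
FIXED = {(22, 5): 11, (23, 2): 7, (23, 11): 1}

# Branches each CVE is listed against in the advisory.
AFFECTED = {
    "CVE-2023-49933": {(22, 5), (23, 2), (23, 11)},
    "CVE-2023-49934": {(23, 11)},
    "CVE-2023-49935": {(23, 2), (23, 11)},
    "CVE-2023-49936": {(22, 5), (23, 2), (23, 11)},
    "CVE-2023-49937": {(22, 5), (23, 2), (23, 11)},
    "CVE-2023-49938": {(22, 5), (23, 2)},
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def triage(version_output):
    """Return (status, cves) for one collected version line.

    status: "fixed", "vulnerable", "unsupported" (older than 22.05, no fix
    issued), "not-listed" (branch the advisory does not cover) or "unparsed".
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return "unparsed", []
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch not in FIXED:
        status = "unsupported" if branch < min(FIXED) else "not-listed"
        return status, []
    if patch >= FIXED[branch]:
        return "fixed", []
    return "vulnerable", sorted(c for c, b in AFFECTED.items() if branch in b)


def report(inventory):
    """Triage a {host: version line} mapping."""
    return {host: triage(line) for host, line in inventory.items()}


# Constructed inventory for illustration; host names are hypothetical.
SAMPLE = {"node01": "slurm 23.02.6", "node02": "slurm 23.11.1",
          "dbd01": "slurm 23.11.0", "old01": "slurm 21.08.8"}

if __name__ == "__main__":
    for host, (status, cves) in report(SAMPLE).items():
        print(f"{host}: {status} {' '.join(cves)}".rstrip())
```

A host reported as `unsupported` runs a branch for which no fixed release was issued, so the result says nothing about whether it is affected.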