Slurm versions 23.02.6 and 22.05.10 are now available (CVE-2023-41914)
Slurm versions 23.02.6 and 22.05.10 are now available to address a number of filesystem race conditions that could let an attacker take control of an arbitrary file, or remove entire directories’ contents (CVE-2023-41914).
SchedMD customers were informed on September 27th and provided a patch on request; this process is documented in our security policy.
CVE-2023-41914:
A number of race conditions have been identified within the slurmd/slurmstepd processes that can lead to the user taking ownership of an arbitrary file on the system. A related issue can lead to the user overwriting an arbitrary file on the compute node (although with data that is not directly under their control). A related issue can also lead to the user deleting all files and sub-directories of an arbitrary target directory on the compute node.
Thank you to François Diakhate (CEA) for reporting the original issue to us. A number of related issues were found during an extensive audit of Slurm’s filesystem handling code in reaction to that report, and are included here in this same disclosure.
SchedMD only issues security fixes for the supported releases (currently 23.02 and 22.05). Due to the complexity of these fixes, we do not recommend attempting to backport the fixes to older releases, and strongly encourage sites to upgrade to fixed versions immediately.
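To find nodes that still need the upgrade, the following added example (not SchedMD code) classifies version strings, in the form printed by `slurmd -V`, against the two fixed releases named above. The host names and inventory are constructed sample data, and the status labels are this example's own.

```shell
#!/bin/sh
# Added example, not SchedMD code. Inventory below is constructed sample data.

# to_int N: strip leading zeros so "08" is not read as invalid octal.
to_int() { n=${1#"${1%%[!0]*}"}; echo "${n:-0}"; }

# classify_slurm_version VERSION
# Prints fixed | needs-upgrade | unsupported | not-covered | unknown.
# Accepts "23.02.5", "slurm 23.02.5" (as `slurmd -V` prints) or "23.02.5-1".
classify_slurm_version() (
    v=${1#"slurm "}; v=${v%%-*}          # drop prefix and packaging suffix
    case "$v" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*) echo unknown; exit 0 ;;
        *.*.*) ;;                        # exactly MAJOR.MINOR.MICRO
        *) echo unknown; exit 0 ;;
    esac
    major=$(to_int "${v%%.*}"); rest=${v#*.}
    minor=$(to_int "${rest%%.*}"); micro=$(to_int "${rest#*.}")
    series=$(($major * 100 + $minor))
    if [ "$series" -eq 2302 ]; then fixed_micro=6        # fixed in 23.02.6
    elif [ "$series" -eq 2205 ]; then fixed_micro=10     # fixed in 22.05.10
    elif [ "$series" -lt 2205 ]; then echo unsupported; exit 0   # no fix issued
    else echo not-covered; exit 0        # series not named in this advisory
    fi
    if [ "$micro" -ge "$fixed_micro" ]; then echo fixed; else echo needs-upgrade; fi
)

# audit_inventory: reads "HOST VERSION" lines on stdin and prints
# "HOST STATUS" for every host that is not on a fixed release.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(classify_slurm_version "$ver")
        [ "$status" = fixed ] || printf '%s %s\n' "$host" "$status"
    done
}

# Constructed sample: host name followed by that host's `slurmd -V` output.
sample_inventory() {
    cat <<'EOF'
node001 slurm 23.02.6
node002 slurm 23.02.5
node003 slurm 22.05.10
node004 slurm 22.05.9-1
node005 slurm 21.08.8
EOF
}

sample_inventory | audit_inventory
```

Replace `sample_inventory` with the collected `slurmd -V` output of the real compute nodes; any host reported as `unsupported` is on a release for which no fix is issued.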
Downloads are available here.