
cv-announce-l - [cv-announce-l] Slurm Privilege Escalation Vulnerability (CVE-15566)


cv-announce-l@list.iu.edu

Subject: cv alerts list

  • From: Warren Raquel <wraquel@illinois.edu>
  • To: <cv-announce@trustedci.org>
  • Subject: [cv-announce-l] Slurm Privilege Escalation Vulnerability (CVE-15566)
  • Date: Wed, 1 Nov 2017 17:26:54 -0500

CI Operators:

Slurm is a popular open-source HPC workload manager. Ryan Day (LLNL) reported
an issue that could allow any normal user to execute code as root during the
execution of the Prolog or Epilog. All systems using a Prolog or Epilog
script are vulnerable.

Affected Software:
All Slurm versions from 15.08.0 (August 2015) to present.


Mitigation:
The only mitigation presently is to disable both Prolog and Epilog settings
on your system and restart all slurmd processes.


Remediation:
Update to one of the following patched versions:
Slurm versions 16.05.11, 17.02.9 and 17.11.0rc2

Recommendation:
CTSC recommends patching as soon as possible and certainly within your next
maintenance cycle.

References:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15566
* https://www.schedmd.com/news.php?id=193#OPT_193

Acknowledgements:
We would like to thank the XSEDE Security Operations team for notifying us of
this issue.

How CTSC can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to each
cyberinfrastructure deployment. CTSC cannot provide a one-size-fits-all
severity rating and response recommendation for all NSF cyberinfrastructure.
Please contact us (http://trustedci.org/help/) if you need assistance with
assessing the potential impact of this vulnerability in your environment
and/or you have additional information about this issue that should be shared
with the community.

Attachment: signature.asc
Description: OpenPGP digital signature
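
The following triage helper is an added example, not part of the original advisory and not Slurm project code. It combines the affected and patched version lists above with a check for Prolog/Epilog lines in slurm.conf text. The function names, the sample config, and the treatment of branches newer than 17.11 as patched are assumptions.

```python
import re

# Patched releases listed in the advisory, keyed by branch: (micro, rc).
FIXED = {(16, 5): (11, None), (17, 2): (9, None), (17, 11): (0, 2)}
FIRST_AFFECTED = (15, 8, 0)
FINAL = float("inf")  # a final release sorts after any release candidate

def parse_version(text):
    """Parse 'YY.MM.N' or 'YY.MM.NrcK' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Slurm version: {text!r}")
    major, minor, micro, rc = m.groups()
    return (int(major), int(minor), int(micro), int(rc) if rc else FINAL)

def is_affected(version):
    v = parse_version(version)
    if v[:3] < FIRST_AFFECTED:
        return False
    if v[:2] in FIXED:
        micro, rc = FIXED[v[:2]]
        return v[2:] < (micro, FINAL if rc is None else rc)
    # Assumption: branches newer than 17.11 carry the fix. Older branches
    # with no patched release in the advisory (e.g. 15.08) stay affected.
    return v[:2] < (17, 11)

def hook_settings(conf_text):
    """Return the Prolog/Epilog values set in slurm.conf text (keys lowercased)."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        # Anchored: only the Prolog and Epilog keys the advisory names count.
        m = re.match(r"(prolog|epilog)\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def assess(version, conf_text):
    if not is_affected(version):
        return "not affected"
    if hook_settings(conf_text):
        return "exposed"   # disable Prolog/Epilog and restart slurmd, or upgrade
    return "upgrade"       # no hook configured, but the version is unpatched

# Constructed sample input, not taken from any real cluster.
SAMPLE_CONF = """Prolog=/etc/slurm/prolog.sh   # node prolog
#Epilog=/etc/slurm/epilog.sh
TaskProlog=/etc/slurm/task_prolog.sh
"""
```

For example, `assess("17.02.7", SAMPLE_CONF)` returns `"exposed"`. The parser does not follow files pulled in from other locations, so run it over every config file the node actually loads.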


