OSG-SEC-2018-03-27 SLURM Vulnerability
Dear OSG Security Contacts,
A critical vulnerability, tracked as CVE-2018-7033, was reported in Slurm; it allows SQL injection attacks against the SlurmDBD component.
IMPACTED VERSIONS:
SLURM versions 17.11.5 and 17.02.10 were released on March 15th 2018 with a fix for this vulnerability. All previous versions are considered to be vulnerable.
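The following script, added to this advisory as an example and not part of the original notice or of Slurm itself, classifies Slurm version strings against the fixed releases named above so that a site can check its SlurmDBD hosts. It assumes that `slurmdbd -V` prints a line of the form "slurm 17.11.5", that release lines newer than 17.11 already carry the fix, and that any older line is vulnerable as the advisory states; the host names and version strings in the sample are constructed.

```python
import re
import subprocess

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED_IN = {(17, 2): (17, 2, 10), (17, 11): (17, 11, 5)}
NEWEST_FIXED_LINE = (17, 11)


def parse_slurm_version(text):
    """Extract (major, minor, patch) from strings such as 'slurm 17.11.4'
    or '17.02.10-1'; packaging suffixes are ignored. Returns None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this Slurm version predates the fix for CVE-2018-7033.
    Assumption: release lines newer than 17.11 ship with the fix."""
    line = version[:2]
    if line in FIXED_IN:
        return version < FIXED_IN[line]
    # Every line older than the newest fixed line is vulnerable per the advisory.
    return line < NEWEST_FIXED_LINE


def assess(text):
    """Classify one version string as 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_slurm_version(text)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "fixed"


def installed_version_output():
    """Run 'slurmdbd -V' (assumed to print e.g. 'slurm 17.11.5'); None if absent."""
    try:
        done = subprocess.run(["slurmdbd", "-V"], capture_output=True, text=True, timeout=10)
        return done.stdout
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    # Constructed sample output, as if collected from several SlurmDBD hosts.
    samples = {"db01": "slurm 17.11.4", "db02": "slurm 17.02.10-1",
               "db03": "slurm 16.05.8", "db04": "slurm 18.08.1"}
    live = installed_version_output()
    if live:
        samples["localhost"] = live.strip()
    for host, out in samples.items():
        print(f"{host}: {out!r} -> {assess(out)}")
```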
WHAT IS THE VULNERABILITY:
"Several issues were discovered with incomplete sanitization of user-provided text strings, which could potentially lead to SQL injection attacks against SlurmDBD itself. Such exploits could lead to a loss of accounting data, or escalation of user privileges on the cluster." [1]
WHAT YOU SHOULD DO:
- Sites running SLURM should update to the current fixed versions as soon as possible if they have not already done so.
- As stated in the security advisory by the software vendor: "The only safe mitigation, aside from installing these updated versions, is to disable SlurmDBD on your system." [1]
RELATED LINKS
- https://ticket.grid.iu.edu/36596
REFERENCES
- [1] https://www.schedmd.com/news.php?id=201#OPT_201
Please contact the OSG security team immediately at [email protected] if you have any questions or concerns.
OSG Security Team