OSG-SEC-2021-05-18 Vulnerability in SLURM CVE-2021-31215
Dear OSG Security Contacts,
A vulnerability (CVE-2021-31215 [1]) was reported in Slurm that can allow any user to run arbitrary commands as SlurmUser if the installation uses a PrologSlurmctld and/or EpilogSlurmctld script.
The OSG Security Team considers this vulnerability to be of HIGH severity.
IMPACTED VERSIONS:
Versions before 20.02.7
Versions 20.03.x through 20.11.x before 20.11.7
WHAT ARE THE VULNERABILITIES:
According to the advisory [2], an issue in the handling of user-set environment variables passed to the PrologSlurmctld and EpilogSlurmctld scripts could allow any user able to submit jobs to run arbitrary commands as the SlurmUser.
WHAT YOU SHOULD DO:
Sites running Slurm are recommended to update to 20.02.7 or 20.11.7 (or later) [3] as soon as possible.
Note that if neither a PrologSlurmctld nor an EpilogSlurmctld script is configured in slurm.conf, there is no indication that this vulnerability is exploitable; sites should still update, since enabling either script later would expose an unpatched controller.
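The following script is an added example and is not part of the OSG advisory or of Slurm itself. It shows the two checks a site would run after reading the above: whether the installed version falls inside the affected ranges listed in this advisory, and whether slurm.conf actually sets PrologSlurmctld or EpilogSlurmctld. The function names, the slurm.conf path fallback and the sample configuration fragments are assumptions constructed for the example; the only Slurm commands relied on are scontrol -V for the version string and the slurm.conf key names quoted in the advisory.

```shell
#!/bin/sh
# Added example (not OSG or SchedMD code). Helper names are hypothetical.

# Strip leading zeros so "02" compares as 2 in shell arithmetic tests.
strip0() {
    s=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${s:-0}"
}

# Classify a version string ("20.11.5" or "slurm 20.11.5") against the
# ranges in the advisory: before 20.02.7, and 20.03.x..20.11.x before 20.11.7.
# Prints "vulnerable", "fixed" or "unknown" (unparsable input).
classify_version() {
    ver=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then echo unknown; return; fi
    set -- $ver
    major=$(strip0 "$1"); minor=$(strip0 "$2"); patch=$(strip0 "$3")
    if [ "$major" -lt 20 ] || { [ "$major" -eq 20 ] && [ "$minor" -lt 2 ]; }; then
        echo vulnerable                      # anything before 20.02
    elif [ "$major" -eq 20 ] && [ "$minor" -eq 2 ]; then
        if [ "$patch" -lt 7 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -eq 20 ] && [ "$minor" -lt 11 ]; then
        echo vulnerable                      # 20.03.x .. 20.10.x, no fixed release
    elif [ "$major" -eq 20 ] && [ "$minor" -eq 11 ]; then
        if [ "$patch" -lt 7 ]; then echo vulnerable; else echo fixed; fi
    else
        echo fixed                           # 21.x and later
    fi
}

# True (exit 0) if slurm.conf sets PrologSlurmctld or EpilogSlurmctld.
# Keys are case-insensitive; commented-out lines are ignored.
slurmctld_hooks_configured() {
    grep -Eiq '^[[:space:]]*(Prolog|Epilog)Slurmctld[[:space:]]*=' "$1"
}

# Constructed sample configs (not real site configs) so the example runs offline.
sample_conf_with_hooks() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed slurm.conf fragment for this example
ClusterName=example
SlurmUser=slurm
PrologSlurmctld=/etc/slurm/prolog_ctld.sh
#EpilogSlurmctld=/etc/slurm/epilog_ctld.sh
EOF
    echo "$f"
}
sample_conf_without_hooks() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed slurm.conf fragment for this example
ClusterName=example
SlurmUser=slurm
#PrologSlurmctld=/etc/slurm/prolog_ctld.sh
EOF
    echo "$f"
}

# Check the live host: version via scontrol -V, hooks via slurm.conf.
# The /etc/slurm/slurm.conf fallback path is an assumption; set SLURM_CONF if yours differs.
report_host() {
    conf=${SLURM_CONF:-/etc/slurm/slurm.conf}
    if command -v scontrol >/dev/null 2>&1; then
        ver=$(scontrol -V 2>/dev/null)
        echo "installed: $ver -> $(classify_version "$ver")"
    else
        echo "scontrol not found; cannot determine installed version"
    fi
    if [ -r "$conf" ]; then
        if slurmctld_hooks_configured "$conf"; then
            echo "$conf: PrologSlurmctld/EpilogSlurmctld set -> exploitable if version is vulnerable"
        else
            echo "$conf: no slurmctld prolog/epilog set -> no known exploit path; still update"
        fi
    fi
}

# Stand-alone demo on constructed inputs.
for v in "slurm 20.02.6" "20.02.7" "20.11.6" "slurm 20.11.7" "21.08.0" "19.05.8"; do
    echo "$v -> $(classify_version "$v")"
done
conf_a=$(sample_conf_with_hooks); conf_b=$(sample_conf_without_hooks)
if slurmctld_hooks_configured "$conf_a"; then echo "sample A: hooks configured"; fi
if ! slurmctld_hooks_configured "$conf_b"; then echo "sample B: hooks not configured"; fi
rm -f "$conf_a" "$conf_b"
```

Run report_host on a controller node to check the real installation. The grep deliberately ignores commented lines, which is the common mistake when sites "disable" a hook by commenting it out and then later assume it was never configured.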
REFERENCES:
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-31215
[2] https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html
[3] https://www.schedmd.com/downloads.php
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team