SUSE update for slurm_18_08
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-29500 CVE-2022-29501 CVE-2022-31251 |
| CWE-ID | CWE-284 CWE-276 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Module for HPC Operating systems & Components / Operating system slurm_18_08-torque-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-torque Operating systems & Components / Operating system package or component slurm_18_08-sql-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-sql Operating systems & Components / Operating system package or component slurm_18_08-slurmdbd-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-slurmdbd Operating systems & Components / Operating system package or component slurm_18_08-plugins-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-plugins Operating systems & Components / Operating system package or component slurm_18_08-pam_slurm-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-pam_slurm Operating systems & Components / Operating system package or component slurm_18_08-node-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-node Operating systems & Components / Operating system package or component slurm_18_08-munge-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-munge Operating systems & Components / Operating system package or component slurm_18_08-lua-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-lua Operating systems & Components / Operating system package or component slurm_18_08-doc Operating systems & Components / Operating system package or component slurm_18_08-devel Operating systems & Components / Operating system package or component slurm_18_08-debugsource Operating systems & Components / Operating system package or component slurm_18_08-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-config Operating systems & Components / Operating system package or component slurm_18_08-auth-none-debuginfo Operating systems & Components / Operating system package or component slurm_18_08-auth-none Operating systems & Components / Operating system package or component slurm_18_08 Operating systems & Components / Operating system package or component perl-slurm_18_08-debuginfo Operating systems & Components / Operating system package or component perl-slurm_18_08 Operating systems & Components / Operating system package or component libslurm33-debuginfo Operating systems & Components / Operating system package or component libslurm33 Operating systems & Components / Operating system package or component libpmi0_18_08-debuginfo Operating systems & Components / Operating system package or component libpmi0_18_08 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU62865
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-29500
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can obtain sensitive information credentials for the SlurmUser account.
MitigationUpdate the affected package slurm_18_08 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for HPC: 12
slurm_18_08-torque-debuginfo: before 18.08.9-3.17.1
slurm_18_08-torque: before 18.08.9-3.17.1
slurm_18_08-sql-debuginfo: before 18.08.9-3.17.1
slurm_18_08-sql: before 18.08.9-3.17.1
slurm_18_08-slurmdbd-debuginfo: before 18.08.9-3.17.1
slurm_18_08-slurmdbd: before 18.08.9-3.17.1
slurm_18_08-plugins-debuginfo: before 18.08.9-3.17.1
slurm_18_08-plugins: before 18.08.9-3.17.1
slurm_18_08-pam_slurm-debuginfo: before 18.08.9-3.17.1
slurm_18_08-pam_slurm: before 18.08.9-3.17.1
slurm_18_08-node-debuginfo: before 18.08.9-3.17.1
slurm_18_08-node: before 18.08.9-3.17.1
slurm_18_08-munge-debuginfo: before 18.08.9-3.17.1
slurm_18_08-munge: before 18.08.9-3.17.1
slurm_18_08-lua-debuginfo: before 18.08.9-3.17.1
slurm_18_08-lua: before 18.08.9-3.17.1
slurm_18_08-doc: before 18.08.9-3.17.1
slurm_18_08-devel: before 18.08.9-3.17.1
slurm_18_08-debugsource: before 18.08.9-3.17.1
slurm_18_08-debuginfo: before 18.08.9-3.17.1
slurm_18_08-config: before 18.08.9-3.17.1
slurm_18_08-auth-none-debuginfo: before 18.08.9-3.17.1
slurm_18_08-auth-none: before 18.08.9-3.17.1
slurm_18_08: before 18.08.9-3.17.1
perl-slurm_18_08-debuginfo: before 18.08.9-3.17.1
perl-slurm_18_08: before 18.08.9-3.17.1
libslurm33-debuginfo: before 18.08.9-3.17.1
libslurm33: before 18.08.9-3.17.1
libpmi0_18_08-debuginfo: before 18.08.9-3.17.1
libpmi0_18_08: before 18.08.9-3.17.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_hpc:12:*:*:*:*:*:*:*
- cpe:2.3:a:suse:slurm_18_08-torque-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-torque:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-config:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2022/suse-su-20223454-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU62864
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-29501
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationUpdate the affected package slurm_18_08 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for HPC: 12
slurm_18_08-torque-debuginfo: before 18.08.9-3.17.1
slurm_18_08-torque: before 18.08.9-3.17.1
slurm_18_08-sql-debuginfo: before 18.08.9-3.17.1
slurm_18_08-sql: before 18.08.9-3.17.1
slurm_18_08-slurmdbd-debuginfo: before 18.08.9-3.17.1
slurm_18_08-slurmdbd: before 18.08.9-3.17.1
slurm_18_08-plugins-debuginfo: before 18.08.9-3.17.1
slurm_18_08-plugins: before 18.08.9-3.17.1
slurm_18_08-pam_slurm-debuginfo: before 18.08.9-3.17.1
slurm_18_08-pam_slurm: before 18.08.9-3.17.1
slurm_18_08-node-debuginfo: before 18.08.9-3.17.1
slurm_18_08-node: before 18.08.9-3.17.1
slurm_18_08-munge-debuginfo: before 18.08.9-3.17.1
slurm_18_08-munge: before 18.08.9-3.17.1
slurm_18_08-lua-debuginfo: before 18.08.9-3.17.1
slurm_18_08-lua: before 18.08.9-3.17.1
slurm_18_08-doc: before 18.08.9-3.17.1
slurm_18_08-devel: before 18.08.9-3.17.1
slurm_18_08-debugsource: before 18.08.9-3.17.1
slurm_18_08-debuginfo: before 18.08.9-3.17.1
slurm_18_08-config: before 18.08.9-3.17.1
slurm_18_08-auth-none-debuginfo: before 18.08.9-3.17.1
slurm_18_08-auth-none: before 18.08.9-3.17.1
slurm_18_08: before 18.08.9-3.17.1
perl-slurm_18_08-debuginfo: before 18.08.9-3.17.1
perl-slurm_18_08: before 18.08.9-3.17.1
libslurm33-debuginfo: before 18.08.9-3.17.1
libslurm33: before 18.08.9-3.17.1
libpmi0_18_08-debuginfo: before 18.08.9-3.17.1
libpmi0_18_08: before 18.08.9-3.17.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_hpc:12:*:*:*:*:*:*:*
- cpe:2.3:a:suse:slurm_18_08-torque-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-torque:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-config:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2022/suse-su-20223454-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Incorrect default permissions
EUVDB-ID: #VU67719
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-31251
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in slurm testsuite. A local user with access to the system can execute arbitrary code with root privileges.
MitigationUpdate the affected package slurm_18_08 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Module for HPC: 12
slurm_18_08-torque-debuginfo: before 18.08.9-3.17.1
slurm_18_08-torque: before 18.08.9-3.17.1
slurm_18_08-sql-debuginfo: before 18.08.9-3.17.1
slurm_18_08-sql: before 18.08.9-3.17.1
slurm_18_08-slurmdbd-debuginfo: before 18.08.9-3.17.1
slurm_18_08-slurmdbd: before 18.08.9-3.17.1
slurm_18_08-plugins-debuginfo: before 18.08.9-3.17.1
slurm_18_08-plugins: before 18.08.9-3.17.1
slurm_18_08-pam_slurm-debuginfo: before 18.08.9-3.17.1
slurm_18_08-pam_slurm: before 18.08.9-3.17.1
slurm_18_08-node-debuginfo: before 18.08.9-3.17.1
slurm_18_08-node: before 18.08.9-3.17.1
slurm_18_08-munge-debuginfo: before 18.08.9-3.17.1
slurm_18_08-munge: before 18.08.9-3.17.1
slurm_18_08-lua-debuginfo: before 18.08.9-3.17.1
slurm_18_08-lua: before 18.08.9-3.17.1
slurm_18_08-doc: before 18.08.9-3.17.1
slurm_18_08-devel: before 18.08.9-3.17.1
slurm_18_08-debugsource: before 18.08.9-3.17.1
slurm_18_08-debuginfo: before 18.08.9-3.17.1
slurm_18_08-config: before 18.08.9-3.17.1
slurm_18_08-auth-none-debuginfo: before 18.08.9-3.17.1
slurm_18_08-auth-none: before 18.08.9-3.17.1
slurm_18_08: before 18.08.9-3.17.1
perl-slurm_18_08-debuginfo: before 18.08.9-3.17.1
perl-slurm_18_08: before 18.08.9-3.17.1
libslurm33-debuginfo: before 18.08.9-3.17.1
libslurm33: before 18.08.9-3.17.1
libpmi0_18_08-debuginfo: before 18.08.9-3.17.1
libpmi0_18_08: before 18.08.9-3.17.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_module_for_hpc:12:*:*:*:*:*:*:*
- cpe:2.3:a:suse:slurm_18_08-torque-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-torque:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-sql:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-slurmdbd:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-plugins:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-pam_slurm:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-node:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-munge:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-lua:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debugsource:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-config:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08-auth-none:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:perl-slurm_18_08:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libslurm33:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08-debuginfo:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libpmi0_18_08:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2022/suse-su-20223454-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
