SB2022093024 - SUSE update for slurm

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2022-29500)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can obtain sensitive information credentials for the SlurmUser account.

2) Improper access control (CVE-ID: CVE-2022-29501)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in a network RPC handler in the slurmd daemon used for PMI2 and PMIx support. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

3) Incorrect default permissions (CVE-ID: CVE-2022-31251)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions in slurm testsuite. A local user with access to the system can execute arbitrary code with root privileges.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2022/suse-su-20223468-1/