Date: 2023-12-14 Updated: 2024-02-20
Multiple CRITICAL risk vulnerabilities concerning SLURM
EGI SVG ID: EGI-SVG-2023-59
CVE IDs:
CVE-2023-49933: Slurm Protocol Message Extension
CVE-2023-49934: SQL injection in SLURM DBD database
CVE-2023-49935: Slurmd Message Integrity Bypass
CVE-2023-49936: Slurm NULL Pointer Dereference
CVE-2023-49937: Slurm Protocol Double Free
CVE-2023-49938: Slurm Arbitrary File Overwrite
CVSS Score: Up to 9.8 [R 3], [R 4]
Sites running SLURM are required to urgently install a new version; see [R 1] below.
All running resources MUST be patched by 2023-12-21 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.
Commercial users had already been informed and provided with patches prior to the public announcement.
Details of the vulnerabilities are available at the SLURM site [R 1].
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2023-59
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49933
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49934
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49935
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49936
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49937
https://advisories.egi.eu/Advisory-SVG-CVE-2023-49938
Minor updates may be made without re-distribution to the sites.
Comments or questions should be sent to svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu
(See [R 99] for further details and other information on SVG.)
SVG was alerted to these vulnerabilities by Barbara Krasovec.