Detections
Analytics

SUSE SLES12 : Feature update for slurm and pdsh (SUSE-SU-SUSE-FU-2025:0661-1)

medium Nessus Plugin ID 216737

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-SUSE-FU-2025:0661-1 advisory.

 slurm was updated to version 24.11.1 using package slurm_24_11:

 - Security issues fixed:
 * CVE-2024-48936: Fixed authentication handling in stepmgr that could permit an attacker to execute processes under other users' jobs (bsc#1236722)
 * CVE-2024-42511: Fixed vulnerability with switch plugins where a user could override the isolation between Slingshot VNIs or IMEX channels (bsc#1236726)

 - Important remarks:
 * Slurm can be upgraded from version 23.02, 23.11 or 24.05 to version 24.11 without loss of jobs or other state information. Upgrading directly from an earlier version of Slurm will result in loss of state information.
 * If using the `slurmdbd` (Slurm DataBase Daemon) you must update this first.
 * The 24.11 `slurmdbd` will work with Slurm daemons of version 23.02 and above.
 You will not need to update all clusters at the same time, but it is very important to update `slurmdbd` first and having it running before updating any other clusters making use of it.
 * If using a backup DBD you must start the primary first to do any database conversion, the backup will not start until this has happened.
 * All SPANK plugins must be recompiled when upgrading from any Slurm version prior to 24.11.

 - Highlights of changes:
 * Fixed issues related to the modified startup handling for slurmdbd:
 moved PID file to `/run/slurmdbd` (bsc#1236928)
 * Create slurm-owned log file on behalf of slurmdbd (bsc#1236929)
 * Added report AccountUtilizationByQOS to sreport.
 * `AccountUtilizationByUser` is able to be filtered by QOS.
 * Added autodetected gpus to the output of `slurmd -C`
 * Added ability to submit jobs with multiple QOS. These are sorted by priority highest being the first.
 * Removed the instant on feature from `switch/hpe_slingshot`.
 * `slurmctld` : Changed incoming RPC handling to dedicated thread pool with asynchronous handling of I/O that can be configured via `conmgr_*` entries under `SlurmctldParameters` in `slurm.conf`.

 - Configuration File Changes (see appropriate man page for details)
 * Added `SchedulerParameters=bf_allow_magnetic_slot` option. It allows jobs in magnetic reservations to be planned by backfill scheduler.
 * Added `TopologyParam=TopoMaxSizeUnroll=#` to allow `--nodes=<min>-<max>` for `topology/block`.
 * Added `DataParserParameters` `slurm.conf` parameter to allow setting default value for CLI `--json` and `--yaml` arguments.
 * Hardware collectives in `switch/hpe_slingshot` now requires `enable_stepmgr`.
 * Added connection related parameters to `slurm.conf` under `SlurmctldParameters`:
 `conmgr_max_connections`: Defaults to 150 connections.
 `conmgr_threads`: Defaults to 64 threads for slurmctld.
 `conmgr_use_poll`: Defaults is to use epoll in Linux.
 `conmgr_connect_timeout`: Defaults to `MessageTimeout`.
 `conmgr_read_timeout`: Defaults to `MessageTimeout`.
 `conmgr_wait_write_delay`: Defaults to `MessageTimeout`.
 `conmgr_write_timeout`: Defaults to MessageTimeout.
 * Added `SlurmctldParamters=ignore_constraint_validation` to ignore `constraint/feature` validation at submission.
 * Added `SchedulerParameters=bf_topopt_enable` option to enable experimental hook to control backfill.

 - Command Changes (see man pages for details):
 * Remove srun `--cpu-bind=rank`.
 * Add `'%b'` as a file name pattern for the array task id modulo 10.
 * `sacct` : Respect `--noheader` for `--batch-script` and `--env-vars`.
 * Add `sacctmgr ping` command to query status of `slurmdbd`.
 * `sbcast` : Add `--nodelist` option to specify where files are transmitted to
 * `sbcast` : Add `--no-allocation` option to transmit files to nodes outside of a job allocation.
 * `slurmdbd` : Add `-u` option. This is used to determine if restarting the DBD will result in database conversion.
 * Remove `salloc --get-user-env`.
 * `scontrol` : Add `--json`/`--yaml` support to `listpids`.
 * `scontrol` : Add `liststeps`.
 * `scontrol` : Add `listjobs`.
 * `scontrol show topo` : Show aggregated block sizes when using topology/block.

 - API Changes:
 * Remove `burst_buffer/lua` call `slurm.job_info_to_string()`.
 * `job_submit/lua` : Add `assoc_qos` attribute to `job_desc` to display all potential QOS's for a job's association.
 * `job_submit/lua` : Add `slurm.get_qos_priority()` function to retrieve the given QOS's priority.

 - SLURMRESTD Changes:
 * Removed fields deprecated in the Slurm-23.11 release from v0.0.42 endpoints.
 * Removed v0.0.39 plugins.
 * Set `data_parser/v0.0.42+prefer_refs` flag to default.
 * Add `data_parser/v0.0.42+minimize_refs` flag to inline single referenced schemas in the OpenAPI schema to get default behavior of `data_parser/v0.0.41`.
 * Rename v0.0.42 `JOB_INFO` field `minimum_switches` to `required_switches` to reflect the actual behavior.
 * Rename v0.0.42 `ACCOUNT_CONDITION` field `assocation` to `association` (typo).
 * Tag `slurmdb/v0.0.42/jobs pid` field deprecated.

 - For details on the changes in this version update, consult Slurm 24.11 changelog

 pdsh was updated from version 2.34 to 2.35:

 - IMPORTANT NOTE: pdsh version 2.35 is not compatible with Slurm versions below 20.11
 - Key changes of version 2.35:
 * Added `-d` option to log errors
 * build: use LDADD instead of LDFLAGS for libcommon.la
 * dsbak: fixed handling of empty input lines
 * ssh: fixed sshcmd_signal on macos

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1236156

https://bugzilla.suse.com/1236722

https://bugzilla.suse.com/1236726

https://bugzilla.suse.com/1236928

https://bugzilla.suse.com/1236929

https://lists.suse.com/pipermail/sle-updates/2025-February/038528.html

https://www.suse.com/security/cve/CVE-2024-42511

https://www.suse.com/security/cve/CVE-2024-48936

Plugin Details

Severity: Medium

ID: 216737

File Name: suse_SU-FU-2025-0661-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/25/2025

Updated: 2/25/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2024-48936

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:pdsh, p-cpe:/a:novell:suse_linux:pdsh-dshgroup, p-cpe:/a:novell:suse_linux:pdsh-genders, p-cpe:/a:novell:suse_linux:pdsh-machines, p-cpe:/a:novell:suse_linux:pdsh-netgroup, p-cpe:/a:novell:suse_linux:pdsh-slurm_20_11, p-cpe:/a:novell:suse_linux:libnss_slurm2_24_11, p-cpe:/a:novell:suse_linux:libpmi0_24_11, p-cpe:/a:novell:suse_linux:libslurm42, p-cpe:/a:novell:suse_linux:pdsh-slurm_22_05, p-cpe:/a:novell:suse_linux:pdsh-slurm_23_02, p-cpe:/a:novell:suse_linux:pdsh-slurm_24_11, p-cpe:/a:novell:suse_linux:perl-slurm_24_11, p-cpe:/a:novell:suse_linux:slurm_24_11, p-cpe:/a:novell:suse_linux:slurm_24_11-auth-none, p-cpe:/a:novell:suse_linux:slurm_24_11-config, p-cpe:/a:novell:suse_linux:slurm_24_11-config-man, p-cpe:/a:novell:suse_linux:slurm_24_11-cray, p-cpe:/a:novell:suse_linux:slurm_24_11-devel, p-cpe:/a:novell:suse_linux:slurm_24_11-doc, p-cpe:/a:novell:suse_linux:slurm_24_11-lua, p-cpe:/a:novell:suse_linux:slurm_24_11-munge, p-cpe:/a:novell:suse_linux:slurm_24_11-node, p-cpe:/a:novell:suse_linux:slurm_24_11-pam_slurm, p-cpe:/a:novell:suse_linux:slurm_24_11-plugins, p-cpe:/a:novell:suse_linux:slurm_24_11-slurmdbd, p-cpe:/a:novell:suse_linux:slurm_24_11-sql, p-cpe:/a:novell:suse_linux:slurm_24_11-sview, p-cpe:/a:novell:suse_linux:slurm_24_11-torque, p-cpe:/a:novell:suse_linux:slurm_24_11-webdoc

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/24/2025

Vulnerability Publication Date: 10/28/2024

Reference Information

CVE: CVE-2024-42511, CVE-2024-48936

SuSE: SUSE-FU-2025:0661-1