Skip to main content
Release Announcements

Slurm Version 22.05.11, 23.02.07, and 23.11.1 Are Now Available

By December 13, 2023March 11th, 2024No Comments

Slurm versions 22.05.11, 23.02.7, and 23.11.1 are now available (CVE-2023-49933 through CVE-2023-49938)

Slurm versions 23.11.1, 23.02.7, 22.05.11 are now available and address a number of recently-discovered security issues. They’ve been assigned CVE-2023-49933 through CVE-2023-49938.

SchedMD customers were informed on November 29th and provided a patch on request. This process is documented in our security policy.

There are no mitigations available for these issues, the only option is to patch and restart the affected daemons.

Five issues were reported by Ryan Hall (Meta Red Team X):

  • Slurmd Message Integrity Bypass. (Slurm 23.02 and 23.11.)
    Permits an attacker to reuse root-level authentication tokens when interacting with the slurmd process, bypassing the RPC message hashes which protect against malicious MUNGE credential reuse.
  • Slurm Arbitrary File Overwrite. (Slurm 22.05 and 23.02.)
    Permits an attacker to modified their extended group list used with the sbcast subsystem, and open files with an incorrect set of extended groups.
  • Slurm NULL Pointer Dereference. (Slurm 22.05, 23.02, 23.11.)
    Denial of service.
  • Slurm Protocol Double Free. (Slurm 22.05, 23.02, 23.11.)
    Denial of service, potential for arbitrary code execution.
  • Slurm Protocol Message Extension. (Slurm 22.05, 23.02, 23.11.)
    Allows for malicious modification of RPC traffic that bypasses the message hash checks.

A sixth issue was discovered internally by SchedMD:

  • SQL Injection. (Slurm 23.11.) CVE-2023-49934
    Arbitrary SQL injection against SlurmDBD’s SQL database.

SchedMD only issues security fixes for the supported releases (currently 23.11, 23.02 and 22.05). Due to the complexity of these fixes, we do not recommend attempting to back-port the fixes to older releases, and strongly encourage sites to upgrade to fixed versions immediately.

Downloads are available here.