On May 4th, 2022, SchedMD released a security advisory to address 3 critical vulnerabilities patched in Slurm versions 21.08.8 and 20.11.9.
The Slurm Workload Manager, formerly known as Simple Linux Utility for Resource Management (SLURM), or simply Slurm, is a free and open-source job scheduler for Linux and Unix-like kernels, used by many of the world’s supercomputers and computer clusters.
It provides three key functions:
• allocating exclusive and/or non-exclusive access to resources (computer nodes) for users for some duration of time so they can perform work,
• providing a framework for starting, executing, and monitoring work, typically a parallel job such as Message Passing Interface (MPI) on a set of allocated nodes, and
• arbitrating contention for resources by managing a queue of pending jobs.
The vulnerabilities are tracked as CVE-2022-29500, CVE-2022-29501 and CVE-2022-29502.
The main impact of these vulnerabilities is limited to HPC scope and doesn’t affect enterprise services.
SchedMD only issues security fixes for the supported releases (which currently are 21.08 and 20.11). Due to the complexity of these fixes, we do not recommend attempting to backport the fixes to
older releases, and strongly encourage to upgrade to newest versions. Customers which still use Slurm in version 19.05, are strongly advised to update the software. At the same time it is important to note that upgrade to 20.11 version remains a temporary solution as 20.11 EOL (End of Life) is expected soon with the release of 22.05 version.
See attached Security Bulletin for more details.