OSG-SEC-2021-05-18 Vulnerability in SLURM CVE-2021-31215
Dear OSG Security Contacts,
A vulnerability (CVE-2021-31215 ) was reported in Slurm that can allow any user to run arbitrary commands as SlurmUser if the installation uses a PrologSlurmctld and/or EpilogSlurmctld script.
The OSG Security Team considers this vulnerability to be of HIGH severity.
Versions before 20.02.7 Versions 20.03.x through 20.11.x before 20.11.7
WHAT ARE THE VULNERABILITIES:
According to the advisory  an issue with the handling of user-set environment variables in the PrologSlurmctld and EpilogSlurmctld scripts could allow any user to run arbitrary commands as the SlurmUser.
WHAT YOU SHOULD DO:
Sites running Slurm are recommended to update to 20.02.07 or 20.11.7 (or later)  as soon as possible.
Note that if PrologSlurmctld and/or EpilogSlurmctld scripts are not in use there is no indication that this vulnerability is exploitable.
Please contact the OSG security team at secu[email protected] if you have any questions or concerns.
OSG Security Team