The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x
before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the
slurmd daemon informs users of a Prolog failure on a compute node. That
vulnerability could allow a user to assume control of an arbitrary file on
the system. Any exploitation of this is dependent on the user being able to
cause or anticipate the failure (non-zero return code) of a Prolog script
that their job would run on. This issue affects all Slurm versions from
0.6.0 (September 2005) to present. Workarounds to prevent exploitation of
this are to either disable your Prolog script, or modify it such that it
always returns 0 ("success") and adjust it to set the node as down using
scontrol instead of relying on the slurmd to handle that automatically. If
you do not have a Prolog set you are unaffected by this issue.
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):not-affected
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 (Focal Fossa):not-affected (
More Information

Updated: 2020-03-18 20:41:45 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)