Hi Easybuilders,
The Slurm folks have alerted us to an important security issue in PMIx
before 4.2.6 and 5.0.1. See:
https://nvd.nist.gov/vuln/detail/CVE-2023-41915 (CVSS score 8.1 High)
https://github.com/openpmix/openpmix/releases/tag/v4.2.6
The description is:
A security issue was reported by François Diakhate (CEA)
which is addressed in the PMIx v4.2.6 and v5.0.1 releases.
(Older PMIx versions may be vulnerable, but are no longer
supported.)
A filesystem race condition could permit a malicious user
to obtain ownership of an arbitrary file on the filesystem
when parts of the PMIx library are called by a process
running as uid 0. This may happen under the default
configuration of certain workload managers, including Slurm.
It therefore appears that all EB modules of PMIx are vulnerable, if run
by the root user for some reason! The most recent EB module is
PMIx-4.2.4-GCCcore-12.3.0.eb, and all PMIx modules in EB are no longer
supported!
Question 1: If PMIx is used only by normal users, can we be sure that
the security issue can't be exploited?
Question 2: Is the issue resolved by PRs 18755 and 18759? If so, how do
we apply this to all of our currently installed PMIx modules? Can
anyone give the exact command used to rebuild any given PMIx module
including the mentioned PRs?
Slurm users: Check if your Slurm has been built with PMIx support by:
$ srun --mpi=list
in which case you must rebuild Slurm without PMIx!
Thanks,
Ole
--
Ole Holm Nielsen
PhD, Senior HPC Officer
Department of Physics, Technical University of Denmark
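Added example (not part of the original message, and not EasyBuild's own tooling): a small scanner that classifies PMIx easyconfig or module names against the fixed releases named in the advisory (4.2.6 on the 4.x line, 5.0.1 on the 5.x line) so an admin can list which installed PMIx modules still need rebuilding. It assumes the usual `PMIx-<version>-<toolchain>.eb` naming shown in the message and uses a constructed sample list.

```python
"""Added example: classify EasyBuild PMIx module names against the
CVE-2023-41915 fixed releases (PMIx 4.2.6 and 5.0.1 per the advisory)."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed releases per the advisory: 4.2.6 on the 4.x line, 5.0.1 on the 5.x line.
FIXED = {4: (4, 2, 6), 5: (5, 0, 1)}

# Matches names such as PMIx-4.2.4-GCCcore-12.3.0.eb; the toolchain suffix
# and the .eb extension are optional (assumed naming, as in the message).
_NAME_RE = re.compile(r"^PMIx-(\d+)\.(\d+)\.(\d+)(?:-.*)?(?:\.eb)?$")


def parse_pmix_version(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a PMIx easyconfig/module name, else None."""
    m = _NAME_RE.match(name.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def pmix_status(version: Tuple[int, int, int]) -> str:
    """'fixed', 'vulnerable', or 'unsupported' (older line with no fix)."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Lines older than 4.x received no fix; treat them as needing replacement.
        return "unsupported"
    return "fixed" if version >= fixed else "vulnerable"


def scan_module_names(names: Iterable[str]) -> Dict[str, str]:
    """Map each recognised PMIx name to its status; non-PMIx names are skipped."""
    result: Dict[str, str] = {}
    for name in names:
        version = parse_pmix_version(name)
        if version is not None:
            result[name] = pmix_status(version)
    return result


# Constructed sample: what a listing of installed easyconfigs might contain.
SAMPLE_NAMES = [
    "PMIx-4.2.4-GCCcore-12.3.0.eb",
    "PMIx-4.2.6-GCCcore-12.3.0.eb",
    "PMIx-5.0.1-GCCcore-13.2.0.eb",
    "PMIx-3.2.3-GCCcore-10.3.0.eb",
    "OpenMPI-4.1.5-GCC-12.3.0.eb",
]

if __name__ == "__main__":
    for name, status in scan_module_names(SAMPLE_NAMES).items():
        print(f"{status:12s} {name}")
```

In practice feed it the output of `ls` over your easyconfig directory or `module avail PMIx`; anything reported as vulnerable or unsupported is a candidate for rebuilding once a fixed easyconfig is available.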