Strix
26.1K

CVE-2016-10030

UnknownEPSS 2.46%

Last modified

CVE-2016-10030 is a vulnerability of currently unknown severity. The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. EPSS estimates a 2.46% chance of exploitation in the next 30 days.

Description

The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.

Metrics

EPSS Probability
2.46%

82.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
SchedmdSlurm<= 15.08.12
SchedmdSlurm16.05.0
SchedmdSlurm16.05.1
SchedmdSlurm16.05.2
SchedmdSlurm16.05.3
SchedmdSlurm16.05.4
SchedmdSlurm16.05.5
SchedmdSlurm16.05.6
SchedmdSlurm17.02.0Pre1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2016-10030?
The _prolog_error function in slurmd/req.c in Slurm before 15.08.13, 16.x before 16.05.7, and 17.x before 17.02.0-pre4 has a vulnerability in how the slurmd daemon informs users of a Prolog failure on a compute node. That vulnerability could allow a user to assume control of an arbitrary file on the system. Any exploitation of this is dependent on the user being able to cause or anticipate the failure (non-zero return code) of a Prolog script that their job would run on. This issue affects all Slurm versions from 0.6.0 (September 2005) to present. Workarounds to prevent exploitation of this are to either disable your Prolog script, or modify it such that it always returns 0 ("success") and adjust it to set the node as down using scontrol instead of relying on the slurmd to handle that automatically. If you do not have a Prolog set you are unaffected by this issue.
How severe is CVE-2016-10030?
Severity scoring for CVE-2016-10030 is pending analysis. The EPSS model estimates a 2.46% probability of exploitation in the next 30 days.
How do I fix CVE-2016-10030?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-10030?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST