CVE-2019-12838

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the SchedMD Slurm workload manager. An attacker who can reach Slurm's accounting database path can execute arbitrary SQL against the Slurm database, potentially compromising the cluster management system as a whole. Affected versions are 17.11.x, 18.08.0 through 18.08.7, and 19.05.0; the fix shipped in 18.08.8 and 19.05.1.

💻 Affected Systems

Products:
  • SchedMD Slurm
Versions: 17.11.x, 18.08.0 through 18.08.7, 19.05.0
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: No non-default setting is needed to be exposed. The vulnerable code path is only reachable when Slurm's accounting database is in use, i.e. AccountingStorageType is set to a database-backed plugin (normally accounting_storage/slurmdbd, with slurmdbd backed by MySQL/MariaDB); clusters running with AccountingStorageType=accounting_storage/none have no database to inject into.

📦 What is this software?

Slurm is an open-source cluster workload manager and job scheduler for Linux clusters, widely used on HPC systems. A deployment consists of the slurmctld controller, slurmd on each compute node, and, when accounting is enabled, the slurmdbd daemon, which stores job and association records in a MySQL/MariaDB database on behalf of the controller and of user tools such as sacct and sacctmgr.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Slurm database leading to cluster takeover, credential theft, job manipulation, and potential lateral movement to compute nodes.

🟠

Likely Case

Unauthorized database access allowing job manipulation, privilege escalation, and sensitive information disclosure from Slurm databases.

🟢

If Mitigated

Limited impact with proper network segmentation, database permissions, and input validation controls in place.

🌐 Internet-Facing: MEDIUM - While Slurm typically runs internally, internet-facing management interfaces could be exposed.
🏢 Internal Only: HIGH - SQL injection can lead to full database compromise within internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity once the injection point is known. Exploitation requires the ability to issue requests that reach Slurm's database interface, which a cluster user with an account on a login node normally has.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.08.8, 19.05.1, and later versions

Vendor Advisory: https://www.schedmd.com/news.php

Restart Required: Yes

Instructions:

1. Back up slurm.conf, slurmdbd.conf and the accounting database (for example a mysqldump of the slurm_acct_db schema, the default StorageLoc).
2. Upgrade to a patched release (18.08.8+ or 19.05.1+), following SchedMD's recommended order: slurmdbd first, then slurmctld, then slurmd on the compute nodes.
3. Restart the daemons: systemctl restart slurmdbd on the database host, systemctl restart slurmctld on the controller, and systemctl restart slurmd on the compute nodes.
4. Verify database integrity and confirm that sacct and sacctmgr still work against the upgraded slurmdbd.

🔧 Temporary Workarounds

Database Input Validation

There is no slurm.conf or slurmdbd.conf parameter that sanitizes the SQL slurmdbd builds, so input validation cannot be added from the outside; the only complete fix is the upgrade. What can be done in the meantime is to review any site scripts that query the accounting database directly and make sure they use parameterized queries, and to run slurmdbd's MySQL/MariaDB account with privileges limited to the accounting schema (GRANT ALL ON slurm_acct_db.*) rather than global privileges, so a successful injection cannot reach other databases on the same server.

Network Segmentation

Restrict which hosts can reach the two network paths into the accounting data: the MySQL/MariaDB port on the database host (default 3306) and the slurmdbd port (default SlurmdbdPort = 6819). Replace the placeholder hosts with the real addresses.

# On the MySQL/MariaDB host: only slurmdbd may connect to the database
iptables -A INPUT -p tcp --dport 3306 -s <slurmdbd-host> -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
# On the slurmdbd host: only the controller and the login nodes that need sacct/sacctmgr may connect
iptables -A INPUT -p tcp --dport 6819 -s <slurmctld-host> -j ACCEPT
iptables -A INPUT -p tcp --dport 6819 -s <login-node> -j ACCEPT
iptables -A INPUT -p tcp --dport 6819 -j DROP

Caveats: sacct and sacctmgr connect to slurmdbd directly, so restricting port 6819 to the controller alone will break those commands for users. This control only narrows the set of hosts an attacker can work from; it does not stop an authenticated cluster user who can already reach slurmdbd from a permitted node.

🧯 If You Can't Patch

  • Implement strict network ACLs so that only slurmdbd can reach the MySQL/MariaDB port and only trusted controller and login nodes can reach slurmdbd
  • Enable the MySQL/MariaDB general query log (or an audit plugin) and slurmdbd query logging (DebugFlags=DB_QUERY in slurmdbd.conf), and review them for unexpected statements and SQL syntax errors

🔍 How to Verify

Check if Vulnerable:

Check the Slurm version and whether a database is in use: scontrol show config | grep -E 'SLURM_VERSION|AccountingStorageType'. If the version is 17.11.x, 18.08.0 through 18.08.7, or 19.05.0 and AccountingStorageType is a database-backed plugin (normally accounting_storage/slurmdbd), the system is vulnerable.

Check Version:

scontrol show config | grep SLURM_VERSION || slurmctld -V
slurmdbd -V   # on the database daemon host, since slurmdbd is the component that must be upgraded

Verify Fix Applied:

Verify the upgraded version on the controller (scontrol show config | grep SLURM_VERSION) and on the slurmdbd host (slurmdbd -V). Confirm both report 18.08.8+, 19.05.1+, or a later release series.
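The verification steps above, turned into a script. This is an added example, not part of the original advisory or of SchedMD's tooling: it parses the "Key = Value" lines that scontrol show config prints, pulls out SLURM_VERSION and AccountingStorageType, and classifies the deployment against the affected ranges this page lists. The sample configuration texts are constructed for the example, and the treatment of versions older than 17.11 (reported as not covered by the advisory rather than as fixed) and of the older direct-MySQL accounting plugin are the author's assumptions.

```shell
#!/bin/sh
# Added example (not SchedMD code): decide whether a Slurm deployment falls in
# the CVE-2019-12838 affected range from `scontrol show config` output.
# Affected per the advisory: 17.11.x, 18.08.0 - 18.08.7, 19.05.0.
# Fixed: 18.08.8+, 19.05.1+ and every later release series.

# Strip leading zeros so "05"/"08" compare as decimals (bash arithmetic would
# read "08" as an invalid octal literal).
_dec() { printf '%s\n' "${1:-0}" | sed 's/^0*\([0-9]\)/\1/'; }

# _cfg_value KEY CONFIG_TEXT: value of the "KEY = value" line, whitespace removed.
_cfg_value() {
    printf '%s\n' "$2" | awk -F'=' -v k="$1" \
        '$1 ~ ("^" k "[[:space:]]*$") { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# slurm_is_vulnerable VERSION
#   exit 0: in an affected range   1: fixed   2: not covered by the advisory list
slurm_is_vulnerable() {
    v=${1%%-*}                       # drop a packaging suffix such as "-1"
    maj=$(_dec "${v%%.*}")
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0    # only "MAJOR.MINOR" was given
    min=$(_dec "$min")
    pat=$(_dec "${pat%%[!0-9]*}")    # "1rc1" -> 1, "" -> 0 (assumed suffix forms)
    case "$maj.$min" in
        17.11) return 0 ;;                                   # every 17.11.x
        18.8)  [ "$pat" -le 7 ] && return 0; return 1 ;;     # 18.08.0 .. 18.08.7
        19.5)  [ "$pat" -eq 0 ] && return 0; return 1 ;;     # 19.05.0 only
    esac
    if [ "$maj" -gt 19 ] || { [ "$maj" -eq 19 ] && [ "$min" -gt 5 ]; }; then
        return 1                     # release series newer than 19.05 post-date the fix
    fi
    return 2                         # older than 17.11 or unrecognised: not in the list
}

# assess_slurm_config CONFIG_TEXT -> "VULNERABLE|PATCHED|NOT_APPLICABLE|UNKNOWN [version]"
assess_slurm_config() {
    ver=$(_cfg_value SLURM_VERSION "$1")
    storage=$(_cfg_value AccountingStorageType "$1")
    if [ -z "$ver" ]; then
        echo UNKNOWN                 # no version line: controller unreachable or odd output
        return 0
    fi
    case "$storage" in
        # database-backed accounting: slurmdbd, or the older direct-MySQL plugin (assumption)
        accounting_storage/slurmdbd|accounting_storage/mysql) ;;
        *) echo "NOT_APPLICABLE $ver"; return 0 ;;   # no accounting database in use
    esac
    rc=0
    slurm_is_vulnerable "$ver" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE $ver" ;;
        1) echo "PATCHED $ver" ;;
        *) echo "UNKNOWN $ver" ;;
    esac
}

# Constructed sample output (not captured from a real cluster) in the
# "Key = Value" layout that `scontrol show config` prints.
SAMPLE_VULNERABLE='AccountingStorageHost   = dbhost
AccountingStorageType   = accounting_storage/slurmdbd
ClusterName             = example
SLURM_VERSION           = 18.08.5'
SAMPLE_PATCHED='AccountingStorageType   = accounting_storage/slurmdbd
SLURM_VERSION           = 19.05.1'
SAMPLE_NO_DB='AccountingStorageType   = accounting_storage/none
SLURM_VERSION           = 18.08.5'

for cfg in "$SAMPLE_VULNERABLE" "$SAMPLE_PATCHED" "$SAMPLE_NO_DB"; do
    assess_slurm_config "$cfg"
done
# On a real cluster, run it against the live controller (needs a reachable slurmctld):
if command -v scontrol >/dev/null 2>&1; then
    assess_slurm_config "$(scontrol show config 2>/dev/null)"
fi
```

The version is read from the controller, so run slurmdbd -V on the database host as well: the controller can report a fixed version while an un-upgraded slurmdbd is still serving the vulnerable code.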

📡 Detection & Monitoring

Log Indicators:

  • Unexpected statements in the slurmdbd log (LogFile in slurmdbd.conf; with DebugFlags=DB_QUERY set, slurmdbd logs the SQL it issues)
  • SQL syntax errors in the MySQL/MariaDB error log or general query log
  • Database connections from hosts other than the slurmdbd host

Network Indicators:

  • Connections to the MySQL/MariaDB port (default 3306) from anything other than the slurmdbd host, or to the slurmdbd port (default 6819) from hosts that should not run accounting commands
  • SQL keywords or quote/comment sequences inside Slurm accounting requests, where traffic is inspectable

SIEM Query:

source="slurm_logs" AND (sourcetype="slurmdbd" OR sourcetype="mysql_error") AND ("SQL" OR "database error" OR "syntax error" OR "You have an error in your SQL syntax")

🔗 References
