HPCNow! is not usually producing communications about security, but given the severity and the high risk of CVE-2021-4034 for HPC clusters, we would like to aware you of the important vulnerability found in pkexec.
The CVE-2021-4034 vulnerability found in pkexec allows an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.
The most popular Linux distributions are affected, including Red Hat, SuSE, Debian, Ubuntu, and also the derivated distributions (i.e. CentOS, RockyLinux).
For Ubuntu and Debian based distributions, the issue can be fixed by upgrading the package policykit-1.
|sudo apt update
sudo apt –only-upgrade install policykit-1
On RHEL, CentOS, RockyLinux and other RHEL based systems, the process is more complex. We suggest taking advantage of the Ansible playbook developed by Red Hat to patch multiple systems.
ansible-playbook -e HOSTS=login01,slurm01,master01 cve-2021-4034_stap_mitigate–2022-01-25-0936.yml
Otherwise, follow the instructions described in this article.
We recommend you contact your security department, or an external consultant if needed.