HPCNow! is not usually producing communications about security, but given the severity and the high risk of CVE-2021-4034 for HPC clusters, we would like to aware you of the important vulnerability found in pkexec.

The CVE-2021-4034 vulnerability found in pkexec allows an unprivileged local attacker to escalate privileges, bypassing any authentication and policies due to incorrect handling of the process’s argument vector.

The most popular Linux distributions are affected, including Red Hat, SuSE, Debian, Ubuntu, and also the derivated distributions (i.e. CentOS, RockyLinux). 

For Ubuntu and Debian based distributions, the issue can be fixed by upgrading the package policykit-1.

sudo apt update
sudo apt –only-upgrade install policykit-1

On RHEL, CentOS, RockyLinux and other RHEL based systems, the process is more complex. We suggest taking advantage of the Ansible playbook developed by Red Hat to patch multiple systems. 

wget https://access.redhat.com/sites/default/files/cve-2021-4034_stap_mitigate–2022-01-25-0936.yml
ansible-playbook -e HOSTS=login01,slurm01,master01 cve-2021-4034_stap_mitigate–2022-01-25-0936.yml

Otherwise, follow the instructions described in this article.

We recommend you contact your security department, or an external consultant if needed. 

References

Headquarters

Av. Meridiana, 358, planta 13. 08027 Barcelona.
+34 931640488
info@hpcnow.com
See location


NZ Office

Level 8
139 Quay Street
1010 - Auckland (New Zealand)
+64 (0) 22 344 2801
info@hpcnow.com

Contact

Contact us and we will help you.


    I accept the terms and conditions