MUNGE CVE-2026-25506
#215
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
MUNGE Security Vulnerability Announcement
Recently a security vulnerability was publicly announced for MUNGE, the primary mechanism used to sign job requests in a Flux system instance.
GHSA-r9cr-jf4v-75gh
Impact Assessment
Single user Flux: Unaffected - Single user Flux doesn't make use of MUNGE at all.
System instances of Flux: Weakens security in Flux but does not create an exploitable vulnerability.
MUNGE is used to sign Flux job requests. The signature is verified by the IMP prior to execution to determine if a job request really came from the user or could have been forged by another user. Uh oh, right? Well, there is another layer of defense that saves our 🥓 here.
Two security mechanisms work together to prevent exploitation:
Users authenticate themselves at job submission time to the system instance brokers using UNIX domain socket peer credentials, not MUNGE. Job submissions signed with a MUNGE user ID that doesn't match the message credential user ID are immediately rejected by the
job-ingestmodule.The IMP is typically configured to only be usable by the system instance owner (normally the
fluxuser), so only the system instance would be able to pass forged job submissions to the IMP. The IMP configuration imposes this restriction as described in flux-config-security-imp(5):These two checks, working together, prevent a forged job request from being acted upon. While Flux's defense-in-depth approach prevents exploitation of this MUNGE vulnerability, administrators should still install the fixed MUNGE packages being released by Linux distributions as soon as possible.
Updating the MUNGE Key
As an additional precaution, system administrators may choose to regenerate the MUNGE key. Regenerating the MUNGE key will invalidate the signatures on all currently queued jobs. These jobs will need to be resubmitted after the new key is in place or they will fail immediately when they are launched.
Related Documentation
Beta Was this translation helpful? Give feedback.
All reactions