Skip to main content

Information Security Advisories

Information on relevant CVEs and security issues for clients

July 2024

CVE-2024-6387 - Qualys Security Advisory - Update Advisory

ItemDescription
DescriptionOpenSSH Remote Code Execution due to Race Condition in Signal Handling (CVE-2024-6387)
Severity8.1
Impact to CoreWeave PlatformThe CoreWeave platform and supporting infrastructure have been upgraded to prevent exploitation of this issue.
Potentially Affected ClientsClients running vulnerable versions of OpenSSH server are vulnerable to this CVE. Clients running an OpenSSH server version equal to or greater than "8.5p1" and less than "9.8p1" are vulnerable to this issue and should take steps to remediate. In particular, clients using VirtualServers and Slurm may need to take action to upgrade their SSH servers to a patched version or use workarounds which prevent exploitation.
Actions TakenPatching and Updates: Updates have been deployed inside of the CoreWeave platform and its supporting infrastructure.

System Status: As of July 2nd, 2024 CoreWeave systems are operational and no outages to support upgrade operations are planned.

Recommended Client Actions: Clients which run a VirtualServer, container, or Slurm login pod that uses a version of OpenSSH server should upgrade their VirtualServer, container image, or Slurm login/compute pod images in order to obtain a patched version. Alternatively, clients may apply workarounds to their SSH server configuration to limit or prevent exploitability.

Clients running an OpenSSH server version equal to or greater than "8.5p1" and less than "9.8p1" are vulnerable to this issue and should take steps to remediate.

Additional information

Further technical details about this issue may be found in the Qualys writeup of this issue.

SUNK/Slurm User Guidance

Clients who are not on a CoreWeave managed instance of Slurm on Kubernetes (SUNK) and who meet the criteria below should take action to ensure that SUNK is patched against CVE-2024-6387:

  • Are using SUNK versions 3.20.0 through 4.3.0
  • Are using Ubuntu images in SUNK of 22.04 or higher

If the criteria above are met, clients should take the following actions:

  • Add the following items to the s6 configuration for both login and compute nodes in the chart values.yaml being used to deploy CoreWeave's Slurm chart:
login:
  s6:
    ssh-patch:
      type: oneshot
      script: |
        #!/usr/bin/env bash
        groupadd messagebus
        apt update && apt install --only-upgrade openssh-server -y
compute:
  s6:
    ssh-patch:
      type: oneshot
      script: |
        #!/usr/bin/env bash
        groupadd messagebus
        apt update && apt install --only-upgrade openssh-server -y
  • Deploy these changes (if using ArgoCD, sync the changes with the cluster).
warning

This will roll the NodeSet Pods for the compute Nodes. If login StatefulSets are set to use the OnDelete update strategy, then the login Pods to all that will be upgraded with these changes will need to be manually deleted. See the official Kubernetes documentation on StatefulSet update strategies for more information.

info

If using custom build images for SUNK, these commands can be integrated into the image build instead.

November 2023

CVE-2023-23583 - INTEL-SA-00950 Update Advisory

ItemDescription
DescriptionIn response to Intel's Platform Update advisory INTEL-SA-00950 (CVE-2023-23583), CoreWeave Engineering has proactively updated our systems to address the identified vulnerabilities within the named Intel products.
Severity8.8
Impact to CoreWeave PlatformNo impact has been observed as of this posting. CoreWeave systems have been upgraded and operational prior to public disclosure.
Potentially Affected ClientsNo client impact as remediation has occurred prior to public disclosure. (Note: Intel components are used within our services, however, our proactive updates have ensured no client impact.)
Actions TakenPatching and Updates: Updates have been implemented for INTEL-SA-00950 (CVE-2023-23583), ensuring compatibility and system integrity.

System Status: As of November 14th, 2023, CoreWeave in-scope systems have been upgraded and are operational.

Recommended Client Actions: No action is required. This advisory is informational only, to assure you of CoreWeave's commitment to infrastructure security.

CoreWeave's Vulnerability Management Team is closely monitoring the situation and is dedicated to providing timely updates if deemed necessary. If required, updates to this page will be posted.

December 2022

CVE-2022-42475

ItemDescription
DescriptionA heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Severity9.3
Impact to CoreWeave PlatformCurrently no known impact to CoreWeave Platform
Potentially Affected ClientsClients using FortiOS
Recommended ActionsVendor-recommended mitigations

FortiGuard Labs has confirmed at least one instance of vulnerability CVE-2022-42475 being exploited in the wild. Given the high value (CVE critical severity rating 9.3) and relatively low complexity of this vulnerability, CoreWeave strongly recommends upgrading to an unaffected version of FortiOS on an accelerated patch schedule, according to vendor recommendations.

Vulnerability checks for CVE-2022-42475 are available from a variety of sources. Please use caution when running any script or application to ensure it is safe.

At this time there is no impact to CoreWeave's platform, however customers who have FortiOS running within their environment are advised to review the vendor-recommended mitigations, and take appropriate self measures to upgrade their deployments and evaluate their systems for any indicators of compromise. Our cyber security team is closely monitoring the situation, and will provide important updates should more information become available.