OSG-SEC-2022-03-15 HTCondor Security Release 8.8.16, 9.0.10, and 9.6.0
Dear OSG Security Contacts,
New versions of HTCondor have been released to address three security vulnerabilities.
IMPACTED VERSIONS:
All versions prior to 8.8.16, 9.0.10, and 9.6.0
WHAT ARE THE VULNERABILITIES:
There are three separate vulnerabilities addressed with these releases:
-
(affects 8.9.4 and above) For jobs that request HTCondor to transfer files to or from S3 cloud storage, an attacker with either a.) login access to a SchedD or StartD machine or b.) READ access to SchedD can obtain pre-signed URLs. These pre-signed URLs can then be used to access the S3 file associated with each pre-signed URL with both read and write permissions. [1]
-
(affects 8.9.3 and above) For communication between version 9 and version 8.8 HTCondor daemons or for configurations using weak encryption protocols a piece of secret information may be sent over the network unencrypted. An attacker with the ability to capture network traffic between SchedD, StartD, and/or Collector and with a good understanding of HTCondor network protocol could capture this secret and use it to manipulate running jobs, including executing arbitrary code in place of the running job. [2]
-
(affects all versions) An attacker with READ access to HTCondor daemons and knowledge of HTCondor internal APIs can use the CLAIMTOBE authentication method to impersonate another user, administrator, or daemon. [3]
WHAT YOU SHOULD DO:
All sites running HTCondor should update to one of the patched versions (8.8.16, 9.0.10, and 9.6.0) from the public repositories as soon as they are available. [4]
REFERENCES
[1] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0001.html
[2] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0002.html
[3] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003.html
[4] https://research.cs.wisc.edu/htcondor/repo/current/
Please contact the OSG Security team at [email protected] if you have any questions or concerns.
OSG Security team