OSG-SEC-2022-03-15 HTCondor Security Release 8.8.16, 9.0.10, and 9.6.0
Dear OSG Security Contacts,
New versions of HTCondor have been released to address three security vulnerabilities.
All versions prior to 8.8.16, 9.0.10, and 9.6.0
WHAT ARE THE VULNERABILITIES:
There are three separate vulnerabilities addressed with these releases:
(affects 8.9.4 and above) For jobs that request HTCondor to transfer files to or from S3 cloud storage, an attacker with either a.) login access to a SchedD or StartD machine or b.) READ access to SchedD can obtain pre-signed URLs. These pre-signed URLs can then be used to access the S3 file associated with each pre-signed URL with both read and write permissions. 
(affects 8.9.3 and above) For communication between version 9 and version 8.8 HTCondor daemons or for configurations using weak encryption protocols a piece of secret information may be sent over the network unencrypted. An attacker with the ability to capture network traffic between SchedD, StartD, and/or Collector and with a good understanding of HTCondor network protocol could capture this secret and use it to manipulate running jobs, including executing arbitrary code in place of the running job. 
(affects all versions) An attacker with READ access to HTCondor daemons and knowledge of HTCondor internal APIs can use the CLAIMTOBE authentication method to impersonate another user, administrator, or daemon. 
WHAT YOU SHOULD DO:
All sites running HTCondor should update to one of the patched versions (8.8.16, 9.0.10, and 9.6.0) from the public repositories as soon as they are available. 
Please contact the OSG Security team at [email protected] if you have any questions or concerns.
OSG Security team