Skip to content

OSG-SEC-2022-03-15 HTCondor Security Release 8.8.16, 9.0.10, and 9.6.0

Dear OSG Security Contacts,

New versions of HTCondor have been released to address three security vulnerabilities.

IMPACTED VERSIONS:

All versions prior to 8.8.16, 9.0.10, and 9.6.0

WHAT ARE THE VULNERABILITIES:

There are three separate vulnerabilities addressed with these releases:

  • (affects 8.9.4 and above) For jobs that request HTCondor to transfer files to or from S3 cloud storage, an attacker with either a.) login access to a SchedD or StartD machine or b.) READ access to SchedD can obtain pre-signed URLs. These pre-signed URLs can then be used to access the S3 file associated with each pre-signed URL with both read and write permissions. [1]

  • (affects 8.9.3 and above) For communication between version 9 and version 8.8 HTCondor daemons or for configurations using weak encryption protocols a piece of secret information may be sent over the network unencrypted. An attacker with the ability to capture network traffic between SchedD, StartD, and/or Collector and with a good understanding of HTCondor network protocol could capture this secret and use it to manipulate running jobs, including executing arbitrary code in place of the running job. [2]

  • (affects all versions) An attacker with READ access to HTCondor daemons and knowledge of HTCondor internal APIs can use the CLAIMTOBE authentication method to impersonate another user, administrator, or daemon. [3]

WHAT YOU SHOULD DO:

All sites running HTCondor should update to one of the patched versions (8.8.16, 9.0.10, and 9.6.0) from the public repositories as soon as they are available. [4]

REFERENCES

[1] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0001.html

[2] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0002.html

[3] https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2022-0003.html

[4] https://research.cs.wisc.edu/htcondor/repo/current/

Please contact the OSG Security team at [email protected] if you have any questions or concerns.

OSG Security team