HTCONDOR-2014-0001


Summary:

The HTCondor scheduling daemon can leak information that could allow an attacker to gain unauthorized access to jobs and to any resource the job's owner can access on the execute host.

CVE-2014-4934


Component: condor_schedd
Vulnerable Versions: 8.1.4, 8.1.5, 8.1.6, and 8.2.0
Platform: all
Availability: not known to be publicly exploited
Fix Available: 8.2.1

Status: Verified
Access Required: authorized HTCondor user
Host Type Required: any host
Effort Required: medium
Impact/Consequences: medium

Fixed Date: 2014-07-07
Credit: John "TJ" Knoeller
        HTCondor team

Access Required:

authorized HTCondor user

This vulnerability requires HTCondor read authorization to the submit host and HTCondor write authorization to an execute host in the same pool.

Effort Required:

medium

Using standard HTCondor binaries, an attacker with considerable knowledge of HTCondor internals could exploit this vulnerability.

Impact/Consequences:

medium

An attacker could run arbitrary code impersonating the owner of any queued job in the following universes: vanilla, standard, parallel, java, or vm. This permits access to any resources including the hardware and the file systems available to that user on the execute host. If the slot is configured to run jobs as the submitting user, an attacker could modify files in the user's home directory. This vulnerability does not affect grid, local, or scheduler universe jobs.
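
A triage helper for a submit host, added here as an example and not part of the original advisory or of HTCondor: it checks a version banner against the vulnerable versions listed above and reports which job owners have queued jobs in the affected universes. Assumptions: the banner has the `$CondorVersion: X.Y.Z ...` form printed by `condor_version`, the queue listing is one "Owner JobUniverse" pair per line, and the universe numbers are HTCondor's usual JobUniverse values, which the advisory itself does not state.

```python
import re

# Versions the advisory lists as vulnerable; 8.2.1 carries the fix.
VULNERABLE = {(8, 1, 4), (8, 1, 5), (8, 1, 6), (8, 2, 0)}

# Assumed JobUniverse numbers for the universes the advisory names as affected.
# grid (9), local (12) and scheduler (7) are listed as not affected.
AFFECTED_UNIVERSES = {1: "standard", 5: "vanilla", 10: "java",
                      11: "parallel", 13: "vm"}


def parse_version(banner):
    """Extract (major, minor, patch) from a '$CondorVersion: X.Y.Z ...' banner."""
    m = re.search(r"\$CondorVersion:\s*(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no $CondorVersion banner found")
    return tuple(int(x) for x in m.groups())


def schedd_is_vulnerable(banner):
    """True only for the exact versions named in the advisory."""
    return parse_version(banner) in VULNERABLE


def exposed_owners(banner, queue_lines):
    """Map owner -> set of affected universe names; empty if the schedd is not vulnerable."""
    exposed = {}
    if not schedd_is_vulnerable(banner):
        return exposed
    for line in queue_lines:
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip blank or malformed rows
        owner, universe = parts[0], int(parts[1])
        if universe in AFFECTED_UNIVERSES:
            exposed.setdefault(owner, set()).add(AFFECTED_UNIVERSES[universe])
    return exposed


# Constructed sample input (not taken from a real pool).
SAMPLE_BANNER = "$CondorVersion: 8.2.0 Jun 01 2014 BuildID: 000000 $"
SAMPLE_QUEUE = ["alice 5", "alice 9", "bob 7", "carol 13", "carol 5", ""]

if __name__ == "__main__":
    found = exposed_owners(SAMPLE_BANNER, SAMPLE_QUEUE)
    for owner, universes in sorted(found.items()):
        print(owner, ",".join(sorted(universes)))
```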