HTCondor
Overview
Download
Documentation
Release Highlights
Release Schedule

HTCondor-CE
Overview
Download
Documentation
Release Highlights

General
News
Security
Documentation
Download

Documentation
HTCondor
HTCondor-CE

Support
HTCSS Contract Support
Community Mailing List
External Support Organizations

Email Lists
Users / Help
World / Announcements

Workshops
Throughput Computing 2024
Materials from past Workshops

HTCSS
What is HTCSS?
Logos

CHTC
Website ⬏
Staff ⬏
Jobs ⬏
Research & Publications ⬏

HTCONDOR-2017-0001

Summary:

A user can cause the condor_schedd to crash by submitting a job designed for that purpose. CVE-2017-16816

Component	Vulnerable Versions	Platform	Availability	Fix Available
condor_schedd	All before 8.6.8 (stable) and 8.7.5 (devel)	all	not known to be publicly exploited	8.6.8, 8.7.5
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	authorized HTCondor submitter	any host	low	medium
Fixed Date	Credit
2017-11-14	Edgar M Fajardo Hernandez Brian Bockleman Jaime Frey

Access Required:

authorized HTCondor submitter

This vulnerability requires the attacker to be able to submit a job to a condor_schedd.

Effort Required:

low

Using standard HTCondor binaries, an attacker with knowledge of the nature of this vulnerability and manipulating GSI proxies can cause a denial of service.

Impact/Consequences:

medium

Using a specially crafted proxy, an attacker can cause the condor_schedd to crash, essentially preventing any users from running jobs.

Workaround:

If your site does not use GSI, or if it does use GSI but does not utilize VOMS extensions, you can set "USE_VOMS_ATTRIBUTES = False" in your configuration to avoid the issue entirely.

Full Detials:

If a user submitted a job by authenticating with GSI, or that job carried a GSI certificate using the x509userproxy keyword, it was possible to crash the condor_schedd. Adding VOMS attributes to the proxy, but then setting either the VONAME or FQAN attribute to certificate that would cause HTCondor daemons to crash. This creates a potential denial of service that would prevent all users of HTCondor from submitting jobs.

European HTCondor Workshop: Abstract Submission Open

Mining millions of genomes for the next powerful antibiotic

Collaborations Between Two National Laboratories and the OSG Consortium Propel Nuclear and High-Energy Physics Forward

NOAA funded marine scientist uses OSPool access to high throughput computing to explode her boundaries of research

Addressing the challenges of transferring large datasets with the OSDF

Learning and adapting with OSG: Investigating the strong nuclear force

What is HTCSS?

HTCONDOR-2017-0001