Hello.
We have discovered and fixed a security vulnerability in the HTCondor Software Suite (HTCSS).
These are the affected vulnerable versions of HTCSS:
24.7.x, 24.8.x, 24.9.x, 24.10.x, 24.11.x, 24.12.0-13,
25.0.0, 25.0.1, 25.0.2,
25.1.x, 25.2.x, 25.3.x
To exploit the vulnerability, a malicious user must first submit a specially-crafted job and then wait for HTCSS to be upgraded to a vulnerable version. Once the upgrade is done, the exploit can no longer be initiated. Upgrading to a patched version (24.12.14+, 25.0.3+, or 25.3.1+) will prevent any already-initiated exploit from succeeding.
If you are not currently running one of the affected versions, do NOT upgrade to any of the affected versions listed above. Instead, update at your leisure to a newer HTCSS version that is free of the vulnerability; fixed releases are available in both the LTS and Feature series (versions 24.12.14, 25.0.3, or 25.3.1).
If you have already upgraded to a vulnerable version, you can see if you are affected by running these commands:
condor_q -all -constraint 'OsUser != Owner'
condor_history -constraint 'OsUser != Owner'
If either of these commands shows any jobs, then you may be affected, and we recommend you email htcondor-security@xxxxxxxxxxx for further assistance. An HTCondor-CE queue may show matching jobs that are not malicious. You can remove any potentially malicious jobs with this command (run as root):
condor_rm -constraint 'OsUser != Owner'
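Added here as an illustration, not part of the advisory or of the HTCondor project: a small Python helper that classifies an installed version against the affected ranges listed above and applies the same Owner/OsUser comparison to a job listing. It assumes only that the version string contains an X.Y.Z triple and that the job listing has four whitespace-separated columns (ClusterId ProcId Owner OsUser, as condor_q -af would print them); the sample lines are constructed.

```python
import re

# Inclusive affected version ranges, taken from the advisory above.
AFFECTED_RANGES = [
    ((24, 7, 0), (24, 12, 13)),   # 24.7.x through 24.12.13
    ((25, 0, 0), (25, 0, 2)),     # 25.0.0 through 25.0.2 (LTS)
    ((25, 1, 0), (25, 3, 0)),     # 25.1.x through 25.3.0
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z triple found in text as a tuple of ints.

    Works on a bare '24.12.5' or on a condor_version banner; only the
    presence of an X.Y.Z triple is assumed, not the banner layout."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no X.Y.Z version found in %r" % text)
    return tuple(int(g) for g in m.groups())


def is_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def patched_version(text):
    """First patched release for the series this install is on, or None
    when the version is not affected (e.g. older than 24.7 or already fixed)."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    if v[0] == 24:
        return "24.12.14"
    if v[:2] == (25, 0):
        return "25.0.3"
    return "25.3.1"


def mismatched_jobs(lines):
    """Jobs whose OsUser differs from Owner, the advisory's 'OsUser != Owner'
    condition. On an HTCondor-CE such mismatches can be legitimate, so the
    result is a review list, not a removal list."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:          # skip blank or malformed lines
            continue
        cluster, proc, owner, osuser = parts
        if owner != osuser:
            hits.append(("%s.%s" % (cluster, proc), owner, osuser))
    return hits


# Constructed sample listing (ClusterId ProcId Owner OsUser); not a real pool.
SAMPLE = ["101 0 alice alice", "102 0 bob mallory", "103 0 carol carol"]
```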
This information is also available on our web site: https://htcondor.org/security/vulnerabilities/HTCONDOR-2025-0002.html
Please let us know (at htcondor-security@xxxxxxxxxxx) if you have any questions.
Thank you.