Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site.

Condor Security Vulnerability

Summary

Condor versions prior to 6.7.18 and 6.6.11 contain security vulnerabilities.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2006-04-04

Description

Older versions of Condor contain security vulnerabilities, at least one of which is critical. From the Condor 6.7.18 release notes:

A security team at UW-Madison is conducting an ongoing security audit of the Condor system and has identified a few important vulnerabilities. Condor versions 6.6.11 and 6.7.18 fix these security problems and other bugs. There have been no reported exploits, but all sites are urged to upgrade immediately.

The Condor Team will publish detailed reports of these vulnerabilities on 2006-04-24, 4 weeks from the date when the fixes were first released (2006-03-27). This will allow all sites time to upgrade before enough information to exploit these bugs is widely available.

Also from the release notes:

Bugs in previous versions of Condor could allow any user who can submit jobs on a machine to gain access to the condor account (or whatever non-privileged user the Condor daemons are running as). This bug cannot be exploited remotely, only by users already logged onto a submit machine in the Condor pool.

The security of the condor_config_val -set feature was found to be insufficient, so this feature is now disabled by default. There are new configuration settings to enable this feature in a secure manner. Please read the descriptions of ENABLE_RUNTIME_CONFIG, ENABLE_PERSISTENT_CONFIG and PERSISTENT_CONFIG_DIR in the example configuration file shipped with the latest Condor releases, or in section 3.3.4.

As of 4 April 2005, VDT 1.3.10b and the prerelease VDT 1.3.11 contain Condor 6.7.18.

Solution

Upgrade to Condor 6.7.18 or later. If you want to get Condor from the VDT, releases 1.3.10b and 1.3.11 contain Condor 6.7.18.
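
A version check that follows from the fix levels above, as an added example that is not part of the original advisory or of Condor itself: it parses the `$CondorVersion:` line printed by `condor_version` and compares it numerically against 6.6.11 and 6.7.18. The sample outputs and host names are constructed, and treating series older than 6.6 as affected and series newer than 6.7 as fixed is an assumption drawn from the advisory's wording.

```python
import re

# Fixed releases named in the advisory, keyed by release series (major, minor).
FIXED = {(6, 6): (6, 6, 11), (6, 7): (6, 7, 18)}

VERSION_RE = re.compile(r"\$CondorVersion:\s*(\d+)\.(\d+)\.(\d+)\b")


def parse_condor_version(text):
    """Return (major, minor, patch) from condor_version output, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one condor_version output."""
    version = parse_condor_version(text)
    if version is None:
        return "unknown"
    series = version[:2]
    if series in FIXED:
        # Tuple comparison is numeric, so 6.6.9 sorts before 6.6.11.
        return "fixed" if version >= FIXED[series] else "affected"
    # Assumption: series older than 6.6 never got the fix, later series include it.
    return "affected" if series < (6, 6) else "fixed"


def hosts_needing_attention(outputs):
    """Map of host -> condor_version output; return hosts not confirmed fixed."""
    return sorted(h for h, out in outputs.items() if classify(out) != "fixed")


# Constructed sample outputs (host names and build dates are made up).
SAMPLE = {
    "submit01": "$CondorVersion: 6.7.17 Feb 10 2006 $\n$CondorPlatform: I386-LINUX_RH9 $",
    "submit02": "$CondorVersion: 6.7.18 Mar 22 2006 $\n$CondorPlatform: I386-LINUX_RH9 $",
    "submit03": "$CondorVersion: 6.6.9 May 01 2005 $\n$CondorPlatform: I386-LINUX_RH9 $",
    "submit04": "condor_version: command not found",
}

if __name__ == "__main__":
    for host in hosts_needing_attention(SAMPLE):
        print(host, classify(SAMPLE[host]))
```

Hosts whose output cannot be parsed are reported alongside affected ones so that they get a manual check rather than being assumed safe.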

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.