Mailing List Archives
Public Access
|
|
![[Computer Systems Lab]](https://www-auth.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[HTCondor-users] OpenSSL vulnerability and HTCondor
- Date: Thu, 10 Apr 2014 13:22:01 -0500
- From: Zachary Miller <zmiller@xxxxxxxxxxx>
- Subject: [HTCondor-users] OpenSSL vulnerability and HTCondor
As you're probably aware, OpenSSL disclosed a serious security vulnerability
earlier this week, commonly known as "Heartbleed". See here for the official
announcement and specific versions affected:
http://www.openssl.org/news/secadv_20140407.txt
HTCondor does make use of the OpenSSL library, and in some circumstances could
be susceptible to attack. Here are the situations in which you are and are not
vulnerable:
1) If you are not using SSL or GSI authentication methods, or submitting grid
universe jobs, you are not vulnerable.
2) Windows binaries are not vulnerable.
3) If you have a vulnerable versionOpenSSL installed in your system libraries,
HTCondor is using those libraries and you should update them immediately to
version 1.0.1g.
4) If you do not have OpenSSL installed on your system, and downloaded HTCondor
as a tarball and also configured the SSL or GSI authentication methods, or you
are submitting Grid universe jobs, HTCondor is using the libraries included in
the tarball, and you should update the libssl in the place where you untarred
HTCondor.
After updating your libraries, you will need to restart the HTCondor daemons.
More specifics:
If your version of OpenSSL is vulnerable, and you are using the SSL or GSI
authentication methods, you are vulnerable to attack during authentication.
If your version of OpenSSL is vulnerable, and you are using HTCondor's grid
universe to submit jobs to Globus GRAM services, you are vulnerable to attack
via two ports created by the gahp_server process to receive incoming
connections. The ports used by the gahp_server are not published anywhere, but
their existence could be guessed by an attacker (e.g. by port scanning). An
attacker could obtain the private key of the user's X.509 credential and the
contents of job-related files. The Globus Project website has more information
(https://support.globus.org/entries/50667608).
Please send any questions or concens to htcondor-admin@xxxxxxxxxxxx