[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] OpenSSL vulnerability and HTCondor

A clarification to the below:

When I said specifically "update to 1.0.1g," I should have said, "update to a
patched version."  In some instances, the fix for the vulnerability was back-
ported to earlier versions.


On Thu, Apr 10, 2014 at 01:22:01PM -0500, Zachary Miller wrote:
> As you're probably aware, OpenSSL disclosed a serious security vulnerability
> earlier this week, commonly known as "Heartbleed".  See here for the official
> announcement and specific versions affected:
>   http://www.openssl.org/news/secadv_20140407.txt
> HTCondor does make use of the OpenSSL library, and in some circumstances could
> be susceptible to attack.  Here are the situations in which you are and are not
> vulnerable:
> 1) If you are not using SSL or GSI authentication methods, or submitting grid
> universe jobs, you are not vulnerable.
> 2) Windows binaries are not vulnerable.
> 3) If you have a vulnerable versionOpenSSL installed in your system libraries,
> HTCondor is using those libraries and you should update them immediately to
> version 1.0.1g.
> 4) If you do not have OpenSSL installed on your system, and downloaded HTCondor
> as a tarball and also configured the SSL or GSI authentication methods, or you
> are submitting Grid universe jobs, HTCondor is using the libraries included in
> the tarball, and you should update the libssl in the place where you untarred
> HTCondor.
> After updating your libraries, you will need to restart the HTCondor daemons.
> More specifics:
> If your version of OpenSSL is vulnerable, and you are using the SSL or GSI
> authentication methods, you are vulnerable to attack during authentication.
> If your version of OpenSSL is vulnerable, and you are using HTCondor's grid
> universe to submit jobs to Globus GRAM services, you are vulnerable to attack
> via two ports created by the gahp_server process to receive incoming
> connections. The ports used by the gahp_server are not published anywhere, but
> their existence could be guessed by an attacker (e.g. by port scanning). An
> attacker could obtain the private key of the user's X.509 credential and the
> contents of job-related files. The Globus Project website has more information
> (https://support.globus.org/entries/50667608).
> Please send any questions or concens to htcondor-admin@xxxxxxxxxxxx
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
> You can also unsubscribe by visiting
> https://lists.cs.wisc.edu/mailman/listinfo/htcondor-users
> The archives can be found at:
> https://lists.cs.wisc.edu/archive/htcondor-users/