HTCondor
Overview
Download
Documentation
Release Notes⬏

HTCondor-CE
Overview
Download
Documentation
Release Notes⬏

General
Documentation
Download
Security
License

Documentation
HTCondor
HTCondor-CE

Email Lists
Users⬏
World⬏
Developers⬏

Support
Support Email⬏
Internal Contract Support
Outside Support

HTCondor Week
Most Recent
Content Archives

CHTC
Staff ⬏
Jobs ⬏

HTCONDOR-2021-0004
CVE-2021-45102

Summary:

When authenticating to an HTCondor daemon using a SciToken, a user may be granted authorizations beyond what the token should allow.

Component	Vulnerable Versions	Platform	Availability	Fix Available
All daemons	9.0.0 and above	All	Not known to be publicly exploited	9.0.3, 9.1.1
Status	Access Required	Host Type Required	Effort Required	Impact/Consequences
Verified	Possession of a certain type of SciToken	Any	Low	Medium
Fixed Date	Credit
2021-07-27	Jeny Teheran

Access Required:

Possession of a certain type of SciToken

An attacker needs to have a SciToken with certain attributes that HTCondor will interpret as having more capabilities than it should.

Effort Required:

Low

These types of tokens required to exploit this vulnerability can be obtained using standard methods and do not require custom tools or modifications to the token.

Impact/Consequences:

High

Exploiting this vulnerability could allow a user to perform actions that they should not be allowed to do, such as submitting a job.

Workaround:

You can work around this issue by not allowing SciTokens as an authentication method. This means overriding the list of authentication methods (which includes SciTokens by default) by setting SEC_DEFAULT_AUTHENTICATION_METHODS to all the methods you would actually like to use. To simply remove SciTokens, set it to "FS,TOKEN,KERBEROS,GSI,SSL".

Full Details:

Embargoed until future notice.

HTCONDOR-2021-0004 CVE-2021-45102

HTCONDOR-2021-0004
CVE-2021-45102