Bug 1508887 (CVE-2017-16816)

Summary: CVE-2017-16816 condor: DoS of condor_schedd via specially crafted VOMS proxy
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbockelm, bcotton, bhu, eerlands, grid-maint-list, iboverma, jross, matt, matt, mcressma, security-response-team, steve.traylen, tim, tstclair, valtri, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: condor 8.6.8, condor 8.7.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:30:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1598627, 1598628    
Bug Blocks: 1508891    

Description Adam Mariš 2017-11-02 12:58:36 UTC 
Potential Denial Of Service was discovered wherein an attacker could use a specially-crafted VOMS proxy to crash the condor_schedd.

* If your site is not using GSI authentication, you are not affected. This includes using GSI for authentication with condor, but also allowing users to submit jobs that have the x509UserProxy attribute set.

* If you have disabled VOMS in your condor_config file, you are not affected. VOMS support in HTCondor is *ENABLED* by default.
Comment 1 Adam Mariš 2017-11-02 12:58:42 UTC 
Acknowledgments:

Name: the HTCondor project
Comment 2 Doran Moppert 2017-11-09 06:43:42 UTC 
Statement:

Condor in Red Hat Enterprise MRG is built with both GSI and VOMS disabled and therefore is not affected by this issue.
Comment 3 Sam Fowler 2018-07-06 03:21:56 UTC 
External Reference:

http://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2017-0001.html
Comment 4 Sam Fowler 2018-07-06 03:22:16 UTC 
Upstream Patch:

https://github.com/htcondor/htcondor/commit/2f3c393feb819cf6c6d06fb0a2e9c4e171f3c26d
Comment 5 Sam Fowler 2018-07-06 03:24:47 UTC 
Created condor tracking bugs for this issue:

Affects: epel-all [bug 1598628]
Affects: fedora-all [bug 1598627]