Operational Defect Database


Hewlett Packard Enterprise | a00138637en_us

Advisory: HPE Cray PALS Authentication Bypass

Last update date: 4/18/2024

Affected products:

HPE Cray Supercomputing EX

HPE Cray supercomputers

Affected releases: No affected releases provided.

Fixed releases: No fixed releases provided.

Description:

Info

In palsd, multiple RPC handlers were missing a check that the RPC caller is authorized to interact with the application. This means that, given an apid and the head compute node, any user can:

- hijack stdout/stderr of applications
- launch commands as the application's user
- transfer files to the user's application spool directory
- send signals to the application

Scope

Systems using PALS versions 1.0.0-1.2.13, 1.3.0-1.3.2 are vulnerable.

Resolution

To resolve the issue, upgrade PALS to version 1.2.14, 1.3.3, or newer. The USS 1.0.1 patch (release date TBD) includes PALS 1.3.4, which contains the fix. The fix adds the previously missing authorization checks.

Revision History

Document Version | Release Date | Details
2 | 04/17/2024 | Changed Resolution information, removing reference to PBS Pro
1 | 04/05/2024 | Original release date
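As an added helper (not part of the HPE advisory or of PALS), the following checks an installed PALS version string against the affected ranges stated above and names the fixed release of the same line to move to; it assumes the version is supplied as a plain "major.minor.patch" string obtained from the system's package inventory.

```python
# Added example, not HPE code: decide whether a PALS version is inside the
# affected ranges from the advisory (1.0.0-1.2.13 and 1.3.0-1.3.2) and, if so,
# which fixed release of that line (1.2.14 or 1.3.3) to upgrade to.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and the fixed release for each line, per the advisory.
AFFECTED_RANGES = [
    ((1, 0, 0), (1, 2, 13), "1.2.14"),
    ((1, 3, 0), (1, 3, 2), "1.3.3"),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into an int tuple.

    Numeric tuples are required so that 1.2.9 compares below 1.2.13; a naive
    string comparison would rank '1.2.9' above '1.2.13' and miss the affected host.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected PALS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def pals_fix_needed(installed: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `installed` is affected, else None."""
    version = parse_version(installed)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real system.
    for ver in ("1.2.9", "1.2.13", "1.2.14", "1.3.2", "1.3.4"):
        fix = pals_fix_needed(ver)
        status = f"upgrade to {fix}" if fix else "not in an affected range"
        print(f"PALS {ver}: {status}")
```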
