BugZero found this defect 33 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
4/18/2024
HPE Cray Supercomputing EX
HPE Cray supercomputers
No affected releases provided.
No fixed releases provided.
In palsd, multiple RPC handlers were missing a check that the RPC caller is authorized to interact with the application. This means that, given an apid and the head compute node, any user can:
- Hijack stdout/stderr of applications
- Launch commands as the application's user
- Transfer files to the user's application spool directory
- Send signals to the application
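As an added illustration (not PALS source code), the following models the defect class described above: an RPC handler that acts on whatever apid the caller names, beside the same handler placed behind an ownership check of the kind the advisory says was missing. Application, RpcContext, the owner-or-root rule and the handler names are assumptions modelled on the list of affected operations.

```python
"""Model of the palsd defect: RPC handlers acting on an application (named by its
apid) must verify the caller may touch it. Illustrative code, not PALS source;
Application, RpcContext, the owner-or-root rule and handler names are assumed."""
from dataclasses import dataclass, field
import functools

@dataclass
class Application:
    apid: int
    owner_uid: int
    head_node: str
    signals: list = field(default_factory=list)  # constructed state for the demo

# Constructed application table standing in for palsd's per-apid state.
APPS = {4242: Application(apid=4242, owner_uid=1001, head_node="nid000123")}

@dataclass
class RpcContext:
    caller_uid: int  # peer credential the daemon obtains for the RPC caller
    apid: int        # application the caller names in the request

def require_app_owner(handler):
    """The previously missing check: caller must own the app (root exempt, assumed)."""
    @functools.wraps(handler)
    def wrapper(ctx: RpcContext, *args):
        app = APPS.get(ctx.apid)
        if app is None:
            raise KeyError(f"unknown apid {ctx.apid}")
        if ctx.caller_uid not in (0, app.owner_uid):
            raise PermissionError(
                f"uid {ctx.caller_uid} may not act on apid {ctx.apid}")
        return handler(app, *args)
    return wrapper

# Pre-fix shape: only the apid is validated, so any local user can signal the job.
def signal_app_unchecked(ctx: RpcContext, signum: int) -> str:
    app = APPS[ctx.apid]
    app.signals.append(signum)
    return f"sent {signum} to apid {app.apid} on {app.head_node}"

# Post-fix shape: every application-scoped RPC runs through the check first.
@require_app_owner
def signal_app(app: Application, signum: int) -> str:
    app.signals.append(signum)
    return f"sent {signum} to apid {app.apid} on {app.head_node}"

@require_app_owner
def attach_stdio(app: Application) -> str:
    return f"attached stdout/stderr of apid {app.apid} for uid {app.owner_uid}"
```

The same decorator covers the launch and file-transfer handlers the advisory lists; the point is that authorization is decided once, from the caller's credential, rather than left to each handler.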
Systems using PALS versions 1.0.0-1.2.13, 1.3.0-1.3.2 are vulnerable.
To resolve the issue, upgrade PALS to version 1.2.14, 1.3.3, or newer. The USS 1.0.1 patch (release date TBD) includes PALS 1.3.4, which contains the fix. The fix adds the previously missing authorization checks.

Revision History
Document Version | Release Date | Details
2 | 04/17/2024 | Changed Resolution information removing reference to PBS Pro
1 | 04/05/2024 | Original release date