  • Announcements

    • admin

      PBS Forum Has Closed   06/12/17

      The PBS Works Support Forum is no longer active.  For PBS community-oriented questions and support, please join the discussion at http://community.pbspro.org.  Any new security advisories related to commercially-licensed products will be posted in the PBS User Area (https://secure.altair.com/UserArea/). 

Bill Nitzberg

  1. SECURITY BULLETIN PBS11-01

    DESCRIPTION: Altair Engineering is releasing this advisory to customers running PBS Professional to alert them to a security vulnerability. This vulnerability affects customers whose network policies allow arbitrary systems to directly connect to the PBS Server. An attacker who successfully exploits this vulnerability could gain administrator privilege (root access) on PBS execution hosts. To the best of our knowledge, this vulnerability is not publicly known.

    SEVERITY RATING: Critical

    RECOMMENDATION: Altair recommends that customers who allow arbitrary systems to have direct network access to the PBS Server system, apply this update in a timely fashion. Alternatively, using firewall software to lock down network access, allowing only authorized hosts to connect to the PBS Server system, will also prevent an attacker from exploiting this vulnerability.

    AFFECTED SOFTWARE: All versions of PBS Professional except patched versions listed below.

    SCHEDULE OF AVAILABILITY OF UPDATE:

        PBS Professional 11.0    Available now as 11.0.2
        PBS Professional 10.4    Available now as 10.4.5
        PBS Professional 10.2    Available now as 10.2.1
        PBS Professional 10.1    Available now as 10.1.7
        PBS Professional 10.0    Available now as 10.0.9

    NOTE: Altair advises customers running any 10.x release who believe they may be vulnerable to this attack to upgrade to at least v10.4.5.

    SECURITY UPDATE: The updates and packages are being made available to all customers running PBS Professional software. For customers with current maintenance and support contracts, the updates are available from the user login area of the PBS Professional website. For customers who do not have access to this area, please see below for instructions on getting the required update. Please refer to the release notes and installation instructions included in each package.

    INSTRUCTIONS TO OBTAIN UPDATE: For customers with active support, please go to: http://www.pbspro.com/UserArea/ log in with your site ID and password to obtain the desired packages. For customers without active support, please send an email to: pbssupport@altair.com Please include the version of PBS Professional you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request. Please contact pbssupport@altair.com if you need additional information.
  2. SECURITY BULLETIN PBS10-02

    DESCRIPTION: Altair Engineering is releasing this advisory to customers running the PBS Web Front-end Portal for PBS Catalyst and/or PBS Analytics to alert them to a security vulnerability. The Red Hat JBOSS application server shipped with the PBS Portal contains a security vulnerability related to the default admin applications. A remote attacker who successfully exploits this vulnerability could gain administrator access to the system running the JBOSS server.

    SEVERITY RATING: Critical

    RECOMMENDATION: We recommend disabling the default admin applications shipped with JBOSS. This will not affect PBS Portal operation, as the PBS Portal does not use these applications.

    To disable the default admin applications:

        1. Stop the PBS Portal
        2. Locate the PBS Portal installation directory
        3. Delete the vulnerable applications and temporary directories from the installation directory
        4. Restart the PBS Portal

    On Linux (as root):

        1. Stop the PBS Portal

            # /etc/init.d/pbsportal stop

        2. Locate the PBS Portal installation directory

           The <INSTALL_DIR>, the directory where the PBS Portal is installed, can be found by looking in the startup script "/etc/init.d/pbsportal". The default installation directory in version 10.4.2 is "/opt/gridworks/10.4.2/portal".

        3. Delete the vulnerable applications and temporary directories from the installation directory

            # cd <INSTALL_DIR>/thirdparty/jboss-4.2.1.GA/server/default
            # rm -rf data tmp work
            # rm -rf deploy/jmx-console.war
            # rm -rf deploy/jboss-web.deployer/ROOT.war
            # rm -rf deploy/management/console-mgr.sar/web-console.war

        4. Restart the PBS Portal

            # /etc/init.d/pbsportal start

    On Windows (as Administrator):

        1. Stop the PBS Portal

           Start->Run->services.msc, then stop the service "PBS Portal"

        2. Locate the PBS Portal installation directory

           The directory where the PBS Portal is installed can be found by looking at the PBS Portal service. First, Start->Run->services.msc, then right-click the "PBS Portal" service, and choose Properties -- the installation directory is the first part of the path to the executable on the "General" tab. The default in version 10.4.2 is

            C:\Program Files\Gridworks\10.4.2\portal

           or, on 64-bit systems

            C:\Program Files (x86)\Gridworks\10.4.2\portal

        3. Delete the following vulnerable applications and temporary directories from the installation directory

            thirdparty\jboss-4.2.1.GA\server\default\data
            thirdparty\jboss-4.2.1.GA\server\default\tmp
            thirdparty\jboss-4.2.1.GA\server\default\work
            thirdparty\jboss-4.2.1.GA\server\default\deploy\jmx-console.war
            thirdparty\jboss-4.2.1.GA\server\default\deploy\jboss-web.deployer\ROOT.war
            thirdparty\jboss-4.2.1.GA\server\default\deploy\management\console-mgr.sar\web-console.war

        4. Restart the PBS Portal

           Start->Run->services.msc, then start the service "PBS Portal"

    Note: if you need access to the JMX console for some other reason, Red Hat provides official instructions to secure it at https://access.redhat.com/kb/docs/DOC-30741.

    AFFECTED SOFTWARE: PBS Portal versions 10.0.0 through 10.4.2, which includes PBS Catalyst Web and PBS Workload Analytics (web). Note: PBS Catalyst desktop is not affected, nor is the PBS Professional Application Service.

    SCHEDULE OF AVAILABILITY OF UPDATE: PBS Portal version 10.4.3 is available now. This updated version includes a fix for this issue as well as additional changes to increase the security profile of the software. (Further, our version 11 software will no longer use JBOSS at all.)

    SECURITY UPDATE: The updates and packages are being made available to all customers running PBS Portal software. For customers with current maintenance and support contracts, the updates are available from the user login area of the PBS Works website. For customers who do not have access to this area, please see below for instructions on getting the required update. Please refer to the included release notes and installation instructions included in each package.

    INSTRUCTIONS TO OBTAIN UPDATE: For customers with active support, please go to: https://secure.altair.com/UserArea log in with your site ID and password to obtain the desired packages. For customers without active support, please send an email to your regional support team or to: pbssupport@altair.com Please include the version of the PBS Portal you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request. Please contact your regional support team, or email pbssupport@altair.com if you need additional information.
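
A check for the Linux procedure in bulletin PBS10-02, added here as an example and not part of Altair's bulletin or software: it reports which items from the bulletin's delete list still exist under an installation directory. The function name `pbsportal_audit` and its exit codes are hypothetical. It is meant to run between steps 3 and 4, while the PBS Portal is stopped, because an application server may recreate its working directories when it starts.

```shell
#!/bin/sh
# Added example (not Altair code): audit a PBS Portal installation for the
# JBoss items that bulletin PBS10-02 says to delete.
# Usage after sourcing this file: pbsportal_audit /opt/gridworks/10.4.2/portal

# JBoss server directory relative to <INSTALL_DIR>, as given in the bulletin.
JBOSS_DEFAULT="thirdparty/jboss-4.2.1.GA/server/default"

# Print one "PRESENT <path>" line for every item on the bulletin's delete
# list that still exists under the installation directory given as $1.
# Exit status (hypothetical convention):
#   0 = nothing from the list remains
#   1 = at least one item remains
#   2 = the JBoss directory was not found (wrong INSTALL_DIR?)
pbsportal_audit() {
    audit_dir=$1
    audit_base="$audit_dir/$JBOSS_DEFAULT"
    if [ ! -d "$audit_base" ]; then
        echo "not found: $audit_base" >&2
        return 2
    fi
    audit_remaining=0
    for audit_rel in \
        data tmp work \
        deploy/jmx-console.war \
        deploy/jboss-web.deployer/ROOT.war \
        deploy/management/console-mgr.sar/web-console.war
    do
        # -e matches files and directories (a .war may be either);
        # -L also catches a dangling symlink left in place of the item.
        if [ -e "$audit_base/$audit_rel" ] || [ -L "$audit_base/$audit_rel" ]; then
            echo "PRESENT $audit_rel"
            audit_remaining=1
        fi
    done
    return "$audit_remaining"
}
```

A non-zero status before the restart in step 4 means the deletion in step 3 is incomplete or was run against a different directory than the one the service uses.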
  3. Security Bulletin PBS10-01

    DESCRIPTION: Altair Engineering is releasing this advisory to customers running PBS Professional to alert them to a security vulnerability. This vulnerability only affects customers who supply user passwords on the command line via “qsub -Wpwd=<password>”. To the best of our knowledge, this vulnerability is not publicly known at this time. An attacker who successfully exploits this vulnerability could gain access to a PBS user’s password on the system or systems running PBS Professional, thus allowing the attacker to perform actions as that user.

    SEVERITY RATING: Major

    RECOMMENDATION: Although we do not view this vulnerability as Critical, we take security very seriously, and recommend that customers who find themselves vulnerable to this defect, that is, those using the “qsub -W pwd=<password>” command, apply this update in a timely fashion.

    AFFECTED SOFTWARE: PBS Professional Versions: Only 10.1.x versions of PBS Professional

    SCHEDULE OF AVAILABILITY OF UPDATE: The following summarizes the availability of updates for various versions of PBS Professional:

        PBS Professional 10.1    Available Now as v10.1.6
        PBS Professional 10.2    Available Now as v10.2

    SECURITY UPDATE: The following updates and packages are being made available to all customers running PBS Professional software. For customers with current maintenance and support contracts, the updates are available from the user login area of the PBS Professional website. For customers who do not have access to this area, please see below for instructions on getting the required update. Please refer to the included release notes and installation instructions included in each package.

    INSTRUCTIONS TO OBTAIN UPDATE: For customers with active support, please go to: http://www.pbspro.com/UserArea/ log in with your site ID and password to obtain the desired packages. For customers without active support, please send an email to: pbssupport@altair.com Please include the version of PBS Professional you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request. Please contact pbssupport@altair.com if you need additional information.