Bill Nitzberg

SECURITY BULLETIN PBS10-02


DESCRIPTION:

Altair Engineering is releasing this advisory to customers running the PBS Web Front-end Portal for PBS Catalyst and/or PBS Analytics to alert them to a security vulnerability. The Red Hat JBOSS application server shipped with the PBS Portal contains a security vulnerability related to the default admin applications. A remote attacker who successfully exploits this vulnerability could gain administrator access to the system running the JBOSS server.

SEVERITY RATING: Critical

RECOMMENDATION:

We recommend disabling the default admin applications shipped with JBOSS. This will not affect PBS Portal operation, as the PBS Portal does not use these applications. To disable the default admin applications:

1. Stop the PBS Portal
2. Locate the PBS Portal installation directory
3. Delete the vulnerable applications and temporary directories from the installation directory
4. Restart the PBS Portal

On Linux (as root):

1. Stop the PBS Portal

   # /etc/init.d/pbsportal stop

2. Locate the PBS Portal installation directory

   The <INSTALL_DIR>, the directory where the PBS Portal is installed, can be found by looking in the startup script "/etc/init.d/pbsportal". The default installation directory in version 10.4.2 is "/opt/gridworks/10.4.2/portal".

3. Delete the vulnerable applications and temporary directories from the installation directory

   # cd <INSTALL_DIR>/thirdparty/jboss-4.2.1.GA/server/default
   # rm -rf data tmp work
   # rm -rf deploy/jmx-console.war
   # rm -rf deploy/jboss-web.deployer/ROOT.war
   # rm -rf deploy/management/console-mgr.sar/web-console.war

4. Restart the PBS Portal

   # /etc/init.d/pbsportal start

On Windows (as Administrator):

1. Stop the PBS Portal

   Start->Run->services.msc, then stop the service "PBS Portal"

2. Locate the PBS Portal installation directory

   The directory where the PBS Portal is installed can be found by looking at the PBS Portal service. First, Start->Run->services.msc, then right-click the "PBS Portal" service, and choose Properties -- the installation directory is the first part of the path to the executable on the "General" tab. The default in version 10.4.2 is

   C:\Program Files\Gridworks\10.4.2\portal

   or, on 64-bit systems

   C:\Program Files (x86)\Gridworks\10.4.2\portal

3. Delete the following vulnerable applications and temporary directories from the installation directory

   thirdparty\jboss-4.2.1.GA\server\default\data
   thirdparty\jboss-4.2.1.GA\server\default\tmp
   thirdparty\jboss-4.2.1.GA\server\default\work
   thirdparty\jboss-4.2.1.GA\server\default\deploy\jmx-console.war
   thirdparty\jboss-4.2.1.GA\server\default\deploy\jboss-web.deployer\ROOT.war
   thirdparty\jboss-4.2.1.GA\server\default\deploy\management\console-mgr.sar\web-console.war

4. Restart the PBS Portal

   Start->Run->services.msc, then start the service "PBS Portal"

Note: if you need access to the JMX console for some other reason, Red Hat provides official instructions to secure it at https://access.redhat.com/kb/docs/DOC-30741.

AFFECTED SOFTWARE:

PBS Portal versions 10.0.0 through 10.4.2, which includes PBS Catalyst Web and PBS Workload Analytics (web). Note: PBS Catalyst desktop is not affected, nor is the PBS Professional Application Service.

SCHEDULE OF AVAILABILITY OF UPDATE:

PBS Portal version 10.4.3 is available now. This updated version includes a fix for this issue as well as additional changes to increase the security profile of the software. (Further, our version 11 software will no longer use JBOSS at all.)

SECURITY UPDATE:

The updates and packages are being made available to all customers running PBS Portal software. For customers with current maintenance and support contracts, the updates are available from the user login area of the PBS Works website. For customers who do not have access to this area, please see below for instructions on getting the required update. Please refer to the release notes and installation instructions included in each package.

INSTRUCTIONS TO OBTAIN UPDATE:

For customers with active support, please go to:

https://secure.altair.com/UserArea

and log in with your site ID and password to obtain the desired packages.

For customers without active support, please send an email to your regional support team or to:

pbssupport@altair.com

Please include the version of the PBS Portal you are running, the operating system you are using, and the hardware/platform you are running on. This will help us expedite your request.

Please contact your regional support team, or email pbssupport@altair.com, if you need additional information.
