Release date:
Updated on:
Affected Systems:
Cluster Resources Torque 3.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 49119
CVE (CAN) ID: CVE-2011-2907
TORQUE Resource Manager provides control over batch processing jobs and distributed computing resources.
Torque is affected by a security restriction bypass vulnerability. Remote attackers can exploit it to bypass certain security restrictions and perform unauthorized operations on OAM users.
During the authorization process, the Torque server depends on data provided by the "qsub" client. Qsub supplies the submit host name to the server, and the server can use that client-supplied value when authenticating requests.
<* Source: Bartlomiej
Link: https://bugzilla.redhat.com/show_bug.cgi?id=713090
http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html
*>
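The trust decision described above, as an added example (a constructed model, not Torque source and not the vendor's fix): the first function authorizes on the client-supplied submit host name alone, the second identifies the host from the connection's peer address and requires the claimed name to agree. The structs, function names, host names and addresses are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not Torque source: all names here are hypothetical. */
struct submit_req {
    const char *claimed_host;  /* submit host name sent by the client */
    const char *user;          /* user the job would run as */
};
struct host_entry { const char *name; const char *addr; };

/* Constructed ACL of trusted submit hosts (documentation address range). */
static const struct host_entry trusted_hosts[] = {
    { "login1.example", "192.0.2.10" },
    { "login2.example", "192.0.2.11" },
};
#define N_TRUSTED (sizeof trusted_hosts / sizeof trusted_hosts[0])

/* Weak form: the decision rests only on what the client says about itself. */
int authorize_weak(const struct submit_req *req, const char *peer_addr)
{
    (void)peer_addr;  /* the connection's source is never consulted */
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(req->claimed_host, trusted_hosts[i].name) == 0)
            return 1;
    return 0;
}

/* Checked form: identify the host from the peer address of the connection
 * (textual form of what accept()/getpeername() reports), then require the
 * claimed name to agree with it. */
int authorize_checked(const struct submit_req *req, const char *peer_addr)
{
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(peer_addr, trusted_hosts[i].addr) == 0)
            return strcmp(req->claimed_host, trusted_hosts[i].name) == 0;
    return 0;  /* peer is not a trusted submit host, whatever it claims */
}

int main(void)
{
    /* Constructed request: trusted name claimed from an unlisted address. */
    struct submit_req req = { "login1.example", "alice" };
    printf("weak=%d checked=%d\n",
           authorize_weak(&req, "198.51.100.7"),
           authorize_checked(&req, "198.51.100.7"));
    return 0;
}
```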
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Cluster Resources
-----------------
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.clusterresources.com/pages/products/torque-resource-manager.php