Security Vulnerabilities in PBS Pro
PBS Professional security updates are primarily made available as minor version patches. We recommend running the latest minor version available, since it will also contain other, non-security fixes. All known critical and high-severity security issues are fixed in the next major release.
List of Security Vulnerabilities
Each vulnerability entry lists the major releases that are affected and the versions in which it was resolved. If the vulnerability was exploitable without a valid login, this is also stated. We also classify each vulnerability by severity, but we urge all users to read the description to determine whether the bug affects their particular installation. The following table lists all known security issues and their status. Please note that this table starts at PBS Professional version 14.
(If the above table is empty, no vulnerabilities have been reported.)
Reporting a Security Vulnerability
To report a new security vulnerability, please file a ticket at http://pbspro.atlassian.net/.
Responding to a Security Vulnerability
- The community is notified of the vulnerability by a ticket being filed
- Once the severity has been determined, the community will:
  - Create a sub-page of this page containing a description of the vulnerability
  - Communicate on the description page
  - Post findings on the pbspro.org forum
  - Send a notice to CERT (CVE bulletin) if the vulnerability's severity is deemed critical
  - Release patches for the current and previous version, where applicable
Describing a Security Vulnerability
When describing a security vulnerability, please include the following information:
- Description of the Vulnerability
- Severity Rating
- Recommendation
- Affected Software
- Schedule of Availability of Update
- Security Update
- Instructions to Obtain Update
For example:
DESCRIPTION: This advisory to users running PBS Professional is to alert them to a security vulnerability. This is a privilege escalation vulnerability that potentially affects all users. An attacker who successfully exploits this vulnerability could gain administrator privilege (root access) on PBS server (aka headnode) hosts. The attacker would need to be an authenticated user authorized to submit jobs on the cluster.
SEVERITY RATING: Critical
RECOMMENDATION: We recommend that all users running their PBS Professional server on a Linux and/or Unix based OS apply this update in a timely fashion.
AFFECTED SOFTWARE: All currently released Linux and Unix versions of PBS Professional
SCHEDULE OF AVAILABILITY OF UPDATE: PBS Professional patch is applicable to all affected releases 10.x and newer (attached to this bulletin); PBS Professional 12.2.0 (available Dec 2013). NOTE: We advise users running any 10.x or prior release to upgrade to at least v10.4.7.
SECURITY UPDATE: The updates and packages are being made available to all users running PBS Professional software. Please refer to the release notes and installation instructions included in each package.
INSTRUCTIONS TO OBTAIN UPDATE: Updates are available through the normal PBS Professional release mechanisms.