[torqueusers] [torquedev] TORQUE authorization security vulnerability

David Singleton David.Singleton at anu.edu.au
Tue Aug 9 15:05:17 MDT 2011


On 08/10/2011 06:40 AM, "Mgr. Šimon Tóth" wrote:
>> I do not know how widespread this is but there is a security vulnerability in the TORQUE authorization between client and server when using the default authorization method. Using MUNGE closes this hole but we would like to add an additional, more universal secure authorization method.
>
> There was a high-risk security advisory from EGI-CSIRT, so it should be
> pretty widespread. Our security guys were pretty shocked when I
> explained that any root on any machine (ignoring the ACL which we are
> using of course) has full access to the server. :-D

Hmmm, I guess the details are being kept undisclosed?  How does a site
find out if it is an issue for them?

David


