Skip to navigation

Security Advisory Moderate: Red Hat Enterprise MRG Grid 2.4 security update

Advisory: RHSA-2013:1295-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-10-01
Last updated on: 2013-10-01
Affected Products: Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)
CVEs (cve.mitre.org): CVE-2013-4284

Details

Updated Grid component packages that fix one security issue, multiple bugs,
and add various enhancements are now available for Red Hat Enterprise MRG
2.4 for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Red Hat Enterprise MRG (Messaging, Realtime, and Grid) is a next-generation
IT infrastructure for enterprise computing. MRG offers increased
performance, reliability, interoperability, and faster computing for
enterprise customers.

MRG Grid provides high-throughput computing and enables enterprises to
achieve higher peak computing capacity as well as improved infrastructure
utilization by leveraging their existing technology to build high
performance grids. MRG Grid provides a job-queueing mechanism, scheduling
policy, and a priority scheme, as well as resource monitoring and resource
management. Users submit their jobs to MRG Grid, where they are placed into
a queue. MRG Grid then chooses when and where to run the jobs based upon a
policy, carefully monitors their progress, and ultimately informs the user
upon completion.

A denial of service flaw was found in the way cumin, a web management
console for MRG, processed certain Ajax update queries. A remote attacker
could use this flaw to issue a specially crafted HTTP request, causing
excessive use of CPU time and memory on the system. (CVE-2013-4284)

The CVE-2013-4284 issue was discovered by Tomas Novacik of Red Hat.

These updated packages for Red Hat Enterprise Linux 5 provide numerous
enhancements and bug fixes for the Grid component of MRG. Some of the most
important enhancements include:

* Improved resource utilization with scheduler driven slot partitioning
* Enhanced integration with existing user & group management
technology, specifically allowing group and netgroup specifications in
HTCondor security policies
* Addition of global job priorities, allowing for priority to span
scaled-out queues
* Reduced memory utilization per running job

Space precludes documenting all of these changes in this advisory. Refer to
the Red Hat Enterprise MRG 2 Technical Notes document, available shortly
from the link in the References section, for information on these changes.

All users of the Grid capabilities of Red Hat Enterprise MRG are advised to
upgrade to these updated packages, which correct this issue, and fix the
bugs and add the enhancements noted in the Red Hat Enterprise MRG 2
Technical Notes.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 5)

SRPMS:
condor-7.8.9-0.5.el5_9.src.rpm     MD5: 519c429f3a7bd33306adea90540e94ee
SHA-256: 84c23ca18a838f64867e1cd5d1183aff04c0d97da5c351ba4ac2d4d6fa85335e
cumin-0.1.5786-2.el5_9.src.rpm
File outdated by:  RHSA-2013:1851
    MD5: 00ddaae50042e4a98c58d358bda3f13f
SHA-256: f2291ceb845092d2728ef31832be15d659a94947f985cdc562e5496b99f37bb9
mrg-release-2.4.0-1.el5_9.src.rpm
File outdated by:  RHSA-2014:0261
    MD5: d5f56450e73d6cc80f13f7d946256d74
SHA-256: 3dd11a07c8868efd6014679ef286289761af3acefbee73eaa289547a56a4e1ab
 
IA-32:
condor-7.8.9-0.5.el5_9.i386.rpm     MD5: 1170f9a1d09da6c6c10dcbb2ea810c53
SHA-256: 9b3a6526034b1e41887d8c8e9edff344e09f483d314b036e6a66ea1117fe5253
condor-aviary-7.8.9-0.5.el5_9.i386.rpm     MD5: f04c05f44e94b315a2225ea8b392c690
SHA-256: 84c4921a0c6de26d91d69be9f923adacee4bf68deabf012f8e24d85f0751ac25
condor-classads-7.8.9-0.5.el5_9.i386.rpm     MD5: 32c1d6e31adc3bbff5240f5fd08bc32e
SHA-256: 85ff97211449e0a82335be5dc4f18a5c4eaf0718d26966b90bfc9fb0378697d1
condor-kbdd-7.8.9-0.5.el5_9.i386.rpm     MD5: 1d2fee283a09a69baea758181ac54834
SHA-256: 40b695707ea9f6f6bc0213a255174780abd99c0379ed32c54517e8bb7ac02b15
condor-qmf-7.8.9-0.5.el5_9.i386.rpm     MD5: 7081cdf4e050c8e72cbe2568290ca3e3
SHA-256: 62bb7d2bee827ab2933ea85174bdfc599c4efd4835bc6f58810e605a4bb0bddb
condor-vm-gahp-7.8.9-0.5.el5_9.i386.rpm     MD5: ae7c91290825db76e864cec90c282b19
SHA-256: aa5c1ab5c00e3502ef2a8ff57e674502bcdd77a1a095c80ad3ed712c25fd6ddd
cumin-0.1.5786-2.el5_9.noarch.rpm
File outdated by:  RHSA-2013:1851
    MD5: b3fb59d2ae1c53236931b724e4284f99
SHA-256: 6bfbf559e93b5b65e0cebb89691eec2c734b6d6bd78e0aaabe4fb46620f11f7d
mrg-release-2.4.0-1.el5_9.noarch.rpm
File outdated by:  RHSA-2014:0261
    MD5: 51d00dd1b4255d3762ccd8b58c9b44c3
SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639
 
x86_64:
condor-7.8.9-0.5.el5_9.x86_64.rpm     MD5: 2d0628aea9862828616c8e786d0b1c5b
SHA-256: 9057a4b2229cfc3f1331e64c622221725172e74238268cdd3f87cc273a20ee96
condor-aviary-7.8.9-0.5.el5_9.x86_64.rpm     MD5: 71f273af8e01cd0730bcbf92fa9af46d
SHA-256: 796004803f6a2dc7d2e85edfdfb5014820de8fe09cdd4143ffe3cf03ed908188
condor-classads-7.8.9-0.5.el5_9.x86_64.rpm     MD5: 057bda965db329bc21e1476787b07ae9
SHA-256: e488db81d1eb18cb35bdffdca0f57ff67d010ea5699d5bc94119c590c54fe2d1
condor-kbdd-7.8.9-0.5.el5_9.x86_64.rpm     MD5: d6e2de5dfa0b454713102b66de63a5cf
SHA-256: 130c361f80ab4ce6e9379307d2cb94ac260f0af3b5960b0f40bcf35143c52187
condor-qmf-7.8.9-0.5.el5_9.x86_64.rpm     MD5: 9d9a6d6f447b93a14723ee59bfdb3605
SHA-256: 55982b6d9a1e394d3db1cf713c347a6c5305e87284114f0b7eb6102228216afb
condor-vm-gahp-7.8.9-0.5.el5_9.x86_64.rpm     MD5: 2f429262405ad18d09b82d262de5f73f
SHA-256: b387745eb1b6496a2f38430afc739d07b7cdf38a58b7aabadc37076f8159238c
cumin-0.1.5786-2.el5_9.noarch.rpm
File outdated by:  RHSA-2013:1851
    MD5: b3fb59d2ae1c53236931b724e4284f99
SHA-256: 6bfbf559e93b5b65e0cebb89691eec2c734b6d6bd78e0aaabe4fb46620f11f7d
mrg-release-2.4.0-1.el5_9.noarch.rpm
File outdated by:  RHSA-2014:0261
    MD5: 51d00dd1b4255d3762ccd8b58c9b44c3
SHA-256: bdb470d4b96adfec84a5c58aa420cd4b71b011b5a54d850e509663f7cb292639
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

986214 - CVE-2013-4284 cumin: Denial of service due to improper handling of certain Ajax requests
990231 - Grid 2.4 RHEL5


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/