CVE-2026-45776
Status: Analyzed - Analysis Complete
Authorization Bypass in OpenXDMoD via Session Variable

Publication date: 2026-06-05

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-06
EPSS Evaluated: 2026-06-25
Affected Vendors & Products (1 associated CPE)
Vendor: buffalo
Product: open_xdmod
Version / Range: up to 11.0.3 (excluding 11.0.3)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability exists in Open XDMoD prior to version 11.0.3 and involves a flaw in the access control logic. An attacker can submit a specially crafted HTTPS POST request that sets a session variable used for authorization decisions.

If the optional Job Performance (SUPReMM) module is installed, this flaw allows the attacker to bypass intended data access restrictions and view other users' compute job efficiency metrics.

Impact Analysis

The primary impact of this vulnerability is on confidentiality. An attacker with network access and low privileges can exploit this flaw to gain unauthorized access to sensitive data, specifically other users' compute job efficiency metrics.

This could lead to exposure of sensitive performance data that was intended to be restricted, potentially compromising privacy and competitive information within HPC environments.

Detection Guidance

This vulnerability involves an attacker submitting a crafted HTTPS POST request that sets a session variable used for authorization decisions in Open XDMoD installations with the optional Job Performance (SUPReMM) module.

To detect exploitation attempts on your network or system, monitor HTTPS POST requests to the Open XDMoD server for requests that attempt to set or alter the session variables used in authorization decisions.

Specific detection commands are not provided in the available resources. General approaches include inspecting web server logs for suspicious POST requests, using network monitoring tools such as Wireshark or tcpdump to examine HTTPS traffic (only where it is decrypted, since TLS otherwise hides the request body), or employing a web application firewall (WAF) to flag anomalous POST requests.

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to upgrade Open XDMoD to version 11.0.3 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, a manual patch can be applied as a temporary workaround. This patch removes certain PHP files and restricts operations to users with the STATUS_MANAGER_ROLE privilege, thereby enforcing stricter role-based access control.

Additionally, monitoring and restricting access to the affected modules and ensuring that only authorized users have access can help reduce risk until the patch or upgrade is applied.

Compliance Impact

This vulnerability allows an attacker to bypass intended data access restrictions and view other users' compute job efficiency metrics, impacting the confidentiality of sensitive data.

Unauthorized access to sensitive user data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Therefore, if exploited, this vulnerability could result in violations of these standards by exposing protected data to unauthorized parties.
