bullx cluster suite
PrKB15096: Security flaw with PBS version 10.x
Altair Engineering is releasing this advisory to customers running PBS Professional to alert
them to a security vulnerability. This vulnerability affects customers whose network policies
allow arbitrary systems to directly connect to the PBS Server. An attacker who successfully
exploits this vulnerability could gain administrator privilege (root access) on PBS execution
hosts. To the best of our knowledge, this vulnerability is not publicly known.
SEVERITY RATING:
Critical
RECOMMENDATION:
Altair recommends that customers who allow arbitrary systems to have direct network
access to the PBS Server system apply this update in a timely fashion. Alternatively,
using firewall software to lock down network access, so that only authorized hosts can
connect to the PBS Server system, will also prevent an attacker from exploiting this
vulnerability.
AFFECTED SOFTWARE:
All versions of PBS Professional except the patched versions listed below:
  PBS Professional 11.x:   available now as v11.0.2
  PBS Professional 10.x.x: available now as v10.4.5
NOTE: Altair advises customers running any 10.x release who believe they may be
vulnerable to this attack to upgrade to at least v10.4.5.
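The following script is an added example, not part of the Altair advisory: it classifies a host inventory against the patched versions listed above. The inventory format, host names and build suffixes are constructed, and treating releases later than v10.4.5 or v11.0.2 within the same major line as patched is an assumption, as is reporting majors above 11 as "not-covered".

```shell
#!/bin/sh
# Added example: triage PBS Professional versions against advisory PrKB15096.
# Patched releases named by the advisory: v10.4.5 (10.x) and v11.0.2 (11.x).

# pbs_advisory_status VERSION_STRING
# Prints one of: vulnerable | patched | not-covered | unparsed
pbs_advisory_status() {
    # Take the first dotted N.N or N.N.N run; trailing build numbers are ignored.
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1)
    [ -n "$ver" ] || { echo unparsed; return 0; }
    printf '%s\n' "$ver" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        n = maj * 1000000 + min * 1000 + pat      # comparable integer
        if (maj < 10)       print "vulnerable"     # no patched release listed
        else if (maj == 10) print (n < 10004005 ? "vulnerable" : "patched")
        else if (maj == 11) print (n < 11000002 ? "vulnerable" : "patched")
        else                print "not-covered"    # advisory does not name these
    }'
}

# triage_inventory: reads "<host> <version string>" lines on stdin and
# prints one status line per host.
triage_inventory() {
    while read -r host verstr; do
        [ -n "$host" ] || continue
        printf '%-8s %-24s %s\n' "$host" "$verstr" \
            "$(pbs_advisory_status "$verstr")"
    done
}

# Constructed sample inventory (hosts and build suffixes are illustrative).
triage_inventory <<'EOF'
srv01 PBSPro_10.4.0.101257
srv02 PBSPro_10.4.5.110853
srv03 PBSPro_11.0.1.109934
srv04 PBSPro_11.0.2.110766
srv05 PBSPro_9.2.0.81361
EOF
```

Hosts reported as vulnerable need the update, or the firewall restriction described under RECOMMENDATION until they are upgraded.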
SECURITY UPDATE:
The updates and packages are being made available to all customers running PBS
Professional software.
INSTRUCTIONS TO OBTAIN UPDATE:
For customers with active support, please go to:
http://www.pbspro.com/UserArea/
and log in with your site ID and password to obtain the desired packages.
For customers without active support, the fix package PBSPro 10.4.5 is attached to this advisory.
INSTALLATION INSTRUCTIONS:
It is recommended to refer to the release notes and installation instructions
included in each package. It is also recommended to follow the instructions given in
PBS Professional Guide, Reference 86A216FE00, chapter 3 "Upgrading to bullx cluster suite XR 5v3.1U2".
For any problems, please contact the Hotline at srv.hot-line-hpc@bull.net