CVE-2021-45104

7.4 HIGH

📋 TL;DR

This vulnerability in HTCondor allows attackers who can intercept network traffic to interfere with user jobs and data. It affects HTCondor installations where network data can be captured, potentially impacting job execution and data integrity.

💻 Affected Systems

Products:
  • HTCondor
Versions: 9.0.x before 9.0.10 and 9.1.x before 9.5.1
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all HTCondor installations in vulnerable versions regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate job execution, steal sensitive data from jobs, or cause job failures across the HTCondor cluster.

🟠 Likely Case

Attackers with network access could disrupt specific jobs or intercept job data, leading to data leakage or job failures.

🟢 If Mitigated

With proper network segmentation and encryption, impact is limited to authorized users within the protected network segment.

🌐 Internet-Facing: HIGH if HTCondor services are exposed to the internet without proper network controls.
🏢 Internal Only: MEDIUM as attackers would need internal network access, but could still impact jobs if they gain network position.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access to capture HTCondor traffic; no authentication bypass needed once network access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.10 or 9.5.1

Vendor Advisory: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2021-0006/

Restart Required: Yes

Instructions:

1. Download HTCondor 9.0.10 or 9.5.1 from official sources.
2. Stop HTCondor services.
3. Install the updated version.
4. Restart HTCondor services.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate HTCondor traffic to trusted network segments only

Enable Encryption (Linux)

Configure HTCondor to use encrypted communications between components:

condor_config_val -set "SEC_DEFAULT_ENCRYPTION = REQUIRED"
condor_reconfig

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access HTCondor network traffic
  • Monitor HTCondor network traffic for unusual patterns or unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

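Check HTCondor version: condor_version | grep -Ew '9\.0\.[0-9]|9\.[1-4]\.[0-9]+|9\.5\.0'

A match means the installed version falls in the affected range (9.0.x before 9.0.10, or 9.1.x before 9.5.1).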

Check Version:

condor_version

Verify Fix Applied:

Verify version is 9.0.10 or higher for 9.0.x branch, or 9.5.1 or higher for 9.1.x branch
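
The version check above as a script, added here as an example and not taken from the vendor advisory or the HTCondor project: it extracts the version from `condor_version` output and classifies it against the ranges on this page. The function names and the sample output are constructed for illustration, and "9.1.x before 9.5.1" is read as 9.1.0 through 9.5.0.

```shell
#!/bin/sh
# Added example, not HTCondor project code. Function names are hypothetical.

# Pull the x.y.z version out of `condor_version` output read from stdin.
htcondor_extract_version() {
    sed -n 's/^\$CondorVersion: \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Print one of: vulnerable, fixed, outside-listed-range, unparseable.
htcondor_cve_2021_45104_status() {
    # Accept only digits and single dots, so the unquoted split below is safe.
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo unparseable; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unparseable; return 0; }
    major=$1 minor=$2 patch=$3
    if [ "$major" -ne 9 ]; then
        echo outside-listed-range      # this page lists only 9.x ranges
    elif [ "$minor" -eq 0 ]; then
        # 9.0.x branch: fixed in 9.0.10
        if [ "$patch" -lt 10 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$minor" -lt 5 ]; then
        echo vulnerable                # 9.1.x through 9.4.x precede 9.5.1
    elif [ "$minor" -eq 5 ] && [ "$patch" -lt 1 ]; then
        echo vulnerable                # 9.5.0
    else
        echo fixed                     # 9.5.1 and later
    fi
}

# Constructed sample of `condor_version` output (build details are made up).
SAMPLE_OUTPUT='$CondorVersion: 9.0.9 Jan 01 2022 BuildID: 000000 PackageID: 9.0.9-1 $
$CondorPlatform: x86_64_CentOS7 $'

htcondor_check_sample() {
    v=$(printf '%s\n' "$SAMPLE_OUTPUT" | htcondor_extract_version)
    htcondor_cve_2021_45104_status "$v"
}

htcondor_check_sample   # prints: vulnerable
```

On a live host, replace the sample with `condor_version | htcondor_extract_version` and pass the result to `htcondor_cve_2021_45104_status`.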

📡 Detection & Monitoring

Log Indicators:

  • Unexpected job failures
  • Unusual network connections to HTCondor ports
  • Authentication errors from unknown sources

Network Indicators:

  • Unusual traffic patterns on HTCondor ports (9618, 9614)
  • Network sniffing tools detected on HTCondor network segments

SIEM Query:

source="htcondor.log" AND (event="job_failure" OR event="authentication_error") | stats count by src_ip
