CVE-2025-53636
📋 TL;DR
Open OnDemand users can flood system logs by generating repeated errors through the shell app, creating excessively large log files that consume disk space and cause denial of service. This affects all Open OnDemand deployments with vulnerable versions, potentially disrupting HPC portal availability.
💻 Affected Systems
- Open OnDemand
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability due to disk exhaustion from massive log files, requiring manual cleanup and service restoration.
Likely Case
Degraded performance or temporary service interruption until logs are rotated or cleaned up.
If Mitigated
Minimal impact with proper log rotation and monitoring in place.
🎯 Exploit Status
Exploitation requires authenticated user access to generate shell errors; trivial for users with shell app permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.14 or 4.0.6
Vendor Advisory: https://github.com/OSC/ondemand/security/advisories/GHSA-x5xv-fw37-v524
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Open OnDemand to version 3.1.14 (for v3.x) or 4.0.6 (for v4.x).
3. Restart the Open OnDemand service.
4. Verify the update with a version check.
🔧 Temporary Workarounds
Implement aggressive log rotation
Configure logrotate to limit log file sizes and retention periods:
sudo nano /etc/logrotate.d/ondemand
Add configuration:
/var/log/ondemand/*.log {
    daily
    rotate 7
    compress
    missingok
    notifempty
    size 100M
}
Note: with the size directive, logrotate rotates purely on size and ignores the daily interval; use maxsize 100M instead if you want rotation to happen daily or as soon as a file exceeds 100M, whichever comes first.
Restrict shell app access
Temporarily disable or limit shell app functionality for non-essential users:
sudo ood-portal-generator --disable-shell-app
sudo systemctl restart ondemand
🧯 If You Can't Patch
- Implement strict log monitoring and alerting for rapid log growth
- Apply filesystem quotas to log directories to prevent disk exhaustion
🔍 How to Verify
Check if Vulnerable:
Check the Open OnDemand version: if it is below 3.1.14 (for v3.x) or 4.0.6 (for v4.x), the system is vulnerable.
Check Version:
ood --version
Verify Fix Applied:
Verify version is 3.1.14 or higher (v3.x) or 4.0.6 or higher (v4.x) and monitor log growth after patch.
📡 Detection & Monitoring
Log Indicators:
- Rapid growth of /var/log/ondemand/*.log files
- Repeated error messages from shell app in logs
Network Indicators:
- Increased shell app activity from single user
SIEM Query:
source="/var/log/ondemand/" AND ("shell" OR "error") | stats count by src_user | where count > 1000
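The SIEM query above counts shell-app error events per user. The following script is an added example, not part of this advisory or of the Open OnDemand project, that implements the same two detections offline: a sliding-window count of shell-app error lines per user, and a log-growth-rate check from periodic file-size samples. The advisory does not show the real Open OnDemand log format, so the line layout, field names, thresholds and sample lines below are constructed assumptions; adapt LINE_RE to the actual format before use.

```python
"""Detect bursty shell-app error logging and abnormal log growth.

Assumed (constructed) log line format, since the advisory shows none:
  2025-07-01T12:00:00Z user=alice app=shell level=ERROR msg="..."
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed field layout; replace with the deployment's real log format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+app=(?P<app>\S+)\s+'
    r'level=(?P<level>\S+)\s+msg="(?P<msg>[^"]*)"'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def max_burst(timestamps, window):
    """Largest number of events inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_noisy_users(lines, window=timedelta(minutes=1), threshold=5, app="shell"):
    """Map user -> peak error count for users whose shell-app errors exceed
    `threshold` within any `window`. Malformed lines are skipped."""
    per_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["app"] != app or rec["level"] != "ERROR":
            continue
        per_user[rec["user"]].append(rec["ts"])
    return {u: n for u, t in per_user.items() if (n := max_burst(t, window)) >= threshold}


def growth_alerts(samples, max_bytes_per_second=1_000_000):
    """Given (seconds, size_in_bytes) samples of one log file, return the
    (t0, t1) intervals whose growth rate exceeds `max_bytes_per_second`."""
    alerts = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 > t0 and (s1 - s0) / (t1 - t0) > max_bytes_per_second:
            alerts.append((t0, t1))
    return alerts


# Constructed sample input: alice floods errors, bob and carol are normal.
SAMPLE_LOG = """\
2025-07-01T12:00:00Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:03Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:06Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:09Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:12Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:15Z user=alice app=shell level=ERROR msg="websocket error"
2025-07-01T12:00:20Z user=bob app=shell level=INFO msg="session started"
2025-07-01T12:00:45Z user=bob app=shell level=ERROR msg="connection closed"
2025-07-01T12:05:00Z user=carol app=dashboard level=ERROR msg="template missing"
this line is not in the expected format
""".splitlines()

# Constructed size samples (seconds, bytes): a jump from 2 KB to 200 MB in a minute.
SAMPLE_SIZES = [(0, 1_000), (60, 2_000), (120, 200_000_000)]

if __name__ == "__main__":
    print("noisy users:", flag_noisy_users(SAMPLE_LOG))
    print("growth alerts:", growth_alerts(SAMPLE_SIZES))
```

Tune `threshold` and `max_bytes_per_second` to the site's baseline; the size-sampling check is independent of log format and is the one that catches the disk-exhaustion outcome the advisory describes even when individual lines cannot be attributed to a user.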