CVE-2025-64185
📋 TL;DR
Open OnDemand creates world-writable directories in the GEM_PATH environment variable, allowing any user on the system to modify Ruby gem files. This affects all Open OnDemand installations prior to versions 4.0.8 and 3.1.16, potentially enabling privilege escalation or code execution.
💻 Affected Systems
- Open OnDemand
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could replace legitimate Ruby gems with malicious versions, leading to remote code execution as the Open OnDemand service account, potentially compromising the entire HPC cluster.
Likely Case
Local users could escalate privileges by modifying gem files to execute arbitrary code when Open OnDemand processes run, gaining unauthorized access to HPC resources.
If Mitigated
With proper file permissions and isolation controls, the impact is limited to unauthorized gem modifications without code execution.
🎯 Exploit Status
Exploitation requires local user access to modify files in world-writable directories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.8 or 3.1.16
Vendor Advisory: https://github.com/OSC/ondemand/security/advisories/GHSA-r2cg-hg78-gq9p
Restart Required: Yes
Instructions:
1. Update Open OnDemand to version 4.0.8 or 3.1.16.
2. Restart all Open OnDemand services.
3. Verify GEM_PATH directories no longer have world-writable permissions.
🔧 Temporary Workarounds
Remove world-writable permissions from GEM_PATH directories
Linux: manually change permissions on the affected directories to remove world-writable access (the commands below assume the default install paths):
find /var/lib/ondemand -type d -perm -o+w -exec chmod o-w {} \;
find /opt/ood -type d -perm -o+w -exec chmod o-w {} \;
🧯 If You Can't Patch
- Isolate Open OnDemand services to dedicated systems with minimal user access
- Implement strict file integrity monitoring on GEM_PATH directories
🔍 How to Verify
Check if Vulnerable:
Check for world-writable directories under the default Open OnDemand install paths (adjust the paths to match the GEM_PATH your installation actually uses): find /var/lib/ondemand /opt/ood -type d -perm -o+w 2>/dev/null
Check Version:
ondemand --version 2>/dev/null || grep 'ood_version' /etc/ood/config/apps/*/env 2>/dev/null
Verify Fix Applied:
Verify no world-writable directories exist: find /var/lib/ondemand /opt/ood -type d -perm -o+w 2>/dev/null | wc -l (should return 0)
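The vulnerable check, the fix check and the chmod workaround above, combined into one POSIX shell audit that walks the colon-separated GEM_PATH value itself instead of two fixed paths. This is an added example, not the advisory's or the Open OnDemand project's own tooling; the directory layout it is exercised against is constructed.

```shell
# Added example (not from the advisory or the Open OnDemand project):
# audit every entry of a GEM_PATH-style, colon-separated list for
# world-writable directories, the condition CVE-2025-64185 describes,
# and optionally apply the advisory's chmod o-w workaround to them.
# Run it against the GEM_PATH of the running Open OnDemand process,
# e.g. list_world_writable "$GEM_PATH".

# Print every world-writable directory beneath each entry of $1.
# Entries that do not exist are skipped. A directory with the sticky
# bit (mode 1777) still has the other-write bit and is reported too.
list_world_writable() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        if [ -d "$_dir" ]; then
            find "$_dir" -type d -perm -o+w 2>/dev/null
        fi
    done
    IFS=$_old_ifs
    return 0
}

# Number of world-writable directories across all entries of $1
# (the advisory's "should return 0" check, applied to a whole GEM_PATH).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the advisory's workaround: clear the other-write bit on every
# world-writable directory beneath each entry of $1.
fix_world_writable() {
    _old_ifs=$IFS
    IFS=:
    for _dir in $1; do
        if [ -d "$_dir" ]; then
            find "$_dir" -type d -perm -o+w -exec chmod o-w {} \; 2>/dev/null
        fi
    done
    IFS=$_old_ifs
    return 0
}
```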
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to Ruby gem files
- Permission changes in GEM_PATH directories
Network Indicators:
- Unusual outbound connections from Open OnDemand services
SIEM Query:
event_type:file_modification AND (path:/var/lib/ondemand/* OR path:/opt/ood/*) AND user:!root