The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports; new updates will be ignored and lost.
If needed, you can get in touch with the EGI SDIS team using operations @




Update 26th January 2012 - fix for gLite 3.2 released on 24th January.

** White information - Unlimited distribution allowed            **  
** see for distribution restrictions **


Title:        High Risk - Torque Munge Impersonation vulnerability

Date:         2011-12-21
Updated:      2012-01-24



A vulnerability has been found in Torque which may allow users to impersonate other users.

This has been fixed in the version of Torque in EPEL, and it is recommended that sites 
using EMI and UMD upgrade to a fixed version of Torque from the EPEL site.

This advisory has been updated as a fixed version of Torque is now available in gLite 3.2.


When Munge is in use, the Torque server (pbs_server) does not properly check the credentials of the user making a request.
In some situations one user may be able to impersonate another user and perform actions
on that user's behalf, including submitting a job.

Full details of the vulnerability are now available on the RedHat Bugzilla
[R 1]

Risk Category

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.

Affected Software

Versions of Torque in EPEL prior to:


may be affected.  

Component Installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

A patch is now available from RedHat EPEL. It is appropriate both for sites installing
from the EGI UMD and for sites installing directly from the EMI distribution.

They are detailed fully in the release notes:

A patch is also available for sites installing from gLite 3.2

gLite 3.2:

gLite 3.2 Security Update 2

It should be noted that the above versions require Munge [R 2], on the server as well as on the WN for the torque-client.

Some notes on Munge installation and configuration (taken from the notes for an earlier EPEL5 Torque update):

The EPEL5 build of torque-2.5.7-1 and later enables Munge as the inter-node
authentication method, unlike previous versions.

It is highly advisable that Munge is installed and enabled before upgrading to
version 2.5.7-1 or later of this torque package. A munge package is available
within EPEL5.

To enable munge on your torque cluster:

  * Install the munge package on your pbs_server and submission hosts in your

  * On one host generate a key with /usr/sbin/create-munge-key

  * Copy the key, /etc/munge/munge.key to your pbs_server and submission hosts
    on your cluster.

  * Start the munge daemon on these nodes: service munge start && chkconfig
    munge on

The key must be identical on every node, owned by the munge user and readable by
that user only (mode 0400); by default munged refuses to start with a key that is
group- or world-readable.
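The procedure above, scripted end to end as an added example (it is not code from the advisory or from the Torque or MUNGE projects): the key is generated once on the pbs_server, copied with scp to each submission host and worker node (the WNs need it too, since the torque-client uses Munge), ownership and mode are locked down, munged is started and enabled, and finally a credential minted locally is decoded on every remote host with "munge -n | ssh host unmunge", which catches a key mismatch or a munged that is not running. Root ssh/scp access to every host, the EPEL5 munge package already installed everywhere, SysV service management (service/chkconfig) and the host-list argument are assumptions of the example, not something the advisory states.

```shell
#!/bin/sh
# Added example (not part of the advisory or the Torque/MUNGE projects):
# generate one MUNGE key on the pbs_server, push it to the submission hosts
# and worker nodes, enable munged there, and verify that a credential minted
# locally decodes on every remote host.
# Assumptions: root ssh/scp access to every host, the EPEL5 munge package
# already installed everywhere, SysV service management (service/chkconfig),
# and the key path /etc/munge/munge.key given in the advisory.

KEY=/etc/munge/munge.key

# 0 if the key file is readable by its owner only (mode 0400 or 0600).
# munged refuses to start on a key that is group- or world-readable.
munge_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run once on the pbs_server: create the key if absent, lock down ownership and mode.
generate_key() {
    [ -s "$KEY" ] || /usr/sbin/create-munge-key
    chown munge:munge "$KEY" && chmod 0400 "$KEY"
}

# Copy the identical key to each host given, fix ownership/mode, start and enable munged.
distribute_key() {
    for host in "$@"; do
        scp -p "$KEY" "root@$host:$KEY" || return 1
        ssh "root@$host" \
            "chown munge:munge $KEY && chmod 0400 $KEY && service munge start && chkconfig munge on" \
            || return 1
    done
}

# A credential created here must unmunge on every remote host; anything else
# means a key mismatch or munged not running there.
verify_hosts() {
    status=0
    for host in "$@"; do
        if munge -n | ssh "root@$host" unmunge >/dev/null 2>&1; then
            echo "$host: munge ok"
        else
            echo "$host: munge FAILED" >&2
            status=1
        fi
    done
    return "$status"
}

# usage: enable-munge.sh <submission-host> [<worker-node> ...]
if [ "$#" -eq 0 ]; then
    echo "usage: $0 <submission-host> [<worker-node> ...]" >&2
else
    generate_key && munge_key_mode_ok "$KEY" && distribute_key "$@" && verify_hosts "$@"
fi
```

Run it on the pbs_server as root with the submission hosts and worker nodes as arguments; it stops at the first host that cannot be reached and reports every host whose munged cannot decode a credential from the server, which is exactly the condition under which Torque clients would be unable to authenticate.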


It is recommended that sites installing from EMI or the EGI UMD update Torque from 
the Redhat EPEL site as soon as possible if they have not done so already.

Sites installing gLite 3.2 should update as soon as possible from if they did not update from:


This vulnerability was reported by Adam Smutnicki and Lukasz Flis.


[R 1]
[R 2]


2011-11-03 Vulnerability reported by Adam Smutnicki and Lukasz Flis
2011-11-03 Acknowledgement from the EGI SVG to the reporter
2011-11-08 Risk Assessment complete and Issue reported as EPEL bug.
2011-12-20 Patch available from EPEL
2011-12-21 Advisory released to community
2012-01-24 gLite 3.2 update available, advisory released publicly

For the EGI SVG,