SWAMP-in-a-Box Update 1.28.2
Greetings, SWAMP-in-a-Box community.
SWAMP-in-a-Box build 1.28.2.33 is a security release addressing a privilege escalation vulnerability found in a pentest by Black Hills Infosec. We’d like to thank them for their thorough and professional work on behalf of the SWAMP project.
The vulnerability allows authenticated SWAMP users to obtain unauthorized administrative rights. At this time, we do not believe the vulnerability is known outside of the SWAMP team or being actively exploited, but we recommend SWAMP-in-a-Box deployers upgrade to this latest version as soon as possible. If you are unable to upgrade, you should disable any untrusted users as a temporary mitigation.
Additionally, the SWAMP-in-a-Box install/upgrade script is now tied to HTCondor version 8.4.11. Please contact us if you are currently running HTCondor version 8.6.0.
Packages for new installs can be found at https://github.com/mirswamp/deployment (GitHub) and https://platform.swampinabox.org/siab-latest-release/ (SWAMP read-only server).
Instructions for upgrading can be found in README-UPGRADE.md.