Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.
What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

What do customers need to do to mitigate this vulnerability?
Customers should install the latest security update for HPC Pack 2019 Update 3 on affected systems. Microsoft has released HPC Pack 2019 Update 3 Fixes (Build 6.3.8355), which includes all previously released fixes for this vulnerability. Customers running HPC Pack 2019 Update 3 can apply this update directly, regardless of whether earlier fixes were installed. Customers using earlier versions of HPC Pack must first upgrade to HPC Pack 2019 Update 3 (Build 6.3.8328) before applying the fix. HPC Pack 2016 is not supported for this update; customers using that version must migrate to HPC Pack 2019 Update 3 to be protected. This update applies only to head nodes and updates a limited set of binaries related to the HPC Scheduler and Management services. Other node types are not affected and do not require action.

Is a fix available for HPC Pack 2016?
No. There are no QFE updates available for HPC Pack 2016. Customers using HPC Pack 2016 must migrate to HPC Pack 2019 Update 3 and then apply the available QFE to receive the fix.

Do I need to apply the QFE to all nodes in an HPC Pack cluster?
No. The QFE only needs to be applied to the head nodes of the HPC Pack cluster. Compute nodes are not affected and do not require the update.
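The guidance above branches on two things: the installed HPC Pack build relative to 6.3.8328 (Update 3) and 6.3.8355 (the fix), and whether the node is a head node. The following PowerShell script, added here as an example and not part of the advisory or of HPC Pack itself, turns that guidance into a per-node decision so it can be run across a fleet. The build numbers come from the advisory; the rest is assumed: that HPC Pack registers an Uninstall entry whose DisplayName begins with "Microsoft HPC Pack" and whose DisplayVersion carries the build, that only head nodes run a service named HpcScheduler, and that HPC Pack 2016 reports a 5.x product version. The function names and the messages are the example's own.

```powershell
# Added example, not Microsoft's or HPC Pack's own tooling.
# Maps one node's installed HPC Pack build and role onto the action the
# advisory requires for it.

# Build numbers quoted in the advisory.
$Update3Baseline = [version]'6.3.8328'   # HPC Pack 2019 Update 3
$FixedBuild      = [version]'6.3.8355'   # HPC Pack 2019 Update 3 Fixes (QFE)

function Get-HpcPatchAction {
    param(
        [Parameter(Mandatory)][version]$InstalledVersion,
        [Parameter(Mandatory)][bool]$IsHeadNode
    )
    # Only head nodes carry the affected Scheduler/Management binaries.
    if (-not $IsHeadNode) {
        return 'NoAction: the QFE applies to head nodes only'
    }
    if ($InstalledVersion -ge $FixedBuild) {
        return 'Fixed: build 6.3.8355 or later is installed'
    }
    if ($InstalledVersion -ge $Update3Baseline) {
        return 'ApplyQfe: install HPC Pack 2019 Update 3 Fixes (6.3.8355)'
    }
    if ($InstalledVersion.Major -ge 6) {
        return 'UpgradeFirst: upgrade to HPC Pack 2019 Update 3 (6.3.8328), then apply 6.3.8355'
    }
    # Assumption: HPC Pack 2016 reports a 5.x product version.
    return 'Migrate: HPC Pack 2016 has no QFE; migrate to 2019 Update 3, then apply 6.3.8355'
}

function Get-LocalHpcState {
    # Assumption: HPC Pack registers an Uninstall entry whose DisplayName starts
    # with "Microsoft HPC Pack" and whose DisplayVersion carries the build number.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft HPC Pack*' } |
        Select-Object -First 1
    if (-not $entry) {
        throw 'HPC Pack does not appear to be installed on this node.'
    }

    # Assumption: only head nodes run the HpcScheduler service (the advisory
    # says the QFE updates Scheduler and Management service binaries).
    $isHead = $null -ne (Get-Service -Name 'HpcScheduler' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        # Keep only digits and dots so strings such as "6.3.8355.0" parse as [version].
        Version    = [version]($entry.DisplayVersion -replace '[^\d.]', '')
        IsHeadNode = $isHead
    }
}

# Run on the node being assessed (for example via Invoke-Command across the cluster).
$state  = Get-LocalHpcState
$action = Get-HpcPatchAction -InstalledVersion $state.Version -IsHeadNode $state.IsHeadNode
'{0} build {1} (head node: {2}): {3}' -f $env:COMPUTERNAME, $state.Version, $state.IsHeadNode, $action
```

One caveat when relying on the Uninstall entry: the advisory says the fix replaces only a limited set of Scheduler and Management binaries, so if the product's DisplayVersion is not bumped by the QFE, compare the file versions of the updated binaries (from the QFE's release notes) instead of, or in addition to, the product version, or the script will report ApplyQfe on an already-patched head node.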
Long Zhang