CVE-2025-66029
Open · Open Multiple Products
Executive summary
A high-severity vulnerability has been discovered in multiple Open products, specifically affecting the Open OnDemand platform used for web-based access to supercomputing environments. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying high-performance computing (HPC) systems, potentially leading to unauthorized data access, intellectual property theft, and disruption of critical research operations. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.
Vulnerability
The vulnerability exists due to improper input sanitization within a component of the Open OnDemand web interface. An authenticated attacker with low-level privileges can craft a malicious HTTP request containing specially formatted commands. When the server processes this request, it fails to properly neutralize the embedded commands, leading to their execution on the host operating system with the permissions of the web server's user account.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.6. Exploitation could have severe consequences for the organization, including the compromise of sensitive research data, theft of intellectual property, and disruption of mission-critical computational workloads hosted on the supercomputer. An attacker could leverage this access to establish a persistent foothold, pivot to other connected systems within the HPC environment, or utilize the powerful computing resources for malicious purposes such as cryptocurrency mining. The potential for data breaches and operational downtime poses a significant financial and reputational risk.
Remediation
Immediate Action: Apply vendor security updates immediately across all affected Open OnDemand instances. After patching, review web server and application access logs for any signs of compromise or attempted exploitation that may have occurred prior to the update.
Proactive Monitoring: Implement enhanced monitoring of the Open OnDemand environment. Specifically, security teams should look for unusual patterns in web request logs, such as unexpected characters or command syntax in URL parameters. Monitor system process logs on the host server for anomalous processes being spawned by the web server user account (e.g., nginx, apache, httpd).
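The two monitoring signals described above (shell syntax inside request parameters, and shells spawned under the web server's account) can be turned into a small triage script. The following is an added example written for this advisory; it is not code from the advisory, from Open OnDemand, or from any vendor. The access-log lines and process events are constructed samples in a generic combined-log and key=value format, the request path /example/app is a placeholder rather than a real OnDemand route, and www-data is added to the advisory's list of web server accounts as an assumption. The metacharacter list is a heuristic to be tuned against the applications you actually run.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Shell metacharacters and command-substitution syntax that should not appear in
# a normal request parameter. Heuristic: tune it for the apps you host.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{|\n|\r")

# Accounts the advisory names (nginx, apache, httpd); www-data is an added assumption.
WEB_USERS = {"nginx", "apache", "httpd", "www-data"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample access-log lines (not from the page or any real deployment).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - alice [01/Jan/2025:10:00:00 +0000] "GET /example/app?job=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2025:10:00:03 +0000] "GET /example/app?job=1234%3Bid HTTP/1.1" 200 640',
    '10.0.0.9 - bob [01/Jan/2025:10:00:07 +0000] "GET /example/app?name=%2524%2528id%2529 HTTP/1.1" 500 88',
]

# Constructed sample process events in a simple key=value format (e.g. as exported
# from an audit pipeline); not real audit output.
SAMPLE_PROC_EVENTS = [
    'time=2025-01-01T10:00:03Z user=apache parent=httpd comm=sh argv="sh -c id"',
    'time=2025-01-01T10:00:04Z user=alice parent=nginx comm=python3 argv="python3 app.py"',
    'time=2025-01-01T10:00:05Z user=apache parent=httpd comm=httpd argv="httpd -DFOREGROUND"',
]


def suspicious_params(target: str):
    """Return (name, decoded_value) for query parameters that contain shell syntax."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; decode a second time so a
        # single extra layer of encoding does not hide the metacharacters.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(lines):
    """Flag requests whose parameters look like command syntax."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, user, ts, method, target, status = m.groups()
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": ip, "user": user, "time": ts,
                             "method": method, "status": int(status), "params": hits})
    return findings


PROC_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_proc_event(line: str) -> dict:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in PROC_RE.findall(line)}


def scan_process_events(lines):
    """Flag shells started under a web server account. A legitimate CGI or
    helper may also do this, so treat hits as leads to verify, not verdicts."""
    findings = []
    for line in lines:
        ev = parse_proc_event(line)
        if ev.get("user") in WEB_USERS and ev.get("comm") in SHELLS:
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print("request:", f["time"], f["ip"], f["user"], f["params"])
    for ev in scan_process_events(SAMPLE_PROC_EVENTS):
        print("process:", ev["time"], ev["user"], ev["parent"], "->", ev["argv"])
```

Run it against real access logs and audit exports by replacing the two sample lists with file readers; the access-log check is the one to deploy first, because it also surfaces attempts that the server rejected (non-200 status) and so would be missed by process monitoring alone.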
Compensating Controls: If immediate patching is not feasible, consider the following controls to reduce risk:
- Implement a Web Application Firewall (WAF) with rules designed to detect and block command injection attack patterns.
- Strictly limit network access to the Open OnDemand web interface to only trusted IP addresses and authorized user groups.
- Increase the level of logging and alerting for the application to ensure any suspicious activity is detected and investigated promptly.
Exploitation status
Public exploit available: No
Analyst recommendation
Due to the high severity (CVSS 7.6) and the critical nature of the assets protected by Open OnDemand, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. The potential for unauthorized access to supercomputing resources and sensitive data represents an unacceptable risk. Although this CVE is not currently on the CISA KEV list, its impact makes it a prime candidate for future inclusion if widespread exploitation is observed. All remediation and monitoring actions should be treated with the highest urgency.