PAM 3.2.x and 3.3.0 servers with Windows Remote target connector configured to manage passwords on Windows servers.

There is a potential problem on the PAM server when the Windows Remote target connector runs into problems while communicating with a target device to verify or update account passwords. In rare cases this can leave behind a looping process that takes up all available time on one CPU. Even a cluster restart will not terminate these hung processes. With time there may be multiple of these processes running. E.g. 5 looping processes on a PAM server with 8 CPUs will results in a steady CPU usage of 60+ percent. If scheduled jobs are used to rotate passwords of Windows accounts on a regular basis, a single target account using the Windows Remote connector could be responsible for all looping processes.

A PAM server reboot will resolve the problem.

If this is a production node and you cannot restart the server any time soon, you can engage PAM support to kill the problem processes during a WebEx session with SSH access to the PAM server. This requires an SSH debug patch to be applied, a PAM admin has to enable SSH access, and firewall rules need to allow SSH access to PAM from a laptop/desktop that can run a PuTTY SSH client.

The defect is resolved with 3.3.1 PAM.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-access-manager/3-3-1/release-information/resolved-issues-in-3-3_1.html