EGIWiki - User contributions [en] (MediaWiki 1.37.1), feed retrieved 2024-03-29T01:52:38Z
https://wiki.egi.eu/w/api.php?action=feedcontributions&user=Cornwall&feedformat=atom

SVG:Advisory-SVG-CVE-2021-4034 - revision by Cornwall, 2022-02-10T10:41:48Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-4034&diff=113832
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] **UPDATE ** CRITICAL risk - <br />
Local privilege escalation vulnerability on polkit's pkexec utility. [EGI-SVG-CVE-2021-4034] <br />
<br />
Date: 2022-01-26<br />
Updated: 2022-01-26<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning polkit<br />
<br />
Package : Polkit<br />
CVE ID : CVE-2021-4034<br />
Bug ID : Bugzilla 2025869<br />
<br />
<br />
A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid <br />
tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. <br />
The current version of pkexec does not handle the argument count correctly and ends up trying to <br />
execute environment variables as commands. An attacker can leverage this by crafting environment variables <br />
in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack can <br />
cause a local privilege escalation, giving unprivileged users administrative rights on the target machine. [R 1], [R 2], [R 3]<br />
<br />
**UPDATE 2022-01-26 ** <br />
<br />
To clarify: RedHat 6 and RedHat 7 are affected, as well as RedHat 8. [R 1]<br />
<br />
Updates are now available for Scientific Linux and CentOS.<br />
<br />
Sites are recommended to check for updates for any other Linux distributions they are using.<br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites are required to urgently install a new version, or carry out mitigation.<br />
<br />
All running resources MUST be either patched or have mitigation<br />
in place or software removed by 2022-02-03 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites running RHEL should see [R 1], [R 2]<br />
<br />
Sites running CentOS should also see [R 1], [R 2] <br />
<br />
**UPDATE 2022-01-26 Updates for CentOS 7 have been released, but are not on all mirrors yet at the time of writing**<br />
<br />
Sites running Debian should see [R 4]<br />
<br />
Sites running Ubuntu should see [R 5]<br />
<br />
Sites running Almalinux should see [R 6], [R 7]<br />
<br />
Sites running RockyLinux should see [R 8] <br />
<br />
Sites running Scientific Linux should see [R 9]<br />
<br />
**UPDATE 2022-01-26 Updates for Scientific Linux are now available**<br />
<br />
Mitigation<br />
==========<br />
<br />
Detailed mitigation steps are provided by RedHat - [R 1]<br />
<br />
Another temporary mitigation is to remove the setuid bit from /usr/bin/pkexec -<br />
<br />
chmod u-s /usr/bin/pkexec<br />
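An added check for the temporary mitigation above (example code, not part of the advisory): it reports whether a pkexec binary still carries the setuid bit, applies the advisory's `chmod u-s` on request and verifies that the bit is gone. The path argument is an assumption so the helper can be tried on a test copy; the default is the advisory's /usr/bin/pkexec.

```shell
#!/bin/sh
# Added example, not part of the EGI SVG advisory: audit/mitigation helper for
# the "chmod u-s /usr/bin/pkexec" workaround. A setuid pkexec is still exposed
# to CVE-2021-4034 until a fixed polkit package is installed; without the
# setuid bit pkexec cannot elevate privileges for anyone, so this is a stopgap.
# The FILE parameter is an assumption of this example; the default is the
# path named in the advisory.

PKEXEC_DEFAULT=/usr/bin/pkexec

# has_setuid FILE: exit 0 when FILE exists and carries the setuid bit.
# Reads the owner-execute column of ls -l ('s' or 'S'), which is POSIX.
has_setuid() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# pkexec_status [FILE]: print one of "missing", "setuid" or "mitigated".
pkexec_status() {
    f=${1:-$PKEXEC_DEFAULT}
    if [ ! -f "$f" ]; then
        echo missing
    elif has_setuid "$f"; then
        echo setuid
    else
        echo mitigated
    fi
}

# pkexec_mitigate [FILE]: strip the setuid bit (the advisory's temporary
# mitigation) and verify. Exit 0 only if the file is no longer setuid.
pkexec_mitigate() {
    f=${1:-$PKEXEC_DEFAULT}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    chmod u-s "$f" || return 1
    if has_setuid "$f"; then
        echo "setuid bit still present on $f" >&2
        return 1
    fi
    echo "mitigated: $f"
}

# Usage when run directly:  sh pkexec_check.sh --check [FILE]
#                           sh pkexec_check.sh --apply [FILE]   (as root)
case "${1:-}" in
    --check) pkexec_status "${2:-$PKEXEC_DEFAULT}" ;;
    --apply) pkexec_mitigate "${2:-$PKEXEC_DEFAULT}" ;;
esac
```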
<br />
<br />
Affected software details<br />
=========================<br />
<br />
See [R 1]<br />
<br />
<br />
More information<br />
================<br />
<br />
A public exploit has been released. It is fairly trivial to exploit this vulnerability. <br />
<br />
**UPDATE 2022-01-26 Updated to clarify that RedHat 7 is affected as well as RedHat 8; the previous <br />
version mentioned RedHat 8 in the Component installation information, which was an error. Apologies. **<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol for distribution restrictions ** <br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 99]. <br />
<br />
Note that this is undergoing revision.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/security/cve/CVE-2021-4034<br />
<br />
[R 2] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001<br />
<br />
[R 3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt<br />
<br />
[R 4] https://security-tracker.debian.org/tracker/CVE-2021-4034<br />
<br />
[R 5] https://ubuntu.com/security/CVE-2021-4034<br />
<br />
[R 6] https://errata.almalinux.org/<br />
<br />
[R 7] https://errata.almalinux.org/8/ALSA-2022-0267.html<br />
<br />
[R 8] https://errata.rockylinux.org/<br />
<br />
[R 9] https://www.scientificlinux.org/category/sl-errata/<br />
<br />
<br />
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Vincent Brillault<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2022-CVE-2021-4034] <br />
<br />
2022-01-26 SVG alerted to this issue by Vincent Brillault<br />
2022-01-26 Acknowledgement from the EGI SVG to the reporter<br />
2022-01-26 EGI SVG Risk Assessment completed <br />
2022-01-26 Advisory sent to sites<br />
2022-01-26 Advisory updated - to clarify that RedHat 6, 7 and 8 are all affected, and to list more Linux releases that fix this.<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 99] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
Others may re-use this information provided they:<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure. <br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
</pre></div>

SVG:Advisory-SVG-CVE-2021-4034 - revision by Cornwall, 2022-02-10T10:12:59Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-4034&diff=113831
Edit summary: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:AMBER] **UPDATE ** CRITICAL risk - Local privilege escalation vulnerability on polkit's pkexec utility. [EGI-SVG-CVE-2021-4034] Date: 2022-01-26 Updated: 2022-01-26 Affected software and risk ========================== CRITICAL risk vulnerability concerning polkit Package : Polkit CVE ID : CVE-2021-4034 Bug ID : Bugzilla 2025869 A local privilege escalation vulnerability was f..."
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:AMBER] **UPDATE ** CRITICAL risk - <br />
Local privilege escalation vulnerability on polkit's pkexec utility. [EGI-SVG-CVE-2021-4034] <br />
<br />
Date: 2022-01-26<br />
Updated: 2022-01-26<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning polkit<br />
<br />
Package : Polkit<br />
CVE ID : CVE-2021-4034<br />
Bug ID : Bugzilla 2025869<br />
<br />
<br />
A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid <br />
tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. <br />
The current version of pkexec does not handle the argument count correctly and ends up trying to <br />
execute environment variables as commands. An attacker can leverage this by crafting environment variables <br />
in such a way that pkexec is induced to execute arbitrary code. When successfully executed, the attack can <br />
cause a local privilege escalation, giving unprivileged users administrative rights on the target machine. [R 1], [R 2], [R 3]<br />
<br />
**UPDATE 2022-01-26 ** <br />
<br />
To clarify: RedHat 6 and RedHat 7 are affected, as well as RedHat 8. [R 1]<br />
<br />
Updates are now available for Scientific Linux and CentOS.<br />
<br />
Sites are recommended to check for updates for any other Linux distributions they are using.<br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites are required to urgently install a new version, or carry out mitigation.<br />
<br />
All running resources MUST be either patched or have mitigation<br />
in place or software removed by 2022-02-03 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites running RHEL should see [R 1], [R 2]<br />
<br />
Sites running CentOS should also see [R 1], [R 2] <br />
<br />
**UPDATE 2022-01-26 Updates for CentOS 7 have been released, but are not on all mirrors yet at the time of writing**<br />
<br />
Sites running Debian should see [R 4]<br />
<br />
Sites running Ubuntu should see [R 5]<br />
<br />
Sites running Almalinux should see [R 6], [R 7]<br />
<br />
Sites running RockyLinux should see [R 8] <br />
<br />
Sites running Scientific Linux should see [R 9]<br />
<br />
**UPDATE 2022-01-26 Updates for Scientific Linux are now available**<br />
<br />
Mitigation<br />
==========<br />
<br />
Detailed mitigation steps are provided by RedHat - [R 1]<br />
<br />
Another temporary mitigation is to remove the setuid bit from /usr/bin/pkexec -<br />
<br />
chmod u-s /usr/bin/pkexec<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
See [R 1]<br />
<br />
<br />
More information<br />
================<br />
<br />
A public exploit has been released. It is fairly trivial to exploit this vulnerability. <br />
<br />
**UPDATE 2022-01-26 Updated to clarify that RedHat 7 is affected as well as RedHat 8; the previous <br />
version mentioned RedHat 8 in the Component installation information, which was an error. Apologies. **<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** AMBER information - Limited distribution <br />
- see https://confluence.egi.eu/display/EGIG/Traffic+Light+Protocol for distribution restrictions ** <br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 99]. <br />
<br />
Note that this is undergoing revision.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/security/cve/CVE-2021-4034<br />
<br />
[R 2] https://access.redhat.com/security/vulnerabilities/RHSB-2022-001<br />
<br />
[R 3] https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt<br />
<br />
[R 4] https://security-tracker.debian.org/tracker/CVE-2021-4034<br />
<br />
[R 5] https://ubuntu.com/security/CVE-2021-4034<br />
<br />
[R 6] https://errata.almalinux.org/<br />
<br />
[R 7] https://errata.almalinux.org/8/ALSA-2022-0267.html<br />
<br />
[R 8] https://errata.rockylinux.org/<br />
<br />
[R 9] https://www.scientificlinux.org/category/sl-errata/<br />
<br />
<br />
[R 99] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Vincent Brillault<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2022-CVE-2021-4034] <br />
<br />
2022-01-26 SVG alerted to this issue by Vincent Brillault<br />
2022-01-26 Acknowledgement from the EGI SVG to the reporter<br />
2022-01-26 EGI SVG Risk Assessment completed <br />
2022-01-26 Advisory sent to sites<br />
2022-01-26 Advisory updated - to clarify that RedHat 6, 7 and 8 are all affected, and to list more Linux releases that fix this.<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 99] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
Others may re-use this information provided they:<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure. <br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
</pre></div>

SVG:Advisories - revision by Cornwall, 2021-10-12T16:33:02Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113425
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-09-10, updated 2021-10-12|| use-after-free privilege escalation vulnerability in linux kernel - CVE-2021-3715<br />
|| [[SVG:Advisory-SVG-CVE-2021-3715| Advisory-SVG-CVE-2021-3715]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-07-22, updated 2021-07-28, 2021-08-26, 2021-10-06 || Sequoia Privilege escalation in Linux file system CVE-2021-33909<br />
|| [[SVG:Advisory-SVG-CVE-2021-33909| Advisory-SVG-CVE-2021-33909]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-28, updated 2021-08-12, 2021-08-18, 2021-09-01, 2021-10-06 || Linux kernel vulnerability affecting RHEL/CentOS 8 and derivatives - CVE-2021-22555<br />
|| [[SVG:Advisory-SVG-CVE-2021-22555| Advisory-SVG-CVE-2021-22555]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-08-17, updated 2021-09-07 || Remote Code execution in JupyterLab and Jupyter Notebook CVE-2021–32797 and CVE-2021–32798<br />
|| [[SVG:Advisory-SVG-CVE-2021-32798| Advisory-SVG-CVE-2021-32798]] || Up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-29, updated 2021-08-03, 2021-09-07 || 2 HTCondor Security Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2021-17304| Advisory-SVG-2021-17304]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-06-16, updated 2021-06-30 || polkit vulnerability - RHEL/CentOS 8 and derivatives<br />
|| [[SVG:Advisory-SVG-CVE-2021-3560| Advisory-SVG-CVE-2021-3560]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>

SVG:Advisory-SVG-CVE-2021-3715 - revision by Cornwall, 2021-10-12T16:30:52Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-3715&diff=113424
Edit summary: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk use-after-free privilege escalation vulnerability in linux kernel [EGI-SVG-CVE-2021-3..."
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk use-after-free privilege <br />
escalation vulnerability in linux kernel [EGI-SVG-CVE-2021-3715] <br />
<br />
Date: 2021-09-10<br />
Updated: 2021-10-12 <br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability concerning the Linux kernel's Traffic Control networking subsystem. <br />
<br />
Package : Linux kernel<br />
CVE ID : CVE-2021-3715<br />
Bug ID : 1993988<br />
<br />
A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking <br />
subsystem in the way it handled changing of classification filters, leading to a use-after-free condition. <br />
This flaw allows unprivileged local users to escalate their privileges on the system. The highest threat <br />
from this vulnerability is to confidentiality, integrity, as well as system availability. [R 1]<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites which do NOT already have the recommended mitigation in place (see below), which has previously been <br />
recommended in order to reduce the risk from various vulnerabilities, should update as soon as possible. <br />
<br />
Other sites should update as soon as is convenient. <br />
<br />
Component installation information<br />
==================================<br />
<br />
Note that at present patches are available for RHEL 7 and derivatives, but not yet for RHEL 8 and derivatives.<br />
<br />
Sites running RHEL 8 and RHEL 7 should see [R 1]<br />
<br />
Sites running CentOS should also see [R 1]<br />
<br />
Sites running Debian should see [R 2] <br />
<br />
Sites running Ubuntu should see [R 3]<br />
<br />
Sites running Scientific Linux should see [R 4]<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
Mitigation is possible by disabling unprivileged _network_ namespaces.<br />
<br />
In general, we recommend unprivileged _network_ namespaces are disabled, if they are not required. <br />
<br />
Note that Singularity continues to work with unprivileged network namespaces disabled [R 5], so unprivileged user <br />
namespaces can be kept enabled for Singularity. <br />
<br />
However, please note that on RHEL/CentOS 8 and derivatives, there are a few system services that by default <br />
expect network namespaces to work: please check [R 5] for further information.<br />
<br />
<br />
More information<br />
================<br />
<br />
The EGI Software Vulnerability Group considers this vulnerability 'HIGH' risk if <br />
unprivileged _network_ namespaces are NOT disabled. <br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-3715 <br />
<br />
Minor updates may be made without re-distribution to the sites.<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6]. <br />
<br />
Note that this is undergoing revision.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/security/cve/CVE-2021-3715 <br />
<br />
[R 2] https://security-tracker.debian.org/tracker/CVE-2021-3715<br />
<br />
[R 3] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3715<br />
<br />
[R 4] https://scientificlinux.org/category/sl-errata/slsa-20213438-1/<br />
<br />
[R 5] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity<br />
<br />
[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Mischa Salle<br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-3715] <br />
<br />
2021-09-09 SVG alerted to this issue by Mischa Salle<br />
2021-09-09 Acknowledgement from the EGI SVG to the reporter<br />
2021-09-09 Investigation of vulnerability and relevance to EGI carried out by EGI SVG<br />
2021-09-10 EGI SVG Risk Assessment completed<br />
2021-09-10 Advisory sent to sites<br />
2021-10-12 Advisory placed on SVG wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6] <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; <br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending <br />
on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the <br />
increasing inhomogeneity of the EGI infrastructure. <br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
</pre></div>

SVG:Advisories - revision by Cornwall, 2021-10-06T11:18:07Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113383
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-07-22, updated 2021-07-28, 2021-08-26, 2021-10-06 || Sequoia Privilege escalation in Linux file system CVE-2021-33909<br />
|| [[SVG:Advisory-SVG-CVE-2021-33909| Advisory-SVG-CVE-2021-33909]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-28, updated 2021-08-12, 2021-08-18, 2021-09-01, 2021-10-06 || Linux kernel vulnerability affecting RHEL/CentOS 8 and derivatives - CVE-2021-22555<br />
|| [[SVG:Advisory-SVG-CVE-2021-22555| Advisory-SVG-CVE-2021-22555]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-08-17, updated 2021-09-07 || Remote Code execution in JupyterLab and Jupyter Notebook CVE-2021–32797 and CVE-2021–32798<br />
|| [[SVG:Advisory-SVG-CVE-2021-32798| Advisory-SVG-CVE-2021-32798]] || Up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-29, updated 2021-08-03, 2021-09-07 || 2 HTCondor Security Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2021-17304| Advisory-SVG-2021-17304]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-06-16, updated 2021-06-30 || polkit vulnerability - RHEL/CentOS 8 and derivatives<br />
|| [[SVG:Advisory-SVG-CVE-2021-3560| Advisory-SVG-CVE-2021-3560]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>

SVG:Advisory-SVG-CVE-2021-33909 - revision by Cornwall, 2021-10-06T10:44:14Z
https://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-33909&diff=113382
Edit summary: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Sequoia Privilege escalation in Linux file system CVE-2021-33909 [EGI-SVG-CVE-..."
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Sequoia Privilege escalation in <br />
Linux file system CVE-2021-33909 [EGI-SVG-CVE-2021-33909]<br />
<br />
Date: 2021-07-22<br />
Updated: 2021-07-28, 2021-08-26, 2021-10-06<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
**UPDATE 2021-08-26 - Qualys have announced that their exploit has been released; therefore the risk <br />
for this vulnerability has been raised to CRITICAL** [R 10] <br />
<br />
CRITICAL risk vulnerability concerning the Linux kernel file system<br />
<br />
Package : Linux kernel<br />
CVE ID : CVE-2021-33909<br />
<br />
A vulnerability has been reported which may allow unprivileged users to gain root access, <br />
via the crafting of a long path name in the file system. [R 1], [R 2], [R 3], [R 4], [R 5]<br />
<br />
**UPDATE 2021-07-28 - updated kernel version now available for Scientific Linux [R 9]**<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
All running resources MUST be patched by 2021-09-03 00:00 UTC if they are not already. <br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
For information related to RedHat see [R 3]<br />
<br />
For information related to Debian see [R 6]<br />
<br />
For information related to Ubuntu see [R 7] <br />
<br />
Note for CentOS a fixed version of the kernel is in the repository, but has not been announced.<br />
<br />
**UPDATE 2021-07-27**<br />
<br />
For information related to Scientific Linux see [R 9]<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
No mitigation for the vulnerability has been identified by RedHat.<br />
<br />
No mitigation has been proposed which does not seriously impact the usability for WLCG and related VOs.<br />
<br />
More information<br />
================<br />
<br />
See the Qualys Security Advisory [R 5] for further details.<br />
<br />
This can be exploited by unprivileged local users via a combination of unprivileged user namespaces and fusermount.<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution<br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-33909<br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to<br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8]<br />
<br />
Note that this is undergoing revision.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/security/vulnerabilities/RHSB-2021-006<br />
<br />
[R 2] https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909<br />
<br />
[R 3] https://access.redhat.com/security/cve/cve-2021-33909<br />
<br />
[R 4] https://nvd.nist.gov/vuln/detail/CVE-2021-33909<br />
<br />
[R 5] https://www.openwall.com/lists/oss-security/2021/07/20/1<br />
<br />
[R 6] https://security-tracker.debian.org/tracker/CVE-2021-33909<br />
<br />
[R 7] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-33909<br />
<br />
[R 8] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 9] https://scientificlinux.org/category/sl-errata/<br />
<br />
[R 10] https://twitter.com/qualys/status/1430606633437040644<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by David Crooks and Dave Dykstra<br />
<br />
Timeline<br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-33909]<br />
<br />
2021-07-20 SVG alerted to this issue by David Crooks and Dave Dykstra<br />
2021-07-20 Acknowledgement from the EGI SVG to the reporter<br />
2021-07-20 Investigation of vulnerability and relevance to EGI carried out <br />
2021-07-21 EGI SVG Risk Assessment completed<br />
2021-07-21 Updated packages available<br />
2021-07-22 Advisory completed and sent to sites. <br />
2021-07-28 Update as fixed version available in Scientific Linux.<br />
2021-08-26 Update as exploit released raising the risk to 'CRITICAL'<br />
2021-10-06 Placed on the EGI SVG wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose<br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8] <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; <br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending <br />
on how the software is used.<br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing <br />
inhomogeneity of the EGI infrastructure.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-22555&diff=113381SVG:Advisory-SVG-CVE-2021-225552021-10-06T10:24:20Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - <br />
Linux kernel vulnerability affecting RHEL/CentOS 8 and derivatives [EGI-SVG-CVE-2021-22555] <br />
<br />
Date: 2021-07-28<br />
Updated: 2021-08-12, 2021-08-18, 2021-09-01, 2021-10-06<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning the Linux kernel on RHEL/CentOS 8 and derivatives.<br />
<br />
Package : linux kernel<br />
CVE ID : CVE-2021-22555<br />
Bug ID : Red Hat Bugzilla – Bug 1980101<br />
<br />
A vulnerability has been found in the Linux kernel where an out-of-bounds write in xt_compat_target_from_user() in <br />
net/netfilter/x_tables.c allows a local user to gain privileges or cause a DoS via user namespaces. [R 1] [R 2] [R 3]<br />
<br />
**UPDATE 2021-09-01**<br />
<br />
This has now been fixed for RHEL 7, CentOS 7 and other derivatives including Scientific Linux.<br />
<br />
On 2021-08-18 it was stated that it had been fixed in Scientific Linux, but that announcement was made in error. <br />
<br />
**UPDATE 2021-08-12**<br />
<br />
This has been fixed for RHEL/CentOS 8 and derivatives.<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
**UPDATE 2021-08-12**<br />
<br />
Sites running RHEL/CentOS 8 or derivatives MUST be either patched, have mitigation in place, or have the <br />
software removed by 2021-09-02 00:00 UTC.<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
**UPDATE 2021-09-01**<br />
<br />
Sites running RHEL/CentOS 7 or derivatives are recommended to update the relevant kernel packages as soon as they reasonably can.<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites running RHEL 8 and RHEL 7 should see [R 2]<br />
<br />
Sites running CentOS 8 should also see [R 2]<br />
<br />
Sites running Debian should see [R 7] <br />
<br />
Sites running Ubuntu should see [R 8]<br />
<br />
Sites running Scientific Linux should see [R 9]<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
A public Proof Of Concept exploit has been released for RHEL/CentOS 8 and derivatives. <br />
For RHEL/CentOS 8 and its derivatives this vulnerability is considered 'CRITICAL' risk. <br />
<br />
Members of the Software Vulnerability Group and others have carried out some testing, and have not been <br />
able to execute the Proof Of Concept exploit for RedHat 7. <br />
We still consider this vulnerability to be 'HIGH' risk for RedHat 7 and its derivatives.<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
For hosts which do not need to run user containers, mitigation is possible as defined in [R 2] <br />
by disabling user namespaces, which may not be suitable for some services. <br />
<br />
In general, we recommend that unprivileged _network_ namespaces be disabled if they are not required [R 5]. <br />
<br />
Note that Singularity still works with network namespaces disabled [R 4], so unprivileged user namespaces can be kept enabled for Singularity. <br />
<br />
However, please note that on RHEL/CentOS 8 and derivatives, there are a few system services that by <br />
default expect network namespaces to work: please check [R 4] for further information.<br />
<br />
In general, the running of containers (e.g. through Docker) is incompatible with the mitigation options considered so far. <br />
<br />
A different mitigation would be to limit access to vulnerable hosts as much as feasible.<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-22555 <br />
<br />
Minor updates may be made without re-distribution to the sites.<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to:<br />
<br />
report-vulnerability at egi.eu <br />
<br />
The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6]. <br />
<br />
Note that this is undergoing revision.<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22555 <br />
<br />
[R 2] https://access.redhat.com/security/cve/CVE-2021-22555<br />
<br />
[R 3] https://bugzilla.redhat.com/show_bug.cgi?id=1980101<br />
<br />
[R 4] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity<br />
<br />
[R 5] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2020-25211<br />
<br />
[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 7] https://security-tracker.debian.org/tracker/CVE-2021-22555<br />
<br />
[R 8] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22555<br />
<br />
[R 9] https://scientificlinux.org/category/sl-errata/slsa-20213327-1/<br />
<br />
<br />
Timeline <br />
========<br />
<br />
Yyyy-mm-dd [EGI-SVG-CVE-2021-22555] <br />
<br />
2021-07-25 Investigation of vulnerability and relevance to EGI carried out by SVG members and Dave Dykstra <br />
2021-07-26 EGI SVG Risk Assessment completed <br />
2021-07-28 Advisory sent to sites to carry out mitigating action in some circumstances<br />
2021-08-12 Update as fixed for RHEL/CentOS 8 and derivatives<br />
2021-08-18 Update as fixed for Scientific Linux (which turned out not to be!)<br />
2021-09-01 Update as fixed for RHEL 7, CentOS 7, and Scientific Linux. <br />
2021-10-06 Placed on the EGI SVG wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities".<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6] in the context <br />
of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure.<br />
<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-22555&diff=113380SVG:Advisory-SVG-CVE-2021-225552021-10-06T10:22:40Z<p>Cornwall: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' **UPDATE 3** [TLP:WHITE] CRITICAL risk - Linux kernel vulnerability affecting RHEL/CentOS 8 and derivativ..."</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE 3** [TLP:WHITE] CRITICAL risk - <br />
Linux kernel vulnerability affecting RHEL/CentOS 8 and derivatives [EGI-SVG-CVE-2021-22555] <br />
<br />
Date: 2021-07-28<br />
Updated: 2021-08-12, 2021-08-18, 2021-09-01, 2021-10-06<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning the Linux kernel on RHEL/CentOS 8 and derivatives.<br />
<br />
Package : linux kernel<br />
CVE ID : CVE-2021-22555<br />
Bug ID : Red Hat Bugzilla – Bug 1980101<br />
<br />
A vulnerability has been found in the Linux kernel where an out-of-bounds write in xt_compat_target_from_user() in <br />
net/netfilter/x_tables.c allows a local user to gain privileges or cause a DoS via user namespaces. [R 1] [R 2] [R 3]<br />
<br />
**UPDATE 2021-09-01**<br />
<br />
This has now been fixed for RHEL 7, CentOS 7 and other derivatives including Scientific Linux.<br />
<br />
On 2021-08-18 it was stated that it had been fixed in Scientific Linux, but that announcement was made in error. <br />
<br />
**UPDATE 2021-08-12**<br />
<br />
This has been fixed for RHEL/CentOS 8 and derivatives.<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
**UPDATE 2021-08-12**<br />
<br />
Sites running RHEL/CentOS 8 or derivatives MUST be either patched, have mitigation in place, or have the <br />
software removed by 2021-09-02 00:00 UTC.<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
**UPDATE 2021-09-01**<br />
<br />
Sites running RHEL/CentOS 7 or derivatives are recommended to update the relevant kernel packages as soon as they reasonably can.<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites running RHEL 8 and RHEL 7 should see [R 2]<br />
<br />
Sites running CentOS 8 should also see [R 2]<br />
<br />
Sites running Debian should see [R 7] <br />
<br />
Sites running Ubuntu should see [R 8]<br />
<br />
Sites running Scientific Linux should see [R 9]<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
A public Proof Of Concept exploit has been released for RHEL/CentOS 8 and derivatives. <br />
For RHEL/CentOS 8 and its derivatives this vulnerability is considered 'CRITICAL' risk. <br />
<br />
Members of the Software Vulnerability Group and others have carried out some testing, and have not been <br />
able to execute the Proof Of Concept exploit for RedHat 7. <br />
We still consider this vulnerability to be 'HIGH' risk for RedHat 7 and its derivatives.<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
For hosts which do not need to run user containers, mitigation is possible as defined in [R 2] <br />
by disabling user namespaces, which may not be suitable for some services. <br />
<br />
In general, we recommend that unprivileged _network_ namespaces be disabled if they are not required [R 5]. <br />
<br />
Note that Singularity still works with network namespaces disabled [R 4], so unprivileged user namespaces can be kept enabled for Singularity. <br />
<br />
However, please note that on RHEL/CentOS 8 and derivatives, there are a few system services that by <br />
default expect network namespaces to work: please check [R 4] for further information.<br />
<br />
In general, the running of containers (e.g. through Docker) is incompatible with the mitigation options considered so far. <br />
<br />
A different mitigation would be to limit access to vulnerable hosts as much as feasible.<br />
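The mitigation section above (and the identical section in the other revision of this advisory) asks sites to be either patched or mitigated by the deadline. The following audit script is an added example, not EGI SVG's, Red Hat's or OSG's own tooling; it assumes that the sysctl keys user.max_user_namespaces and user.max_net_namespaces (0 = creation disabled) are the knobs behind the [R 2] and [R 5] recommendations, and FIXED_KERNEL is a placeholder to be replaced with the fixed release from the vendor references.

```shell
#!/usr/bin/env bash
# Added example (not EGI SVG's own tooling): site-side audit for the
# CVE-2021-22555 advisory. A RHEL/CentOS 8 host is acceptable if it runs the
# fixed kernel, or, failing that, if unprivileged user namespaces are
# disabled as described in [R 2]. The general recommendation to disable
# unprivileged network namespaces [R 5] is reported separately.
#
# Assumptions not stated on the page:
#   - user.max_user_namespaces = 0 disables creation of unprivileged user
#     namespaces and user.max_net_namespaces = 0 disables creation of network
#     namespaces (both are sysctl keys exposed under /proc/sys/user).
#   - FIXED_KERNEL is a PLACEHOLDER; take the real fixed kernel release for
#     your distribution from [R 2], [R 7], [R 8] or [R 9].
FIXED_KERNEL="${FIXED_KERNEL:-4.18.0-PLACEHOLDER.el8}"

# kernel_is_fixed RUNNING FIXED
# Succeeds when RUNNING is the FIXED release or newer. Version order (sort -V)
# is used so RHEL-style releases such as 4.18.0-305.12.1.el8_4 compare sanely.
kernel_is_fixed() {
    local running="$1" fixed="$2"
    # drop the architecture suffix, which is not part of the release number
    running="${running%.x86_64}"
    running="${running%.aarch64}"
    # after a version sort the fixed release must come first (or be equal)
    [ "$(printf '%s\n%s\n' "$fixed" "$running" | sort -V | head -n 1)" = "$fixed" ]
}

# ns_disabled VALUE
# Succeeds when a /proc/sys/user/max_*_namespaces value forbids creation.
ns_disabled() {
    [ "$1" = "0" ]
}

# assess RUNNING_KERNEL MAX_USER_NS [FIXED_KERNEL]
# Prints the verdict the advisory asks sites to reach by the deadline:
#   PATCHED      - fixed kernel running; nothing further required
#   MITIGATED    - vulnerable kernel, but user namespaces disabled per [R 2]
#   EXPOSED      - vulnerable kernel and unprivileged user namespaces enabled
#   UNCONFIGURED - the placeholder fixed release has not been replaced
assess() {
    local running="$1" max_user_ns="$2" fixed="${3:-$FIXED_KERNEL}"
    case "$fixed" in
        *PLACEHOLDER*) echo UNCONFIGURED; return 2 ;;
    esac
    if kernel_is_fixed "$running" "$fixed"; then
        echo PATCHED
    elif ns_disabled "$max_user_ns"; then
        echo MITIGATED
    else
        echo EXPOSED
    fi
}

# netns_status MAX_NET_NS
# Reports on the general recommendation in [R 5]. Remember the advisory's
# caveat: some RHEL/CentOS 8 system services expect network namespaces.
netns_status() {
    if ns_disabled "$1"; then
        echo NETNS-DISABLED
    else
        echo NETNS-ENABLED
    fi
}

# audit_local_host: run both checks against this machine. Only meaningful on
# a RHEL/CentOS 8 family kernel with FIXED_KERNEL set to the real release.
audit_local_host() {
    local running user_ns net_ns
    running="$(uname -r)"
    user_ns="$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)"
    net_ns="$(cat /proc/sys/user/max_net_namespaces 2>/dev/null || echo unknown)"
    echo "$running: $(assess "$running" "$user_ns") $(netns_status "$net_ns")"
}
```

Run `FIXED_KERNEL=<release from [R 2]> bash -c '. ./audit.sh; audit_local_host'` on each host; an EXPOSED verdict after 2021-09-02 00:00 UTC is what the advisory says puts a site at risk of suspension.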
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-22555 <br />
<br />
Minor updates may be made without re-distribution to the sites.<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to:<br />
<br />
report-vulnerability at egi.eu <br />
<br />
The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6]. <br />
<br />
Note that this is undergoing revision.<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22555 <br />
<br />
[R 2] https://access.redhat.com/security/cve/CVE-2021-22555<br />
<br />
[R 3] https://bugzilla.redhat.com/show_bug.cgi?id=1980101<br />
<br />
[R 4] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity<br />
<br />
[R 5] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2020-25211<br />
<br />
[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 7] https://security-tracker.debian.org/tracker/CVE-2021-22555<br />
<br />
[R 8] https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22555<br />
<br />
[R 9] https://scientificlinux.org/category/sl-errata/slsa-20213327-1/<br />
<br />
<br />
Timeline <br />
========<br />
<br />
Yyyy-mm-dd [EGI-SVG-CVE-2021-22555] <br />
<br />
2021-07-25 Investigation of vulnerability and relevance to EGI carried out by SVG members and Dave Dykstra <br />
2021-07-26 EGI SVG Risk Assessment completed <br />
2021-07-28 Advisory sent to sites to carry out mitigating action in some circumstances<br />
2021-08-12 Update as fixed for RHEL/CentOS 8 and derivatives<br />
2021-08-18 Update as fixed for Scientific Linux (which turned out not to be!)<br />
2021-09-01 Update as fixed for RHEL 7, CentOS 7, and Scientific Linux. <br />
2021-10-06 Placed on the EGI SVG wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities".<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6] in the context <br />
of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure.<br />
<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113254SVG:Advisories2021-09-07T16:22:29Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-08-17, updated 2021-09-07 || Remote Code execution in JupyterLab and Jupyter Notebook CVE-2021-32797 and CVE-2021-32798<br />
|| [[SVG:Advisory-SVG-CVE-2021-32798| Advisory-SVG-CVE-2021-32798]] || Up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-29, updated 2021-08-03, 2021-09-07 || 2 HTCondor Security Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2021-17304| Advisory-SVG-2021-17304]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-06-16, updated 2021-06-30 || polkit vulnerability - RHEL/CentOS 8 and derivatives<br />
|| [[SVG:Advisory-SVG-CVE-2021-3560| Advisory-SVG-CVE-2021-3560]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113253SVG:Advisories2021-09-07T16:22:03Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-08-17, updated 2021-09-07 || Remote Code execution in JupyterLab and Jupyter Notebook CVE-2021-32797 and CVE-2021-32798<br />
|| [[SVG:Advisory-SVG-CVE-2021-32797| Advisory-SVG-CVE-2021-32797]] || Up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-07-29, updated 2021-08-03, 2021-09-07 || 2 HTCondor Security Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2021-17304| Advisory-SVG-2021-17304]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-06-16, updated 2021-06-30 || polkit vulnerability - RHEL/CentOS 8 and derivatives<br />
|| [[SVG:Advisory-SVG-CVE-2021-3560| Advisory-SVG-CVE-2021-3560]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-32798&diff=113252SVG:Advisory-SVG-CVE-2021-327982021-09-07T16:17:18Z<p>Cornwall: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] UP TO CRITICAL risk Remote Code execution in JupyterLab and Jupyter Notebook CVE-2021–32797 and CVE-2021..."</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] UP TO CRITICAL risk Remote Code execution in JupyterLab and Jupyter <br />
Notebook CVE-2021-32797 and CVE-2021-32798 [EGI-SVG-CVE-2021-32798] <br />
<br />
Date: 2021-08-17<br />
Updated: 2021-09-07 - changed to [TLP:WHITE] and placed on the wiki.<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
UP TO CRITICAL risk vulnerabilities concerning JupyterLab and Jupyter Notebook<br />
<br />
Package : JupyterLab and Jupyter Notebook<br />
CVE ID : CVE-2021-32797, CVE-2021-32798 <br />
<br />
Vulnerabilities have been reported in JupyterLab (CVE-2021-32797 [R 1], [R 2]) and Jupyter Notebook (CVE-2021-32798 [R 3], <br />
[R 4]) which allow untrusted code in a Notebook to execute on load. <br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites and VOs are recommended to update to the latest version of JupyterLab or Jupyter Notebook as soon as possible. <br />
There are no recommended mitigations.<br />
<br />
Component installation information<br />
==================================<br />
<br />
Please see [R 5], [R 6] <br />
<br />
Mitigation<br />
==========<br />
<br />
There is no recommended mitigation. <br />
<br />
Affected software details<br />
=========================<br />
<br />
This is fixed in the following versions:<br />
<br />
For Jupyter Notebook:<br />
<br />
Patched in the following versions: 5.7.11, 6.4.1<br />
<br />
For JupyterLab:<br />
<br />
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.<br />
<br />
Earlier versions are likely to be vulnerable. <br />
<br />
More information<br />
================<br />
<br />
Please see [R 7]. <br />
<br />
The EGI SVG is aware that this is relevant to FedCloud sites and users, but also other sites and VOs. <br />
<br />
More information on Jupyter is available from their website [R 8]<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-32798 <br />
<br />
Minor updates may be made without re-distribution by e-mail.<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 9] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in future.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://nvd.nist.gov/vuln/detail/CVE-2021-32797<br />
<br />
[R 2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32797<br />
<br />
[R 3] https://nvd.nist.gov/vuln/detail/CVE-2021-32798<br />
<br />
[R 4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-32798 <br />
<br />
[R 5] https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx<br />
<br />
[R 6] https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 <br />
<br />
[R 7] https://blog.jupyter.org/cve-2021-32797-and-cve-2021-32798-remote-code-execution-in-jupyterlab-and-jupyter-notebook-a70fae0d3239 <br />
<br />
[R 8] https://jupyter.org/<br />
<br />
[R 9] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by David Crooks and Baptiste Grenier. <br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-32798] <br />
<br />
2021-08-13 SVG alerted to this issue by David Crooks and Baptiste Grenier<br />
2021-08-16 Acknowledgement from the EGI SVG to the reporter<br />
2021-08-16 Discussed and agreed it is relevant to FedCloud, other sites and some VOs.<br />
2021-08-16 EGI SVG Risk Assessment completed<br />
2021-08-17 Advisory sent to sites and VOs<br />
2021-09-07 Advisory placed on the wiki<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 9] in the context <br />
of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure. <br />
<br />
On behalf of the EGI SVG,<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17304&diff=113251SVG:Advisory-SVG-2021-173042021-09-07T16:11:27Z<p>Cornwall: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] 'HIGH' risk - 2 HTCondor Security Vulnerabilities [EGI-SVG-2021-17304] Date: 2021-07-29..."</p>
<hr />
<div>{{svg-header}}<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] 'HIGH' risk - 2 HTCondor Security Vulnerabilities [EGI-SVG-2021-17304] <br />
<br />
Date: 2021-07-29<br />
Updated: 2021-08-03, 2021-09-07 <br />
<br />
Affected software and risk<br />
==========================<br />
<br />
2 vulnerabilities concerning HTCondor, one of which is HIGH risk. <br />
<br />
Package : HTCondor<br />
<br />
2 vulnerabilities in HTCondor [R 1] [R 2] have been found and fixed by the HTCondor team, including one <br />
which may allow a user to run code as another user and/or read the data accessible to that user's running jobs; <br />
this is considered 'HIGH' risk for the EGI infrastructure. The second vulnerability applies only to sites that <br />
have enabled the use of SciTokens. <br />
<br />
**UPDATE 2021-09-07** <br />
<br />
Changed to [TLP:WHITE] and placed on the wiki.<br />
<br />
**UPDATE 2021-08-03**<br />
<br />
HTCONDOR-2021-0003 [R 1] was NOT fully resolved in the previous release referred to in the advisory on 2021-07-29; <br />
therefore the HTCondor team have released another version.<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites running HTCondor are recommended to update as soon as they reasonably can. <br />
<br />
Component installation information<br />
==================================<br />
<br />
HTCondor may be downloaded from [R 3]<br />
<br />
See 'more information' below from the HTCondor team and OSG. <br />
<br />
Affected software details<br />
=========================<br />
<br />
**UPDATE 2021-08-03**<br />
<br />
HTCONDOR-2021-0003 [R 1] was NOT fully resolved in versions 8.8.14, 9.0.3, 9.1.1<br />
<br />
These vulnerabilities are fixed in the following versions of HTCondor<br />
<br />
8.8.15, 9.0.4, 9.1.2 <br />
<br />
<br />
More information - Provided by the HTCondor team/OSG<br />
======================================================<br />
<br />
**UPDATE 2021-08-03**<br />
<br />
referring to HTCondor 8.8.14, 9.0.3, and 9.1.1. <br />
<br />
Unfortunately, these releases did not fully mitigate the vulnerability described in HTCONDOR-2021-0003. <br />
An attacker with access to the SchedLog file in the HTCondor LOG directory is still able to exploit this vulnerability. <br />
<br />
We are now releasing HTCondor 8.8.15, 9.0.4, and 9.1.2 to fully address this issue.<br />
<br />
<br />
These releases contain important fixes for security issues. <br />
Affected users should update as soon as possible. <br />
<br />
More details on the security issues are in the Vulnerability Reports [R 1] [R 2]<br />
<br />
<br />
<br />
From OSG:--<br />
<br />
Two security vulnerabilities have been discovered in HTCondor, HTCONDOR-2021-0003 [R 1] and HTCONDOR-2021-0004 [R 2], <br />
both of which allow unprivileged users to perform unauthorized actions.<br />
<br />
The OSG Security team considers these vulnerabilities to be of HIGH severity and recommends updating HTCondor <br />
to the fixed version as soon as possible.<br />
<br />
## IMPACTED VERSIONS:<br />
<br />
HTCONDOR-2021-0003 affects SchedD and Collector components in all versions of HTCondor.<br />
HTCONDOR-2021-0004 affects all daemons from version 9.0.0 and above.<br />
<br />
## WHAT IS THE VULNERABILITY:<br />
<br />
HTCONDOR-2021-0003 allows a user with read access to a SchedD or Collector to discover secrets that could allow them <br />
to control other users' jobs and/or read their data.<br />
<br />
HTCONDOR-2021-0004 may allow users bearing a SciToken to be granted authorizations beyond what the token should allow.<br />
<br />
## WHAT YOU SHOULD DO:<br />
<br />
Update any HTCondor-CEs, HTCondor access points, and HTCondor central managers to a fixed version of the software <br />
[R 3] (8.8.14, 9.0.3 or 9.1.1) as soon as reasonably possible.<br />
<br />
A workaround for HTCONDOR-2021-0004 can be implemented by not allowing SciTokens as an authentication method <br />
until the patch can be applied. This means overriding the list of authentication methods (which includes SciTokens by default) <br />
by setting SEC_DEFAULT_AUTHENTICATION_METHODS to all the methods you would actually like to use. To simply remove SciTokens, <br />
set it to "FS,TOKEN,KERBEROS,GSI,SSL". [R 2]<br />
<br />
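The checks a site would run against the 'Affected software details' sections of the Jupyter advisory above and this HTCondor advisory, plus the SciTokens workaround, as an added example that is not EGI SVG, Jupyter or HTCondor code: the FIXED table copies the patched versions stated in the two advisories, the condor_config fragment is constructed, and SCITOKENS is assumed to be the keyword HTCondor uses for the SciTokens authentication method.

```python
"""Triage helper for the Jupyter (CVE-2021-32797/32798) and HTCondor (HTCONDOR-2021-0003/0004)
advisories. Added example; the version table is taken from the advisories, everything else is assumed."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First patched release per release series (major.minor), as stated in the advisories.
FIXED: Dict[str, Dict[Version, Version]] = {
    "jupyter-notebook": {(5, 7): (5, 7, 11), (6, 4): (6, 4, 1)},
    "jupyterlab": {(1, 2): (1, 2, 21), (2, 2): (2, 2, 10), (2, 3): (2, 3, 2),
                   (3, 0): (3, 0, 17), (3, 1): (3, 1, 4)},
    # 8.8.14 / 9.0.3 / 9.1.1 did NOT fully resolve HTCONDOR-2021-0003 (update of 2021-08-03).
    "htcondor": {(8, 8): (8, 8, 15), (9, 0): (9, 0, 4), (9, 1): (9, 1, 2)},
}

AUTH_KEY = "SEC_DEFAULT_AUTHENTICATION_METHODS"
SCITOKENS_METHOD = "SCITOKENS"  # assumed HTCondor keyword for the SciTokens method


def parse_version(text: str) -> Version:
    """'9.0.4' -> (9, 0, 4); a packaging suffix such as '9.0.4-1.el7' is ignored."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def is_patched(product: str, version_text: str) -> bool:
    """True if version_text is at or above the first patched release of its series.
    A series the advisory does not list is treated as patched only if it is newer than
    every listed fix; anything older follows 'earlier versions are likely to be vulnerable'."""
    version = parse_version(version_text)
    table = FIXED[product]
    series = version[:2]
    if series in table:
        return version >= table[series]
    return version >= max(table.values())


def auth_methods_from_config(config_text: str) -> Optional[str]:
    """Value of SEC_DEFAULT_AUTHENTICATION_METHODS in HTCondor config text, or None if unset.
    Lines starting with '#' are comments; a later assignment overrides an earlier one."""
    value = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        match = re.match(rf"{AUTH_KEY}\s*=\s*(.*)$", stripped)
        if match:
            value = match.group(1).strip()
    return value


def htcondor_exposure(version_text: str, auth_methods: Optional[str] = None) -> Dict[str, str]:
    """Status of both HTCondor issues for one host: 'fixed', 'vulnerable', 'not affected'
    or 'mitigated' (0004 only, when SciTokens has been removed from the method list).
    auth_methods=None means the HTCondor default, which includes SciTokens."""
    version = parse_version(version_text)
    patched = is_patched("htcondor", version_text)
    status = {"HTCONDOR-2021-0003": "fixed" if patched else "vulnerable"}
    if version < (9, 0, 0):
        status["HTCONDOR-2021-0004"] = "not affected"  # only daemons 9.0.0 and above
    elif patched:
        status["HTCONDOR-2021-0004"] = "fixed"
    else:
        methods = [] if auth_methods is None else [m.strip().upper() for m in auth_methods.split(",")]
        scitokens_off = auth_methods is not None and SCITOKENS_METHOD not in methods
        status["HTCONDOR-2021-0004"] = "mitigated" if scitokens_off else "vulnerable"
    return status


# Constructed condor_config.local fragment applying the advisory's interim workaround.
SAMPLE_CONFIG = """\
# constructed sample, not from a real site
CONDOR_HOST = cm.example.org
# SciTokens removed until the patched release is installed
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,TOKEN,KERBEROS,GSI,SSL
"""

if __name__ == "__main__":
    # Constructed inventory of (product, version) pairs as a site might collect them.
    inventory = [("jupyterlab", "3.0.16"), ("jupyterlab", "3.1.4"), ("jupyter-notebook", "6.4.0"),
                 ("htcondor", "8.8.14"), ("htcondor", "9.0.3"), ("htcondor", "9.0.4-1.el7")]
    methods = auth_methods_from_config(SAMPLE_CONFIG)
    for product, version in inventory:
        state = "patched" if is_patched(product, version) else "NOT patched"
        line = f"{product:17} {version:12} {state}"
        if product == "htcondor":
            line += "  " + str(htcondor_exposure(version, methods))
        print(line)
```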
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17304 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] http://htcondor.org/security/vulnerabilities/HTCONDOR-2021-0003.html <br />
<br />
[R 2] http://htcondor.org/security/vulnerabilities/HTCONDOR-2021-0004.html <br />
<br />
[R 3] https://research.cs.wisc.edu/htcondor/downloads.html<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported to SVG by Zach Miller of the HTCondor team <br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17304] <br />
<br />
2021-06-23 Vulnerability reported by Zach Miller of the HTCondor team, info shared with SVG<br />
2021-06-24 Acknowledgement from the EGI SVG to the reporter<br />
2021-07-28 Updated packages available <br />
2021-07-28 EGI SVG Risk Assessment completed<br />
2021-07-29 Advisory sent to sites<br />
2021-08-03 Advisory updated due to new information from the HTCondor team, stating that 1 vulnerability had not been fully resolved previously. <br />
2021-09-07 Advisory placed on SVG wiki<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4] in the context of<br />
how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure. <br />
<br />
On behalf of the EGI SVG,<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113099SVG:Advisories2021-06-30T15:28:13Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-06-16, updated 2021-06-30 || polkit vulnerability - RHEL/CentOS 8 and derivatives<br />
|| [[SVG:Advisory-SVG-CVE-2021-3560| Advisory-SVG-CVE-2021-3560]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-3560&diff=113098SVG:Advisory-SVG-CVE-2021-35602021-06-30T15:26:08Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk polkit vulnerability - RHEL/CentOS 8 and derivatives CVE-2021-3560 [EGI-SVG-CVE-2021-3560] <br />
<br />
Date: 2021-06-16<br />
Updated: 2021-06-30 Changed to [TLP:WHITE] and placed on the wiki. <br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning the polkit version in RedHat Enterprise Linux 8 and its derivatives <br />
<br />
Package : polkit<br />
CVE ID : CVE-2021-3560<br />
<br />
A local privilege escalation vulnerability has been found in polkit versions used in Red Hat Enterprise Linux 8 <br />
and its derivatives. [R 1] [R 2]. This was fixed by RedHat in a release from 3rd June 2021. <br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites running RHEL 8 and its derivatives are required to urgently install a patched version, if they have not done so already. <br />
<br />
All running resources MUST be either patched or have mitigation<br />
in place or software removed by 2021-06-23 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites running RHEL 8 should see [R 2]<br />
<br />
Sites running CentOS8 should also see [R 2]<br />
<br />
Sites running Debian should see [R 3] <br />
<br />
Sites running Ubuntu should see [R 4]<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
RHEL 8 and its derivatives are affected.<br />
<br />
RHEL 7 and its derivatives do not appear to be affected.<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-3560 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 5] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/<br />
<br />
[R 2] https://access.redhat.com/security/cve/cve-2021-3560<br />
<br />
[R 3] https://security-tracker.debian.org/tracker/CVE-2021-3560<br />
<br />
[R 4] https://ubuntu.com/security/CVE-2021-3560<br />
<br />
[R 5] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Barbara Krasovec who is a member of the EGI SVG<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-3560] <br />
<br />
2021-06-03 Fixed version available from RedHat<br />
2021-06-14 SVG alerted to this issue by Barbara Krasovec<br />
2021-06-15 EGI SVG Risk Assessment completed<br />
2021-06-16 Advisory sent to sites<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 5] <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; <br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments <br />
depending on how the software is used. <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113067SVG:Advisories2021-06-22T12:18:26Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113066SVG:Advisories2021-06-22T12:17:17Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2020-17010| Advisory-SVG-2020-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113065SVG:Advisories2021-06-22T12:16:57Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability<br />
|| [[SVG:Advisory-SVG-2020-17010| Advisory-SVG2020-17010]] || HIGH || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-06-22 || Singularity vulnerabilities <br />
|| [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17010&diff=113064SVG:Advisory-SVG-2021-170102021-06-22T12:12:17Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
Title: EGI SVG 'ADVISORY' [TLP:AMBER] HIGH risk VOMS-Admin vulnerability [EGI-SVG-2021-17010]<br />
<br />
Date: 2021-06-08<br />
Updated: <br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability affecting VOMS-Admin<br />
<br />
Packages : VOMS-Admin and Apache Struts<br />
CVE ID : (Struts CVE) CVE-2020-17530<br />
<br />
A serious vulnerability has been found in Apache Struts [R 1] [R 2], on which VOMS-Admin depends. <br />
So far no way has been found to exploit this vulnerability via VOMS-Admin. VOMS-Admin has nonetheless<br />
been updated to use the Struts version in which this vulnerability has been eliminated. <br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites running VOMS-Admin should update to voms-admin-server 3.8.1 (which uses Struts 2.5.26) <br />
as soon as they reasonably can if they have not done so already.<br />
<br />
There is the possibility that this vulnerability could be raised to 'Critical' if a way were to be <br />
found to exploit this vulnerability in the context of VOMS-Admin, in which case sites would be required to update urgently.<br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
(although at present this is not available)<br />
<br />
The updated version of the RPM is at:--<br />
<br />
http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
Apache Struts 2.5.25 and earlier 2.x releases contain a serious vulnerability (S2-061, CVE-2020-17530). <br />
<br />
voms-admin-server 3.8.1 has been fixed to use Struts 2.5.26 which does not contain this vulnerability.<br />
<br />
Earlier versions may be vulnerable. <br />
<br />
<br />
More information<br />
================<br />
<br />
The version of Apache Struts used by voms-admin-server 3.8.0 contains a serious vulnerability. <br />
<br />
The VOMS team have produced a new version (3.8.1) which uses Apache Struts 2.5.26 which does not contain this <br />
vulnerability, therefore sites are recommended to update to voms-admin-server 3.8.1.<br />
<br />
So far, no way has been found to exploit this vulnerability when using VOMS-Admin.<br />
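Because the vulnerable component is a library bundled inside the web application rather than a package of its own, a site cannot rely on rpm -q alone to know what it is running. The following is an added example in Python (not VOMS or Apache Struts project code): it walks a directory tree such as a servlet container's webapps directory, finds every struts2-core jar and reads the version from inside the archive, so that a renamed jar cannot hide an old build. It assumes the standard Maven jar layout (META-INF/maven/org.apache.struts/struts2-core/pom.properties, then the manifest's Implementation-Version, then the file name as a last resort); the three jars it builds for itself are constructed test data.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# S2-061 / CVE-2020-17530 is fixed in Struts 2.5.26; anything older is affected.
FIXED_STRUTS = (2, 5, 26)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumed standard Maven location of the artifact descriptor inside the jar.
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(text):
    """Return the first X.Y.Z found in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def struts_version_of(jar_path):
    """Version of a struts2-core jar, read from inside the archive where possible.

    Order: Maven pom.properties, then MANIFEST.MF Implementation-Version,
    then the file name (struts2-core-2.5.25.jar)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
            if POM_PROPERTIES in names:
                for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        v = parse_version(line)
                        if v:
                            return v
            if "META-INF/MANIFEST.MF" in names:
                for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                    if line.startswith("Implementation-Version:"):
                        v = parse_version(line)
                        if v:
                            return v
    except (zipfile.BadZipFile, OSError):
        pass
    return parse_version(Path(jar_path).name)


def find_vulnerable_struts(root):
    """Walk root and return a sorted list of (path, version) for every
    struts2-core jar older than 2.5.26. A jar whose version cannot be
    determined is reported too, with version None, so it is not silently skipped."""
    findings = []
    for jar in Path(root).rglob("struts2-core-*.jar"):
        v = struts_version_of(jar)
        if v is None or v < FIXED_STRUTS:
            findings.append((str(jar), v))
    return sorted(findings)


def build_sample_tree():
    """Constructed test data: three fake struts2-core jars under a temp dir.
    The third is an old build renamed to look like 2.5.26."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    for rel, real_version in (
        ("voms-admin/WEB-INF/lib/struts2-core-2.5.25.jar", "2.5.25"),
        ("other-app/WEB-INF/lib/struts2-core-2.5.26.jar", "2.5.26"),
        ("renamed/WEB-INF/lib/struts2-core-2.5.26.jar", "2.5.22"),
    ):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPERTIES,
                         f"groupId=org.apache.struts\nartifactId=struts2-core\nversion={real_version}\n")
    return root


if __name__ == "__main__":
    for path, version in find_vulnerable_struts(build_sample_tree()):
        print(f"VULNERABLE {path} (struts {version})")
```

Run it against the real webapps directory of the VOMS-Admin host by passing that path to find_vulnerable_struts; the renamed jar in the sample shows why the version is taken from the archive contents rather than the file name.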
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** AMBER information - Limited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
This advisory will be placed on the wiki on or after 2021-06-22 <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17010 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 3] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://nvd.nist.gov/vuln/detail/CVE-2020-17530<br />
<br />
[R 2] https://cwiki.apache.org/confluence/display/WW/S2-061<br />
<br />
[R 3] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to the Struts vulnerability by David Crooks, Andrea Ceccanti confirmed that VOMS-Admin uses Struts. <br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17010] <br />
<br />
2020-12-15 SVG alerted to the Struts vulnerability by David Crooks.<br />
2020-12-15 Acknowledgement from the EGI SVG to the reporter<br />
2020-12-15 Andrea Ceccanti confirmed that VOMS-Admin relies on Struts and became involved in the investigation <br />
2020-12--- No means of exploiting via VOMS-Admin found <br />
2021-02-22 EGI SVG Risk Assessment completed - assessed as 'HIGH' because serious, but lacking exploit<br />
2021-02-22 Assessment by the EGI Software Vulnerability Group reported to the software providers <br />
2021-04-28 Updated packages available in the EGI UMD<br />
2021-06-07 SVG checking open issues, found that this had been fixed. <br />
2021-06-08 Advisory sent to sites<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 3] in the context of <br />
how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing <br />
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-32635&diff=113063SVG:Advisory-SVG-CVE-2021-326352021-06-22T11:58:11Z<p>Cornwall: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity security updates [EGI-SVG-CVE-2021-32635] Date: 2021-06-22 Updated: Affected soft..."</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] Singularity security updates [EGI-SVG-CVE-2021-32635]<br />
<br />
Date: 2021-06-22<br />
Updated: <br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
Package : Singularity<br />
CVE ID : CVE-2021-32635, CVE-2021-29136<br />
<br />
A vulnerability has been found in Singularity (CVE-2021-32635) where it is possible for someone to publish a malicious container <br />
that takes priority over the container a user is expecting to run. [R 1] No way has been identified in which this may <br />
be exploited in EGI. <br />
<br />
A second vulnerability (CVE-2021-29136), where an attacker could overwrite host files, <br />
was fixed earlier, in Singularity 3.7.3 - see [R 2]<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites and users with their own Singularity installations are advised to update to Singularity v3.7.4 at their earliest <br />
convenience if they have not done so already. <br />
<br />
If anyone becomes aware of any situation where these vulnerabilities may have a significant impact on the EGI infrastructure, <br />
then please inform EGI SVG.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
See [R 1]<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
CVE-2021-32635 is fixed in Singularity 3.7.4; Singularity 3.7.2 and 3.7.3 are vulnerable. <br />
<br />
Singularity version 3.7.3 additionally fixes CVE-2021-29136<br />
<br />
<br />
More information<br />
================<br />
<br />
This information is taken from the OSG Security announcement of the 3.7.4 release:--<br />
<br />
A security vulnerability in Singularity has been publicly announced [R 3]. Under conditions unlikely to occur for OSG users, <br />
it is possible for someone to publish a malicious container that takes priority over a container that a user is expecting to run.<br />
<br />
The OSG Security team considers the vulnerability to be of MODERATE severity.<br />
<br />
IMPACTED VERSIONS:<br />
<br />
Singularity 3.7.2 and 3.7.3<br />
<br />
WHAT ARE THE VULNERABILITIES:<br />
<br />
By default, singularity commands that use "library://" for downloading containers read those containers from <br />
https://cloud.sylabs.io. That is a publicly accessible server and anyone may freely create an account there for <br />
storing containers, similar to Docker Hub. Users can also choose to redirect "library://" references to a private <br />
server with the singularity "remote" command. The vulnerability is that the singularity action commands (run/shell/exec) <br />
always try to download from https://cloud.sylabs.io first, so someone could publish a container there with the same name <br />
as a container on the private server and the untrusted container from the public server would instead be used.<br />
<br />
WHAT YOU SHOULD DO:<br />
<br />
If you have Singularity 3.7.2 or 3.7.3 installed and think some of your users might be using a private server for <br />
library:// containers, notify them to either not use it until 3.7.4 is available in EPEL or to create an <br />
identical account name for themselves on https://cloud.sylabs.io.<br />
<br />
<br />
<br />
<br />
This information is provided by the Singularity team in the 3.7.3 release notes, which fix CVE-2021-29136:--<br />
<br />
The umoci [R 2] binary used by Singularity had an issue where layers with a symlink name of '.' or '/' <br />
could modify host files when unpacking an image.<br />
<br />
This vulnerability affects the "singularity build" and "singularity pull" operations when run as root. <br />
Build/pull from a docker or OCI source is affected, as well as the implicit build to SIF that occurs through <br />
root use of run/exec/shell against a malicious docker/OCI image URI. An attacker could exploit this vulnerability <br />
by building an image with a symlink name of '.' or '/' which could overwrite host files.<br />
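The CVE-2021-29136 problem above is a layer-unpacking one: an entry whose type is a symlink and whose name is '.' or '/' redirects the unpack root, so every later entry in the layer lands wherever the link points, on the host if the unpacker runs as root. The following is an added example in Python, not code from the Singularity or umoci projects: it scans a layer tarball for that pattern and for the related absolute-path, '..' traversal and hard-link escapes before anything is unpacked. Ordinary symlinks with absolute targets (such as bin/sh pointing at /usr/bin/dash) are deliberately not flagged, since a correct unpacker resolves them inside the rootfs. The sample layer it builds is constructed in memory and is not a real image.

```python
import io
import posixpath
import tarfile

ROOT_SYMLINK = "symlink whose name is the unpack root: later entries follow it onto the host (CVE-2021-29136 pattern)"


def unsafe_layer_entries(layer_bytes):
    """Scan one image layer (a tar stream, compressed or not) and return
    [(entry name, reason)] for entries a root unpacker must not extract blindly.
    Only the archive metadata is read; nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            norm = posixpath.normpath(m.name)   # "./", "a/.." and "" all normalise to "."
            if m.issym() and norm in (".", "/"):
                findings.append((m.name, ROOT_SYMLINK))
            elif norm.startswith("/"):
                findings.append((m.name, "absolute entry path"))
            elif ".." in norm.split("/"):
                findings.append((m.name, "path traversal via '..'"))
            elif m.islnk() and (m.linkname.startswith("/")
                                or ".." in posixpath.normpath(m.linkname).split("/")):
                findings.append((m.name, "hard link to a path outside the layer"))
    return findings


def build_sample_layer(malicious):
    """Constructed test data, not a real image: a tiny layer with a benign file
    and symlink, plus, if malicious, the '.' symlink trick followed by a file
    that would then be written onto the host, and a '..' traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, target):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)

        add_file("etc/motd", b"constructed layer\n")
        add_symlink("bin/sh", "/usr/bin/dash")      # legitimate absolute target
        if malicious:
            add_symlink(".", "/")                    # redirect the unpack root to the host
            add_file("etc/cron.d/job", b"* * * * * root /tmp/payload\n")  # would land in /etc/cron.d
            add_file("../escape", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_layer_entries(build_sample_layer(malicious=True)):
        print(f"{name!r}: {reason}")
```

To use it on a real image, feed it each layer blob from the OCI layout (the files referenced by the manifest's layers array) and refuse to build or pull if the list is non-empty; note that the entry following the '.' symlink (etc/cron.d/job here) looks entirely ordinary on its own, which is why the symlink itself has to be caught.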
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-32635 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://github.com/hpcng/singularity/releases/tag/v3.7.4<br />
<br />
[R 2] https://github.com/hpcng/singularity/releases/tag/v3.7.3<br />
<br />
[R 3] https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Barbara Krasovec<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-CVE-2021-32635] <br />
<br />
2021-04-07 SVG alerted to CVE-2021-29136 by Barbara Krasovec<br />
2021-04-07 Acknowledgement from the EGI SVG to the reporter <br />
2021-04-07 Updated packages available on GitHub <br />
2021-04-07 Further information provided by Terry Fleury<br />
2021-05-26 SVG alerted to CVE-2021-32635 by Dave Dykstra<br />
2021-06-22 Advisory placed on public wiki for completeness. <br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4] in the context of how <br />
the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing<br />
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113058SVG:Advisories2021-06-16T15:37:40Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-05-18, updated 2021-06-16 || vulnerability concerning SLURM <br />
|| [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-31215&diff=113057SVG:Advisory-SVG-CVE-2021-312152021-06-16T15:35:49Z<p>Cornwall: Created page with "{{svg-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk vulnerability concerning SLURM CVE-2021-31215 [EGI-SVG-CVE-2021-31215] Date: 2021-05-18 U..."</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk vulnerability concerning SLURM CVE-2021-31215 [EGI-SVG-CVE-2021-31215] <br />
<br />
Date: 2021-05-18<br />
Updated: 2021-06-16 - changed to [WHITE]<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability concerning SLURM<br />
<br />
Package : SLURM<br />
CVE ID : CVE-2021-31215<br />
<br />
A vulnerability has been found in Slurm that allows any user to run arbitrary commands as SlurmUser if the<br />
installation uses a PrologSlurmctld and/or EpilogSlurmctld script. [R 1] <br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites running SLURM are recommended to update as soon as possible to version 20.11.7 or 20.02.7 (or later), which include a fix for this issue. <br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites should see [R 3] <br />
<br />
Mitigation<br />
==========<br />
<br />
If sites do NOT run a PrologSlurmctld and/or EpilogSlurmctld script, this is probably not exploitable. <br />
<br />
Affected software details<br />
=========================<br />
<br />
This has been fixed in SLURM versions 20.11.7 and 20.02.7; earlier versions may be vulnerable. <br />
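The condition described in the Mitigation section (a release without the fix combined with a slurmctld prolog or epilog script) can be checked mechanically. The following is an added example in Python, not SchedMD code: it takes the output of sinfo -V (assumed to read "slurm X.Y.Z") and the text of slurm.conf and classifies the controller as fixed, exploitable or mitigated. The fixed releases are the two named above; the assumption that any branch newer than 20.11 post-dates the fix is the example's own, Include files in slurm.conf are not followed, and the slurm.conf fragment is constructed.

```python
import re

# First release carrying the fix on each maintained branch, as named in this advisory.
FIXED_RELEASES = {(20, 2): (20, 2, 7), (20, 11): (20, 11, 7)}
NEWEST_AFFECTED_BRANCH = (20, 11)   # assumption: later branches were cut after the fix
CTLD_SCRIPT_KEYS = ("prologslurmctld", "epilogslurmctld")


def parse_slurm_version(text):
    """Turn 'slurm 20.11.5' (the output of `sinfo -V`) into (20, 11, 5)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """True if this release already contains the CVE-2021-31215 fix.
    Branches older than 20.02 (end of life) never received it."""
    branch = version[:2]
    if branch > NEWEST_AFFECTED_BRANCH:
        return True
    fixed = FIXED_RELEASES.get(branch)
    return fixed is not None and version >= fixed


def ctld_scripts(slurm_conf):
    """Return {key: path} for PrologSlurmctld/EpilogSlurmctld set in slurm.conf.
    Keys are case-insensitive and '#' starts a comment; Include is not followed."""
    found = {}
    for raw in slurm_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in CTLD_SCRIPT_KEYS and value.strip():
            found[key] = value.strip()
    return found


def assess(version_text, slurm_conf):
    """Classify a controller: 'fixed', 'exploitable' (old release and a slurmctld
    prolog/epilog configured) or 'mitigated' (old release but no such script, so
    the known attack path is absent; the update is still required)."""
    version = parse_slurm_version(version_text)
    if version_is_fixed(version):
        return "fixed", {}
    scripts = ctld_scripts(slurm_conf)
    return ("exploitable" if scripts else "mitigated"), scripts


# Constructed slurm.conf fragment for the example (not from a real site).
SAMPLE_SLURM_CONF = """\
ClusterName=egi-demo
SlurmUser=slurm
PrologSlurmctld=/etc/slurm/prolog_ctld.sh   # runs as SlurmUser on the controller
#EpilogSlurmctld=/etc/slurm/epilog_ctld.sh  # commented out, so not active
"""

if __name__ == "__main__":
    print(assess("slurm 20.11.5", SAMPLE_SLURM_CONF))
```

On a real controller, pass the output of sinfo -V and the contents of /etc/slurm/slurm.conf (or wherever the site keeps it); a "mitigated" result only means the known path is closed, not that the release is safe to keep.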
<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
This advisory will be placed on the wiki on or after 2021-05-25 <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-31215 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31215 <br />
<br />
[R 2] https://lists.schedmd.com/pipermail/slurm-announce/2021/000055.html<br />
<br />
[R 3] https://www.schedmd.com/downloads.php<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Barbara Krasovec who is a member of SVG<br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-CVE-2021-31215] <br />
<br />
2021-05-13 SVG alerted to this issue by Barbara Krasovec <br />
2021-05-13 Investigation of vulnerability and relevance to EGI carried out by SVG<br />
2021-05-13 Updated packages available from the software providers <br />
2021-05-17 EGI SVG Risk Assessment completed<br />
2021-05-18 Advisory sent to sites<br />
2021-06-16 Advisory placed on Wiki<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4] <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group,<br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments <br />
depending on how the software is used. <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing <br />
inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-3560&diff=113056SVG:Advisory-SVG-CVE-2021-35602021-06-16T09:49:37Z<p>Cornwall: Created page with "{{svg-header}} <pre> This advisory has not been made public yet. </pre>"</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
This advisory has not been made public yet.<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17010&diff=113039SVG:Advisory-SVG-2021-170102021-06-08T10:04:07Z<p>Cornwall: Created page with "{{svg-header}} <pre> This advisory has not been made public yet. </pre>"</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
This advisory has not been made public yet. <br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113014SVG:Advisories2021-06-03T08:52:11Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to various sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-EGI-SVG-2021-17247&diff=113013SVG:Advisory-EGI-SVG-2021-172472021-06-03T08:51:11Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk - Squid Vulnerability [EGI-SVG-2021-17247]<br />
<br />
Date: 2021-05-12<br />
Updated: 2021-06-03<br />
<br />
<br />
Update 2021-06-03<br />
=================<br />
<br />
EGI UMD 4 has been updated with frontier-squid-4.15-1.2 that fixes the vulnerability.<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability concerning Squid<br />
<br />
Package : Squid, including Frontier Squid [R 3] before version 4.15<br />
<br />
The Squid project has publicly announced [R 1] new vulnerabilities, one of which, CVE-2020-25097 [R 2], is deemed HIGH risk <br />
because it may allow a client to reach services that are not directly accessible from the client host. <br />
The others only concern potential denial of service and are hence deemed low risk.<br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites are recommended to update relevant components or apply the mitigation detailed below as soon as possible.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
Sites using frontier-squid from the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/<br />
<br />
The fixed version is frontier-squid-4.15-1.2.<br />
<br />
<br />
Sites installing Squid from anywhere else should see information from their provider.<br />
<br />
Fixed versions (squid-3.5.20-17.el7_9.6) are available for RHEL 7 [R 5], CentOS 7 [R 6], SL 7 [R 7].<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
For sites that cannot upgrade in a timely manner, temporary workarounds for the<br />
high-risk vulnerability are provided here.<br />
<br />
If frontier-squid is used, update customize.sh with the following line and either reload or restart frontier-squid:<br />
<br />
setoption("uri_whitespace", "deny")<br />
<br />
<br />
<br />
If a plain squid is used instead, set the "uri_whitespace" directive in squid.conf to either:<br />
<br />
uri_whitespace deny<br />
<br />
or<br />
<br />
uri_whitespace encode<br />
<br />
and restart the squid service.<br />
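To confirm that the workaround is actually in effect, check the configuration squid will load rather than the line you remember adding. The following is an added example in Python, not Squid or frontier-squid code: it returns the uri_whitespace value that squid will apply for a squid.conf, or for a frontier-squid customize.sh using the setoption() form shown above, and reports whether that value is one of the two mitigating ones. It assumes squid's documented default of "strip" when the directive is absent and that the last occurrence of the directive wins; the sample configurations are constructed.

```python
import re

MITIGATING_VALUES = {"deny", "encode"}
SQUID_DEFAULT = "strip"    # assumed: squid's built-in default when the directive is absent
_SETOPTION_RE = re.compile(r'setoption\(\s*"uri_whitespace"\s*,\s*"([^"]+)"\s*\)')


def effective_uri_whitespace(squid_conf):
    """uri_whitespace value squid will run with for this squid.conf text.
    Squid keeps the last occurrence of a single-value directive, so a later
    line overrides an earlier one; '#' comments are ignored."""
    value = SQUID_DEFAULT
    for raw in squid_conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "uri_whitespace":
            value = parts[1].lower()
    return value


def frontier_uri_whitespace(customize_sh):
    """Same for a frontier-squid customize.sh, where the setting is written as
    setoption("uri_whitespace", "deny"); the last call wins there too."""
    value = SQUID_DEFAULT
    for raw in customize_sh.splitlines():
        m = _SETOPTION_RE.search(raw.split("#", 1)[0])
        if m:
            value = m.group(1).lower()
    return value


def workaround_applied(text, frontier=False):
    """True when the configuration carries one of the two mitigating values."""
    value = frontier_uri_whitespace(text) if frontier else effective_uri_whitespace(text)
    return value in MITIGATING_VALUES


# Constructed samples, not taken from any real site.
SAMPLE_SQUID_CONF = """\
http_port 3128
uri_whitespace allow     # stale setting left in place ...
acl localnet src 10.0.0.0/8
uri_whitespace deny      # ... but this later line is the one squid applies
"""
SAMPLE_CUSTOMIZE_SH = """\
setoption("cache_mem", "256 MB")
setoption("uri_whitespace", "deny")
"""

if __name__ == "__main__":
    print("squid.conf:", effective_uri_whitespace(SAMPLE_SQUID_CONF), workaround_applied(SAMPLE_SQUID_CONF))
    print("customize.sh:", frontier_uri_whitespace(SAMPLE_CUSTOMIZE_SH), workaround_applied(SAMPLE_CUSTOMIZE_SH, frontier=True))
```

For a plain squid, read /etc/squid/squid.conf (or the path given to squid -f) into effective_uri_whitespace; for frontier-squid, pass customize.sh with frontier=True. A commented-out directive counts for nothing, which is the mistake this check is meant to catch.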
<br />
<br />
Affected software details<br />
=========================<br />
<br />
All upstream versions of squid and frontier-squid earlier than 4.15 are affected; distribution packages carrying the backported fix, such as those listed above for RHEL 7, CentOS 7 and SL 7, are not. <br />
<br />
<br />
Additional information<br />
======================<br />
<br />
Note that exposure of squid services should usually be limited by access control to addresses within a local area network.<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17247 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] http://lists.squid-cache.org/pipermail/squid-announce/2021-May/000127.html<br />
<br />
[R 2] https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6<br />
<br />
[R 3] https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 5] https://access.redhat.com/errata/RHSA-2021:1135<br />
<br />
[R 6] https://lists.centos.org/pipermail/centos-announce/2021-April/048302.html<br />
<br />
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=1049<br />
<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Dave Dykstra.<br />
<br />
Information on these vulnerabilities contained in this advisory is based on the corresponding OSG advisory for these vulnerabilities.<br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17247] <br />
<br />
2021-05-10 SVG alerted to this issue by Dave Dykstra (FNAL)<br />
2021-05-10 Acknowledgement from the EGI SVG to the reporter<br />
2021-05-10 Investigation of vulnerability and relevance to EGI carried out <br />
2021-05-11 EGI SVG Risk Assessment completed <br />
2021-05-11 SVG drafts advisory based on OSG announcement<br />
2021-05-12 Advisory sent to sites<br />
2021-06-03 Update sent to sites<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons license https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113012SVG:Advisories2021-06-03T08:50:11Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
| 2021-05-12 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17247&diff=113010SVG:Advisory-SVG-2021-172472021-06-03T08:49:29Z<p>Cornwall: </p>
<hr />
<div><br />
{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk - Squid Vulnerability [EGI-SVG-2021-17247]<br />
<br />
Date: 2021-05-12<br />
Updated: 2021-06-03<br />
<br />
<br />
Update 2021-06-03<br />
=================<br />
<br />
EGI UMD 4 has been updated with frontier-squid-4.15-1.2 that fixes the vulnerability.<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability concerning Squid<br />
<br />
Package : Squid, including Frontier Squid [R 3] before version 4.15<br />
<br />
The Squid project has publicly announced [R 1] new vulnerabilities, one of which is deemed HIGH risk, viz. CVE-2020-25097 [R 2], because it may allow services to be exposed that are not directly accessible from the client host. The other ones only concern potential denial of service and hence are deemed low risk.<br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites are recommended to update relevant components or apply the mitigation detailed below as soon as possible.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
Sites using frontier-squid from the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/<br />
<br />
The fixed version is frontier-squid-4.15-1.2.<br />
<br />
<br />
Sites installing Squid from anywhere else should see information from their provider.<br />
<br />
Fixed versions (squid-3.5.20-17.el7_9.6) are available for RHEL 7 [R 5], CentOS 7 [R 6], SL 7 [R 7].<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
For sites that cannot upgrade in a timely manner, temporary workarounds for the<br />
high-risk vulnerability are provided here.<br />
<br />
If frontier-squid is used, update customize.sh with the following line and either reload or restart frontier-squid:<br />
<br />
setoption("uri_whitespace", "deny")<br />
<br />
<br />
<br />
If a plain squid is used instead, set the "uri_whitespace" directive in squid.conf to either:<br />
<br />
uri_whitespace deny<br />
<br />
or<br />
<br />
uri_whitespace encode<br />
<br />
and restart the squid service.<br />
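The following is an added example, not part of this advisory and not code from the Squid or frontier-squid projects. It checks a squid.conf for the workaround above (last effective uri_whitespace value deny or encode) and compares an upstream version string against 4.15; the config path and version are assumed to be supplied by the caller, and the sample configs are constructed.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the EGI advisory, the Squid project or frontier-squid):
# checks for the CVE-2020-25097 workaround described in the advisory. The config
# path and version string are passed in by the caller; nothing here is site-specific.

# Print the value of the last uncommented "uri_whitespace" directive in a
# squid.conf, or "strip" when the directive is absent (Squid's built-in default).
# Squid honours the last occurrence of a single-valued directive, so a "deny"
# followed later by "strip" is NOT mitigated.
effective_uri_whitespace() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*uri_whitespace[[:space:]]\{1,\}\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-strip}"
}

# Exit 0 when the effective setting is one of the two values the advisory
# recommends ("deny" or "encode"), 1 for any other value.
uri_whitespace_mitigated() {
    case "$(effective_uri_whitespace "$1")" in
        deny|encode) return 0 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 if an upstream Squid version string (e.g. "4.15", "5.0.5") is at or
# above 4.15, the first fixed upstream release named in the advisory.
# Caveat: vendor builds such as squid-3.5.20-17.el7_9.6 carry a backported fix,
# so for RHEL/CentOS/SL packages compare the package release against the vendor
# errata [R 5]-[R 7] instead of relying on the upstream version alone.
upstream_version_fixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 15 ]; }
}

# Exercise the checks on two constructed squid.conf samples (not real configs).
demo() {
    tmp=$(mktemp)
    # Sample 1: the workaround is only present in a comment, so it is inactive.
    printf 'http_port 3128\n# uri_whitespace deny\nuri_whitespace strip\n' > "$tmp"
    if uri_whitespace_mitigated "$tmp"; then
        echo "sample 1: mitigated"
    else
        echo "sample 1: NOT mitigated (uri_whitespace $(effective_uri_whitespace "$tmp"))"
    fi
    # Sample 2: a later "deny" overrides an earlier "strip".
    printf 'http_port 3128\nuri_whitespace strip\nuri_whitespace deny\n' > "$tmp"
    if uri_whitespace_mitigated "$tmp"; then
        echo "sample 2: mitigated (uri_whitespace $(effective_uri_whitespace "$tmp"))"
    fi
    rm -f "$tmp"
    for v in 3.5.20 4.14 4.15 5.0.5; do
        if upstream_version_fixed "$v"; then
            echo "upstream $v: fixed"
        else
            echo "upstream $v: affected (unless vendor-patched)"
        fi
    done
}

demo
```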
<br />
<br />
Affected software details<br />
=========================<br />
<br />
All versions of squid and frontier-squid earlier than 4.15 are affected. <br />
<br />
<br />
Additional information<br />
======================<br />
<br />
Note that exposure of squid services should usually be limited by access control to addresses within a local area network.<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17247 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] http://lists.squid-cache.org/pipermail/squid-announce/2021-May/000127.html<br />
<br />
[R 2] https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6<br />
<br />
[R 3] https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 5] https://access.redhat.com/errata/RHSA-2021:1135<br />
<br />
[R 6] https://lists.centos.org/pipermail/centos-announce/2021-April/048302.html<br />
<br />
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=1049<br />
<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Dave Dykstra.<br />
<br />
Information on these vulnerabilities contained in this advisory is based on the corresponding OSG advisory for these vulnerabilities.<br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17247] <br />
<br />
2021-05-10 SVG alerted to this issue by Dave Dykstra (FNAL)<br />
2021-05-10 Acknowledgement from the EGI SVG to the reporter<br />
2021-05-10 Investigation of vulnerability and relevance to EGI carried out <br />
2021-05-11 EGI SVG Risk Assessment completed <br />
2021-05-11 SVG drafts advisory based on OSG announcement<br />
2021-05-12 Advisory sent to sites<br />
2021-06-03 Update sent to sites<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons license https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17247&diff=113009SVG:Advisory-SVG-2021-172472021-06-03T08:48:46Z<p>Cornwall: Created page with "Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk - Squid Vulnerability [EGI-SVG-2021-17247] Date: 2021-05-12 Updated: 2021-06-03 Update 2021-06-..."</p>
<hr />
<div>Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] HIGH risk - Squid Vulnerability [EGI-SVG-2021-17247]<br />
<br />
Date: 2021-05-12<br />
Updated: 2021-06-03<br />
<br />
<br />
Update 2021-06-03<br />
=================<br />
<br />
EGI UMD 4 has been updated with frontier-squid-4.15-1.2 that fixes the vulnerability.<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
HIGH risk vulnerability concerning Squid<br />
<br />
Package : Squid, including Frontier Squid [R 3] before version 4.15<br />
<br />
The Squid project has publicly announced [R 1] new vulnerabilities, one of which is deemed HIGH risk, viz. CVE-2020-25097 [R 2], because it may allow services to be exposed that are not directly accessible from the client host. The other ones only concern potential denial of service and hence are deemed low risk.<br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites are recommended to update relevant components or apply the mitigation detailed below as soon as possible.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
Sites using frontier-squid from the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/sw/production/umd/4/centos7/x86_64/updates/<br />
<br />
The fixed version is frontier-squid-4.15-1.2.<br />
<br />
<br />
Sites installing Squid from anywhere else should see information from their provider.<br />
<br />
Fixed versions (squid-3.5.20-17.el7_9.6) are available for RHEL 7 [R 5], CentOS 7 [R 6], SL 7 [R 7].<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
For sites that cannot upgrade in a timely manner, temporary workarounds for the<br />
high-risk vulnerability are provided here.<br />
<br />
If frontier-squid is used, update customize.sh with the following line and either reload or restart frontier-squid:<br />
<br />
setoption("uri_whitespace", "deny")<br />
<br />
<br />
<br />
If a plain squid is used instead, set the "uri_whitespace" directive in squid.conf to either:<br />
<br />
uri_whitespace deny<br />
<br />
or<br />
<br />
uri_whitespace encode<br />
<br />
and restart the squid service.<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
All versions of squid and frontier-squid earlier than 4.15 are affected. <br />
<br />
<br />
Additional information<br />
======================<br />
<br />
Note that exposure of squid services should usually be limited by access control to addresses within a local area network.<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17247 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] http://lists.squid-cache.org/pipermail/squid-announce/2021-May/000127.html<br />
<br />
[R 2] https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6<br />
<br />
[R 3] https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 5] https://access.redhat.com/errata/RHSA-2021:1135<br />
<br />
[R 6] https://lists.centos.org/pipermail/centos-announce/2021-April/048302.html<br />
<br />
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=1049<br />
<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Dave Dykstra.<br />
<br />
Information on these vulnerabilities contained in this advisory is based on the corresponding OSG advisory for these vulnerabilities.<br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17247] <br />
<br />
2021-05-10 SVG alerted to this issue by Dave Dykstra (FNAL)<br />
2021-05-10 Acknowledgement from the EGI SVG to the reporter<br />
2021-05-10 Investigation of vulnerability and relevance to EGI carried out <br />
2021-05-11 EGI SVG Risk Assessment completed <br />
2021-05-11 SVG drafts advisory based on OSG announcement<br />
2021-05-12 Advisory sent to sites<br />
2021-06-03 Update sent to sites<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons license https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113004SVG:Advisories2021-06-01T15:39:01Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
| 2021-05-12 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-EGI-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=113003SVG:Advisories2021-06-01T15:38:05Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI <br />
|| [[SVG:Advisory-EGI-SVG-CVE-2021-27365 | Advisory-EGI-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||<br />
|-<br />
| 2021-05-12 || Squid Vulnerability <br />
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-EGI-SVG-2021-17247]] || HIGH || Fixed ||<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-27365&diff=113002SVG:Advisory-SVG-CVE-2021-273652021-06-01T15:35:13Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk Local Privilege Escalation via iSCSI <br />
CVE-2021-27365 [EGI-SVG-CVE-2021-27365] <br />
<br />
Date: 2021-03-17<br />
Updated: 2021-04-19, 2021-06-01 <br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning Local Privilege Escalation via iSCSI<br />
<br />
Package : Linux iSCSI<br />
CVE ID : CVE-2021-27363, CVE-2021-27364, CVE-2021-27365<br />
<br />
A flaw was found in the Linux kernel. A heap buffer overflow in the iSCSI subsystem is triggered by setting an iSCSI string <br />
attribute to a value larger than one page and then trying to read it. The highest threat from this vulnerability is a <br />
Local Privilege Escalation to root. [R 1]<br />
<br />
More information in [R 2], [R 3]<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
** UPDATE 2021-04-19 **<br />
<br />
Updates are now available for RHEL 7, RHEL 8, [R 1] and CentOS7 [R 5]. <br />
<br />
Updates also appear to be available for Scientific Linux, as the appropriate version of the kernel is in the repository [R 6] <br />
and a notification has been sent [R 7], even though the errata page [R 8] has not been updated.<br />
<br />
** UPDATE 2 2021-04-19 **<br />
<br />
All running resources MUST be either patched or have mitigation<br />
in place or software removed by 2021-04-27 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. <br />
<br />
Note: the iSCSI subsystem is only required on hosts that actually have some need to interact with SCSI HW via a network.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites installing RHEL should see [R 1]<br />
<br />
Sites installing CentOS7 should see [R 5]<br />
<br />
Sites installing Scientific Linux should see [R 7]<br />
<br />
Mitigation<br />
==========<br />
<br />
This has been copied directly from the RedHat site [R 1] <br />
<br />
The LIBISCSI module will be auto-loaded when required; its use can be disabled by preventing <br />
the module from loading with the following instructions:<br />
<br />
# echo "install libiscsi /bin/true" >> /etc/modprobe.d/disable-libiscsi.conf<br />
<br />
The system will need to be restarted if the libiscsi modules are loaded. In most circumstances, <br />
the libiscsi kernel modules will be unable to be unloaded while any network interfaces are active and the protocol is in use.<br />
<br />
If the system requires iscsi to work correctly, this mitigation may not be suitable.<br />
<br />
<br />
More information<br />
================<br />
<br />
At least one site in the UK has carried out the mitigation, and no problems have been experienced.<br />
<br />
Sites may wish to try `lsmod | grep iscsi` to find out if iSCSI has been loaded prior to carrying out the mitigation.<br />
<br />
An update will be provided when this vulnerability has been fixed.<br />
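The following is an added example, not part of this advisory and not from Red Hat. It combines the lsmod check above with a check for the modprobe.d line from the Mitigation section and reports whether a host is unmitigated, mitigated, or mitigated on disk but still needs a restart. The modprobe.d directory and an lsmod listing are assumed to be passed in as arguments (on a live host, /etc/modprobe.d and the output of lsmod); the samples below are constructed.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the EGI advisory or Red Hat): classifies a host's state
# with respect to the libiscsi modprobe workaround in the advisory. The modprobe.d
# directory and an lsmod-style listing are passed in as arguments so the logic
# can be tried on constructed samples before it is pointed at a live host
# (/etc/modprobe.d and the output of lsmod).

# Exit 0 if any *.conf in the directory carries the advisory's exact
# "install libiscsi /bin/true" line, uncommented.
libiscsi_install_blocked() {
    grep -qsE '^[[:space:]]*install[[:space:]]+libiscsi[[:space:]]+/bin/true' "$1"/*.conf
}

# Exit 0 if the lsmod listing shows any iSCSI module (libiscsi, iscsi_tcp,
# scsi_transport_iscsi, ...), i.e. the advisory's "lsmod | grep iscsi" check.
iscsi_modules_loaded() {
    grep -q 'iscsi' "$1"
}

# Print one of four states:
#   unmitigated       iSCSI modules loaded, no modprobe block in place
#   restart-required  block written, but modules were loaded before it (reboot)
#   mitigated         block in place and nothing loaded
#   not-loaded        nothing loaded, but no block either: still patch or mitigate
iscsi_state() {
    dir="$1"
    lsmod_file="$2"
    if iscsi_modules_loaded "$lsmod_file"; then
        if libiscsi_install_blocked "$dir"; then
            echo "restart-required"
        else
            echo "unmitigated"
        fi
    elif libiscsi_install_blocked "$dir"; then
        echo "mitigated"
    else
        echo "not-loaded"
    fi
}

# Walk through the states on constructed samples (not taken from a real host).
demo() {
    d=$(mktemp -d)
    l=$(mktemp)
    printf 'Module                  Size  Used by\next4                  700000  1\n' > "$l"
    echo "fresh host, no iSCSI:             $(iscsi_state "$d" "$l")"
    printf 'Module                  Size  Used by\nlibiscsi               57000  1 iscsi_tcp\n' > "$l"
    echo "iSCSI loaded, no workaround:      $(iscsi_state "$d" "$l")"
    # The advisory's mitigation line, written into the sample modprobe.d directory.
    echo "install libiscsi /bin/true" >> "$d/disable-libiscsi.conf"
    echo "workaround written, still loaded: $(iscsi_state "$d" "$l")"
    printf 'Module                  Size  Used by\next4                  700000  1\n' > "$l"
    echo "after restart:                    $(iscsi_state "$d" "$l")"
    rm -rf "$d" "$l"
}

demo
```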
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2021-27365 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 4] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/security/cve/CVE-2021-27365<br />
<br />
[R 2] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html<br />
<br />
[R 3] https://nvd.nist.gov/vuln/detail/CVE-2021-27365<br />
<br />
[R 4] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 5] https://lists.centos.org/pipermail/centos-announce/2021-April/048298.html<br />
<br />
[R 6] http://ftp.scientificlinux.org/linux/scientific/7/x86_64/updates/security/<br />
<br />
[R 7] https://listserv.fnal.gov/scripts/wa.exe?A2=ind2104&L=SCIENTIFIC-LINUX-ERRATA&P=76<br />
<br />
[R 8] https://www.scientificlinux.org/category/sl-errata/ <br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by David Crooks <br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2021-27365] <br />
<br />
2021-03-16 SVG alerted to this issue by David Crooks<br />
2021-03-16 Acknowledgement from the EGI SVG to the reporter <br />
2021-03-17 EGI SVG Risk Assessment completed<br />
2021-03-17 Advisory to sites to carry out mitigation<br />
2021-04-19 Advisory updated as relevant versions of Linux have been fixed.<br />
2021-04-19 Further update to require sites to update in 7 days.<br />
2021-06-01 Changed to [TLP:WHITE] and placed on the wiki.<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 4], <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; <br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending <br />
on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112838SVG:Advisories2021-04-06T11:35:12Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities<br />
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with the reducing homogeneity of the infrastructure and to handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2020-25211&diff=112837SVG:Advisory-SVG-CVE-2020-252112021-04-06T11:31:43Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] HIGH risk Linux Kernel release fixing various software vulnerabilities <br />
[EGI-SVG-CVE-2020-25211] <br />
<br />
Date: 2021-01-06<br />
Updated: 2021-03-22, 2021-04-06<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
Various vulnerabilities concerning the Linux kernel including 2 which are 'HIGH' risk <br />
<br />
Package : Linux Kernel<br />
CVE ID : CVE-2020-25211, CVE-2020-29661<br />
Bug ID : Red Hat Bugzilla 1877571<br />
<br />
CVE-2020-25211: A buffer overflow vulnerability has been announced by RedHat which may allow a local user <br />
to crash the system, compromise data confidentiality and compromise the integrity of the system. [R 1] [R 2] [R 3] [R 4]<br />
<br />
Additionally, this Advisory acts as an 'UPDATE' to the advisory sent on 6th January 2021 concerning this <br />
vulnerability and asking sites to mitigate. <br />
<br />
CVE-2020-29661: A locking vulnerability was found in the tty subsystem of the Linux kernel in drivers/tty/tty_jobctrl.c. <br />
This flaw allows a local attacker to possibly corrupt memory or escalate privileges. <br />
The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. [R 7]<br />
<br />
Other vulnerabilities may also have been fixed in this release.<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Updated packages are available for RHEL 7 and 8 and CentOS 7 and 8<br />
<br />
Sites which have not updated already should update as soon as possible.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites should see [R 4] [R 7] <br />
<br />
<br />
Mitigation for CVE-2020-25211<br />
=============================<br />
<br />
Ensure that unprivileged _network_ namespaces are disabled, if they are not required. <br />
<br />
Note that unprivileged user/network namespaces are enabled by default in RHEL 8 but not in RHEL 7 and derivatives. <br />
<br />
If sites need to have unprivileged _network_ namespaces enabled they should consider the mitigation in [R 4], [R 5]<br />
<br />
<br />
More information<br />
================<br />
<br />
There is the possibility that one of these vulnerabilities may be elevated to 'CRITICAL' <br />
if a public exploit is released which allows easy exploitation.<br />
<br />
In general, the EGI SVG recommends disabling _network_ namespaces whenever possible, as many vulnerabilities <br />
are only exploitable if network namespaces are enabled. <br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2020-25211 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 6] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://access.redhat.com/errata/RHSA-2021:0003<br />
<br />
[R 2] https://nvd.nist.gov/vuln/detail/CVE-2020-25211<br />
<br />
[R 3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25211 <br />
<br />
[R 4] https://access.redhat.com/security/cve/CVE-2020-25211<br />
<br />
[R 5] https://access.redhat.com/solutions/41278<br />
<br />
[R 6] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
[R 7] https://access.redhat.com/security/cve/CVE-2020-29661<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to both of the vulnerabilities specifically mentioned above by Vincent Brillault <br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-CVE-2020-25211] <br />
<br />
2021-01-04 SVG alerted to CVE-2020-25211 by Vincent Brillault<br />
2021-01-04 Acknowledgement from the EGI SVG to the reporter<br />
2021-01-04 Investigation of vulnerability and relevance to EGI carried out<br />
2021-01-05 EGI SVG Risk Assessment completed<br />
2021-01-06 Advisory sent to sites to mitigate CVE-2020-25211<br />
2021-02-17 SVG alerted to CVE-2020-29661 by Vincent Brillault<br />
2021-03-16 RedHat Kernel release which fixes various vulnerabilities, including CVE-2020-25211, CVE-2020-29661<br />
2021-03-22 Advisory/update issued as fix available for RHEL 7, CentOS 7, RHEL 8, CentOS 8 for at least 2 vulnerabilities.<br />
2021-04-06 Advisory placed on the EGI SVG wiki<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 6] in the context of how the <br />
software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2020-16935&diff=112806SVG:Advisory-SVG-2020-169352021-03-23T14:05:53Z<p>Cornwall: </p>
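The mitigation section of the CVE-2020-25211 advisory above asks sites to ensure that unprivileged network namespaces are disabled where they are not required. The following host check is an added example, not part of the advisory or of any EGI tool: it assumes the mitigation is applied in the usual Red Hat way, by setting the `user.max_user_namespaces` sysctl to 0 (the advisory itself does not name the sysctl), and confirms the result with a functional probe, `unshare -Un true`, run as an ordinary user.

```python
"""Check whether unprivileged user namespaces (and so unprivileged network
namespaces) are available on this host, as a verification of the
CVE-2020-25211 mitigation recommended by EGI SVG.

Added example; assumes the Red Hat-style mitigation of setting the sysctl
user.max_user_namespaces to 0. That sysctl name is not stated in the advisory."""
import os
import subprocess

# Location of the sysctl in procfs (assumption: present on RHEL 7/8 kernels).
SYSCTL_PATH = "/proc/sys/user/max_user_namespaces"


def classify_max_user_namespaces(raw):
    """Interpret the contents of user.max_user_namespaces.

    raw is the file contents as a string, or None when the file is absent.
    Returns "disabled", "enabled", "absent" or "unparseable".
    """
    if raw is None:
        # No sysctl at all: the kernel predates it or lacks user namespaces.
        return "absent"
    try:
        limit = int(raw.strip())
    except ValueError:
        return "unparseable"
    # 0 means no unprivileged user namespace can be created, which also
    # removes the unprivileged route to a new network namespace.
    return "disabled" if limit == 0 else "enabled"


def read_sysctl(path=SYSCTL_PATH):
    """Return the sysctl file contents, or None if the file does not exist."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def probe_unprivileged_netns(timeout=5):
    """Functional check: try to create a user+network namespace without privilege.

    Returns True if 'unshare -Un true' succeeds (unprivileged network
    namespaces are still usable), False if the kernel refuses it, and None
    when the probe is not meaningful (running as root) or cannot be run.
    """
    if os.geteuid() == 0:
        return None  # root can always unshare; run this as an ordinary user
    try:
        result = subprocess.run(["unshare", "-Un", "true"],
                                capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return result.returncode == 0


def mitigation_status(sysctl_state, probe_result):
    """Combine the sysctl reading and the probe into one verdict string."""
    if probe_result is True:
        return "NOT mitigated: an unprivileged user can create a network namespace"
    if sysctl_state == "disabled":
        return "mitigated: user.max_user_namespaces is 0"
    if sysctl_state == "enabled" and probe_result is None:
        return "NOT mitigated: user.max_user_namespaces is above 0"
    # e.g. sysctl absent, or sysctl > 0 but the probe was refused by some
    # other control; needs a human look rather than a verdict.
    return "inconclusive: sysctl %s, probe %r" % (sysctl_state, probe_result)


if __name__ == "__main__":
    state = classify_max_user_namespaces(read_sysctl())
    probe = probe_unprivileged_netns()
    print("user.max_user_namespaces:", state)
    print("unprivileged netns probe:", probe)
    print(mitigation_status(state, probe))
```

Setting the sysctl to 0 also stops rootless container runtimes and any other software that relies on unprivileged user namespaces, which is why the advisory qualifies the mitigation with "if they are not required".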
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] CRITICAL risk DPM vulnerability allowing file deletion <br />
[EGI-SVG-2020-16935] <br />
<br />
Date: 2020-11-06<br />
Updated: 2021-03-23<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning DPM 1.14.0 and 1.14.1<br />
<br />
Package : DPM <br />
<br />
A vulnerability in DPM 1.14.0 and 1.14.1 allows users to delete other users' files. <br />
This vulnerability is not present in versions of DPM prior to 1.14.0. <br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites which have installed DPM 1.14.0 or 1.14.1 should take urgent action. <br />
<br />
DPM version 1.14.2, which contains a fix for this vulnerability, is available from EPEL for RHEL/SL/CentOS 7.<br />
<br />
It is sufficient for sites just to upgrade the head nodes to address this vulnerability. <br />
<br />
Component installation information<br />
==================================<br />
<br />
Sites installing DPM from EPEL should see <br />
<br />
https://fedoraproject.org/wiki/EPEL<br />
<br />
https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/d/<br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
Note that at present DPM 1.13.0 is the version in the EGI UMD.<br />
<br />
Also note that sites should have already migrated from SL6 and its derivatives.<br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
We are not currently aware of any mitigating action. <br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
This vulnerability affects only DPM versions 1.14.0 and 1.14.1. It is fixed in DPM 1.14.2.<br />
<br />
Earlier versions of DPM are not affected.<br />
<br />
Other Information<br />
=================<br />
<br />
** UPDATE 2021-03-23 **<br />
<br />
Previously there were problems with the configuration required by CMS. <br />
<br />
This has been resolved; it was fixed with the xrootd 5.0.3-2 rebuild. <br />
<br />
When the advisory was sent to sites, it additionally referred to RedHat 6 and its derivatives; <br />
since RedHat 6 is past its end of life and sites should no longer be using it, that reference has been removed.<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2020-16935<br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 1] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported to SVG by Matt Doidge <br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2020-16935] <br />
<br />
2020-10-29 Vulnerability reported by Matt Doidge<br />
2020-10-29 Acknowledgement from the EGI SVG to the reporter<br />
2020------ Software providers responded and were involved in the investigation<br />
2020------ Investigation of vulnerability and relevance to EGI carried out <br />
2020-11-02 Fixed version in EPEL testing for RH7 and derivatives<br />
2020-11--- Discussion on situation, clarification of affected versions, and actions to take. <br />
2020-11-04 EGI SVG Risk Assessment completed<br />
2020-11-05 Further discussions on what to recommend to sites<br />
2020-11-06 Initial Advisory sent to sites <br />
2021-03-23 Advisory placed on SVG wiki after checking issue with CMS fully resolved.<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 1] <br />
in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; <br />
we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending <br />
on how the software is used. <br />
<br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112805SVG:Advisories2021-03-23T14:04:24Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion <br />
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with the reducing homogeneity of the infrastructure and to handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112800SVG:Advisories2021-03-22T12:25:47Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions.<br />
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||<br />
|-<br />
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with the reducing homogeneity of the infrastructure and to handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17030&diff=112799SVG:Advisory-SVG-2021-170302021-03-22T12:23:44Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - 2 HTCondor Vulnerabilities affecting a limited number of versions. <br />
[EGI-SVG-2021-17030] <br />
<br />
Date: 2021-01-15<br />
Updated: 2021-03-22<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
2 CRITICAL risk vulnerabilities concerning HTCondor<br />
<br />
Package : HTCondor <br />
<br />
2 vulnerabilities have been found concerning HTCondor, affecting a limited number of versions. <br />
One may allow any authenticated user to impersonate any other user on the Condor system, and potentially <br />
reconfigure the HTCondor daemons. The other may allow any authenticated user to overwrite any file. <br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Any site running HTCondor versions 8.9.2 through 8.9.10 should consider taking action.<br />
<br />
There are 3 options: install the 8.8.X stable series, update prior to the public release using the instructions below, <br />
or carry out the mitigation below until the fix is released publicly. <br />
<br />
Releases 8.8.X (STABLE SERIES) are NOT vulnerable.<br />
<br />
Mitigation<br />
==========<br />
<br />
From the HTCondor team:--<br />
<br />
For the impersonation vulnerability affecting HTCondor 8.9.2 through 8.9.10 (inclusive):--<br />
<br />
If you do not need to use IDTOKENS, you can disable that authentication method by specifying a list of authentication mechanisms that does not include it. <br />
<br />
On Linux, you would want to set, e.g., (removing any other methods you did not want to use): <br />
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,SSL,GSI,KERBEROS,MUNGE<br />
<br />
On Windows, you would want to set, e.g., (removing any other methods you did not want to use): <br />
SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI,PASSWORD,SSL,KERBEROS<br />
<br />
You should also check your configuration for other places you may have explicitly set the list of methods: <br />
condor_config_val -dump AUTHENTICATION_METHODS<br />
After making any changes, you will need to run <br />
condor_reconfig<br />
<br />
For the File overwrite Vulnerability:--<br />
<br />
Do not enable the condor_credd if you are not depending on it. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
From the HTCondor team:--<br />
<br />
If you decide to install v8.9.11 ahead of the public release on January 27, you will need to add an additional repository to your system as detailed below.<br />
<br />
After January 27, the v8.9.11 release will be in the usual public HTCondor repositories, so you can upgrade in your usual manner.<br />
<br />
Use the repo that matches your system:<br />
<br />
(cd /etc/yum.repos.d; wget "repo URL")<br />
<br />
Enterprise Linux 7:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/el7/private/htcondor-v8911.repo<br />
<br />
Enterprise Linux 8:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/el8/private/htcondor-v8911.repo<br />
<br />
Amazon Linux 2:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/amzn2/private/htcondor-v8911.repo<br />
<br />
If you are installing on Debian/Ubuntu, use the security repository in addition to the regular repository.<br />
<br />
Use the repo that matches your system:<br />
<br />
(cd /etc/apt/sources.list.d; wget "repo URL")<br />
<br />
Debian 9 (stretch):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/debian/8.9-private/htcondor-v8911-stretch.list<br />
<br />
Debian 10 (buster):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/debian/8.9-private/htcondor-v8911-buster.list<br />
<br />
Ubuntu 16 (xenial):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-xenial.list<br />
<br />
Ubuntu 18 (bionic):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-bionic.list<br />
<br />
Ubuntu 20 (focal):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-focal.list<br />
<br />
Tarballs can be picked up at:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/tarball/8.9/8.9.11/private/<br />
<br />
Affected software details<br />
=========================<br />
<br />
Impersonation vulnerability in HTCondor 8.9.2 through 8.9.10 (inclusive)<br />
<br />
File overwrite vulnerability in HTCondor 8.9.7 through 8.9.10 (inclusive)<br />
<br />
Both these issues are fixed in HTCondor version 8.9.11.<br />
<br />
Releases 8.8.X STABLE SERIES are NOT vulnerable.<br />
<br />
<br />
More information<br />
================<br />
<br />
These vulnerabilities are NOT publicly known about and the HTCondor team is not aware of any site where either has been exploited yet. <br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17030 <br />
<br />
Minor updates may be made without re-distribution to the sites.<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 1] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Zach Miller from the HTCondor Team <br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17030] <br />
<br />
2021-01-13 SVG alerted to this issue by Zach Miller from the HTCondor Team.<br />
2021-01-14 Acknowledgement from the EGI SVG to the reporter<br />
2021-01-14 EGI SVG Risk Assessment completed<br />
2021-01-15 Advisory sent to sites<br />
2021-03-22 Advisory placed on SVG Wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 1] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2021-17030&diff=112798SVG:Advisory-SVG-2021-170302021-03-22T12:23:10Z<p>Cornwall: Created page with "{{SVG-header}} <pre> Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - 2 HTCondor Vulnerabilities affecting a limited number of versions. [EGI-SVG-20..."</p>
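The mitigation section of the HTCondor advisory (both revisions of Advisory-SVG-2021-17030 in this feed) tells sites to remove IDTOKENS from every AUTHENTICATION_METHODS setting and to find such settings with `condor_config_val -dump AUTHENTICATION_METHODS`. The following checker is an added example, not HTCondor's code and not part of the advisory: it assumes the dump prints one `NAME = VALUE` line per matching setting with `#` comment lines, and the sample dump below is constructed.

```python
"""Scan the output of `condor_config_val -dump AUTHENTICATION_METHODS` for
settings that still list IDTOKENS, the method the HTCondor mitigation removes.

Added example, not HTCondor's own code and not part of the EGI SVG advisory.
Assumes the dump prints one `NAME = VALUE` line per matching setting, with
comment lines starting with '#'."""
import re
import subprocess

# Constructed sample of a dump from an 8.9.x pool (not real output).
SAMPLE_DUMP = """\
# Configuration from machine: ce01.example.invalid
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,IDTOKENS,SSL,GSI
SEC_CLIENT_AUTHENTICATION_METHODS = FS,PASSWORD,SSL
SEC_DAEMON_AUTHENTICATION_METHODS = idtokens, password
SEC_READ_AUTHENTICATION_METHODS = FS,PASSWORD,SSL,GSI,KERBEROS,MUNGE
"""

# Linux list recommended by the HTCondor team in the advisory.
LINUX_RECOMMENDED = "FS,PASSWORD,SSL,GSI,KERBEROS,MUNGE"


def parse_dump(text):
    """Return {setting_name: [METHOD, ...]} for every *AUTHENTICATION_METHODS line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if not name.endswith("AUTHENTICATION_METHODS"):
            continue
        # HTCondor accepts comma- or whitespace-separated lists and ignores
        # case, so normalise both before comparing.
        settings[name] = [m.upper() for m in re.split(r"[\s,]+", value) if m]
    return settings


def idtokens_offenders(text):
    """Names of settings whose method list still includes IDTOKENS, in dump order."""
    return [name for name, methods in parse_dump(text).items()
            if "IDTOKENS" in methods]


def without_idtokens(methods):
    """Proposed replacement list: same methods, IDTOKENS removed, order kept."""
    return ",".join(m for m in methods if m != "IDTOKENS")


def report(text):
    """One line per offending setting, or a note that nothing explicit was found."""
    settings = parse_dump(text)
    lines = ["%s still allows IDTOKENS; set it to %s"
             % (name, without_idtokens(settings[name]))
             for name in idtokens_offenders(text)]
    if not lines:
        lines.append("no explicit AUTHENTICATION_METHODS setting lists IDTOKENS; "
                     "the built-in default still applies, so review it too")
    return "\n".join(lines)


def live_dump():
    """Run the command from the advisory on this host (needs HTCondor installed)."""
    return subprocess.run(["condor_config_val", "-dump", "AUTHENTICATION_METHODS"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

After editing the offending settings, `condor_reconfig` must be run as the advisory states; rerunning this check against a fresh dump confirms that no list still contains IDTOKENS.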
<hr />
<div>{{SVG-header}}<br />
<br />
<pre><br />
Title: EGI SVG 'ADVISORY' [TLP:WHITE] CRITICAL risk - 2 HTCondor Vulnerabilities affecting a limited number of versions. <br />
[EGI-SVG-2021-17030] <br />
<br />
Date: 2021-01-15<br />
Updated: 2021-03-22<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
2 CRITICAL risk vulnerabilities concerning HTCondor<br />
<br />
Package : HTCondor <br />
<br />
2 vulnerabilities have been found concerning HTCondor, affecting a limited number of versions. <br />
One may allow any authenticated user to impersonate any other user on the Condor system, and potentially <br />
reconfigure the HTCondor daemons. The other may allow any authenticated user to overwrite any file. <br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Any site running HTCondor versions 8.9.2 through 8.9.10 should consider taking action.<br />
<br />
There are 3 options: install the 8.8.X stable series, update prior to the public release using the instructions below, <br />
or carry out the mitigation below until the fix is released publicly. <br />
<br />
Releases 8.8.X (STABLE SERIES) are NOT vulnerable.<br />
<br />
Mitigation<br />
==========<br />
<br />
From the HTCondor team:--<br />
<br />
For the impersonation vulnerability affecting HTCondor 8.9.2 through 8.9.10 (inclusive):--<br />
<br />
If you do not need to use IDTOKENS, you can disable that authentication method by specifying a list of authentication mechanisms that does not include it. <br />
<br />
On Linux, you would want to set, e.g., (removing any other methods you did not want to use): <br />
SEC_DEFAULT_AUTHENTICATION_METHODS = FS,PASSWORD,SSL,GSI,KERBEROS,MUNGE<br />
<br />
On Windows, you would want to set, e.g., (removing any other methods you did not want to use): <br />
SEC_DEFAULT_AUTHENTICATION_METHODS = NTSSPI,PASSWORD,SSL,KERBEROS<br />
<br />
You should also check your configuration for other places you may have explicitly set the list of methods: <br />
condor_config_val -dump AUTHENTICATION_METHODS<br />
After making any changes, you will need to run <br />
condor_reconfig<br />
<br />
For the File overwrite Vulnerability:--<br />
<br />
Do not enable the condor_credd if you are not depending on it. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
From the HTCondor team:--<br />
<br />
If you decide to install v8.9.11 ahead of the public release on January 27, you will need to add an additional repository to your system as detailed below.<br />
<br />
After January 27, the v8.9.11 release will be in the usual public HTCondor repositories, so you can upgrade in your usual manner.<br />
<br />
Use the repo that matches your system:<br />
<br />
(cd /etc/yum.repos.d; wget "repo URL")<br />
<br />
Enterprise Linux 7:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/el7/private/htcondor-v8911.repo<br />
<br />
Enterprise Linux 8:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/el8/private/htcondor-v8911.repo<br />
<br />
Amazon Linux 2:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/repo/8.9/amzn2/private/htcondor-v8911.repo<br />
<br />
If you are installing on Debian/Ubuntu, use the security repository in addition to the regular repository.<br />
<br />
Use the repo that matches your system:<br />
<br />
(cd /etc/apt/sources.list.d; wget "repo URL")<br />
<br />
Debian 9 (stretch):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/debian/8.9-private/htcondor-v8911-stretch.list<br />
<br />
Debian 10 (buster):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/debian/8.9-private/htcondor-v8911-buster.list<br />
<br />
Ubuntu 16 (xenial):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-xenial.list<br />
<br />
Ubuntu 18 (bionic):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-bionic.list<br />
<br />
Ubuntu 20 (focal):<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/ubuntu/8.9-private/htcondor-v8911-focal.list<br />
<br />
Tarballs can be picked up at:<br />
<br />
https://v8911:GsktumXnevC8SwGE@research.cs.wisc.edu/htcondor/tarball/8.9/8.9.11/private/<br />
<br />
Affected software details<br />
=========================<br />
<br />
Impersonation vulnerability in HTCondor 8.9.2 through 8.9.10 (inclusive)<br />
<br />
File overwrite vulnerability in HTCondor 8.9.7 through 8.9.10 (inclusive)<br />
<br />
Both these issues are fixed in HTCondor version 8.9.11.<br />
<br />
Releases 8.8.X STABLE SERIES are NOT vulnerable.<br />
<br />
<br />
More information<br />
================<br />
<br />
These vulnerabilities are NOT publicly known and the HTCondor team is not aware of any site where either has been exploited yet. <br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** WHITE information - Unlimited distribution <br />
- see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2021-17030 <br />
<br />
Minor updates may be made without re-distribution to the sites.<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 1] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to this vulnerability by Zach Miller from the HTCondor Team <br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-2021-17030] <br />
<br />
2021-01-13 SVG alerted to this issue by Zach Miller from the HTCondor Team.<br />
2021-01-14 Acknowledgement from the EGI SVG to the reporter<br />
2021-01-14 EGI SVG Risk Assessment completed<br />
2021-01-15 Advisory sent to sites<br />
2021-03-22 Advisory placed on SVG Wiki<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 1] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and <br />
the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2021-27365&diff=112790SVG:Advisory-SVG-CVE-2021-273652021-03-17T10:06:10Z<p>Cornwall: Created page with "{{svg-header}} <pre> This advisory has not been made public yet. </pre>"</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
This advisory has not been made public yet. <br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112726SVG:Advisories2021-02-24T10:53:42Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with the reducing homogeneity of the infrastructure and how to handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112725SVG:Advisories2021-02-24T10:52:50Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0.] including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the various <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status<br />
|-<br />
| 2021-01-27 || sudo privilege escalation vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with the reducing homogeneity of the infrastructure and how to handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:General_Advisory_Template&diff=112724SVG:General Advisory Template2021-02-24T10:33:28Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
<2021-01-04><br />
<br />
<Dates for 2021> <br />
<br />
<2020-03-10><br />
<br />
Include Creative Commons Licence for [WHITE] <br />
<br />
<Most cases 'ADVISORY' ><br />
<br />
<4 Options><br />
<br />
< ‘HEADS UP’ – Sites may be asked to do something urgently soon. <br />
Usually only for vulnerabilities which may be a ‘Critical’><br />
< ‘ADVISORY’ – Sites normally instructed to do something<br />
The commonest type of mail, e.g. update when vulnerability fixed in software><br />
< ‘ALERT’ – Sites should be aware<br />
This may be important to you, you may want to take action. Often ask for feedback<br />
e.g. If any site is aware that any of these or other vulnerabilities presents a serious problem to EGI, please inform the EGI SVG. ><br />
< ‘INFORMATION’ – to inform sites of something<br />
E.g. if a well talked about vulnerability is not relevant><br />
<br />
<br />
< E-mail title - as Title > <br />
<br />
<add or delete sections as needed><br />
<add any information required, template is to help, not rigid><br />
<br />
< Fill in advisory number, title, date, and URL><br />
< Only upload if 'WHITE'> <br />
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...) if available><br />
< Title should include software affected><br />
< If applicable, a CVE number or the like should be included ><br />
< The title should be used as mail subject, and on the wiki, but not included in mail itself. ><br />
< The date section should only be included on the wiki> <br />
< So then the e-mail title starts with the type of notification, then TLP followed by affected software and risk> <br />
<br />
<br />
Title: EGI SVG 'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > if <br />
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>] <br />
<br />
Date: <date yyyy-mm-dd> <1st released><br />
Updated: <date yyyy-mm-dd><br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package><br />
<br />
Package :<Name of package><br />
CVE ID :<Include CVE's if present><br />
Bug ID :<Any identifier by package provider if applicable><br />
<br />
<A few sentences describing the problem > <It was found that SillySoftware exposes users to <br />
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in <br />
versions up to 11.><br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
<as appropriate e.g.><br />
<br />
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.><br />
<br />
<Sites running xxx are required to urgently apply vendor kernel updates.><br />
<br />
<Sites running yyy are required to urgently install new version><br />
<br />
<Sites are recommended to update relevant components as soon as it is convenient><br />
<br />
<(For critical) All running resources MUST be either patched or have mitigation<br />
in place or software removed by yyyy-mm-dd 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. ><br />
<br />
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a Friday or <br />
common public holiday, make it the first working day after people are expected back><br />
<br />
<If high and may become critical><br />
<br />
<Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure <br />
this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch within 7 days or risk suspension. ><br />
<br />
<br />
<Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure <br />
then please inform EGI SVG.><br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
<br />
XXX is now (also) available in EPEL<br />
<br />
https://fedoraproject.org/wiki/EPEL<br />
<br />
<br />
<e.g. patch not yet available><br />
<br />
<e.g. patch available from vendor for x system but not y><br />
<br />
<e.g. pointer to UMD release ><br />
<br />
OR<br />
<br />
<refer to wlcg repository http://linuxsoft.cern.ch/wlcg/ ><br />
<br />
OR <br />
<br />
<References to appropriate other software.> <br />
<br />
OR <br />
<br />
<List vendors who have already announced patches with references><br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
<If appropriate - Describe mitigation to carry out - this may be to run a script><br />
<br />
< If possible, include either a script and/or include command lines><br />
<br />
< or refer to vendor's mitigation> <br />
<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
<This can be omitted if the situation is sufficiently simple to include version info in the <br />
affected software and risk. For example this may be included if it is quite complex which versions <br />
of e.g. Linux are affected.><br />
<br />
<e.g. which version(s) of Linux are affected><br />
<br />
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other><br />
<br />
<br />
More information<br />
================<br />
<br />
<Describe the reason for the issuing of this advisory> <br />
<br />
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> <br />
<br />
<this could include - e.g. updated as patch available> <br />
<br />
<include cve- number if one has been issued> <br />
<br />
<describe the problem, something about why it occurs, and the effect on sites><br />
<br />
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> <br />
<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
< Choose proper TLP color ><br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
<br />
<br />
or <br />
<br />
** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
or <br />
<br />
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
or<br />
<br />
** RED information - Personal for Named Recipients Only - see <br />
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
<Put on Wiki for WHITE information only><br />
<br />
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. ><br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID> <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R X] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
<Any references to the vulnerability> <br />
<refer to any public disclosure><br />
<e.g. Linux vendors info><br />
<any other info on the problem><br />
<br />
<Useful skeletons><br />
<br />
< NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-nnnn ><br />
<br />
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-nnnn ><br />
<br />
< Red Hat https://access.redhat.com/security/cve/CVE-2021-nnnn ><br />
<br />
< https://www.scientificlinux.org/category/sl-errata/ ><br />
<br />
< CentOS https://lists.centos.org/pipermail/centos-announce/ ><br />
<br />
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2021-nnnn.html > <br />
<br />
< Debian https://security-tracker.debian.org/tracker/CVE-2021-nnnn > <br />
<br />
<br />
[R X] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by <if applicable - person who discovers vulnerability><br />
<br />
or<br />
<br />
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability><br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>] <br />
<br />
2021-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1><br />
2021-??-?? Acknowledgement from the EGI SVG to the reporter<br />
2021-??-?? (if appropriate) Software providers responded and involved in investigation<br />
2021-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) <br />
2021-??-?? EGI SVG Risk Assessment completed<br />
2021-??-?? (if appropriate) Assessment by the EGI Software Vulnerability Group reported to the software providers <br />
2021-??-?? Updated packages available <in the EGI UMD/other location> <br />
2021-??-?? Advisory/Alert sent to sites<br />
2021-??-?? Public disclosure<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R X] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
For [WHITE] information:--<br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
<br />
For [GREEN] and [AMBER] information:-- <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre><br />
<br />
<br />
{{svg-rat-info}}<br />
{{svg-issue-views}}</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:General_Advisory_Template&diff=112723SVG:General Advisory Template2021-02-24T10:31:50Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
<2021-01-04><br />
<br />
<Dates for 2021> <br />
<br />
<2020-03-10><br />
<br />
Include Creative Commons Licence for [WHITE] <br />
<br />
<Most cases 'ADVISORY' ><br />
<br />
<4 Options><br />
<br />
< ‘HEADS UP’ – Sites may be asked to do something urgently soon. <br />
Usually only for vulnerabilities which may be a ‘Critical’><br />
< ‘ADVISORY’ – Sites normally instructed to do something<br />
The commonest type of mail, e.g. update when vulnerability fixed in software><br />
< ‘ALERT’ – Sites should be aware<br />
This may be important to you, you may want to take action. Often ask for feedback<br />
e.g. If any site is aware that any of these or other vulnerabilities presents a serious problem to EGI, please inform the EGI SVG. ><br />
< ‘INFORMATION’ – to inform sites of something<br />
E.g. if a well talked about vulnerability is not relevant><br />
<br />
<br />
< E-mail title - as Title > <br />
<br />
<add or delete sections as needed><br />
<add any information required, template is to help, not rigid><br />
<br />
< Fill in advisory number, title, date, and URL><br />
< Only upload if 'WHITE'> <br />
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...) if available><br />
< Title should include software affected><br />
< If applicable, a CVE number or the like should be included ><br />
< The title should be used as mail subject, and on the wiki, but not included in mail itself. ><br />
< The date section should only be included on the wiki> <br />
< So then the e-mail title starts with the type of notification, then TLP followed by affected software and risk> <br />
<br />
<br />
Title: EGI SVG 'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > if <br />
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>] <br />
<br />
Date: <date yyyy-mm-dd> <1st released><br />
Updated: <date yyyy-mm-dd><br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package><br />
<br />
Package :<Name of package><br />
CVE ID :<Include CVE's if present><br />
Bug ID :<Any identifier by package provider if applicable><br />
<br />
<A few sentences describing the problem > <It was found that SillySoftware exposes users to <br />
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in <br />
versions up to 11.><br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
<as appropriate e.g.><br />
<br />
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.><br />
<br />
<Sites running xxx are required to urgently apply vendor kernel updates.><br />
<br />
<Sites running yyy are required to urgently install new version><br />
<br />
<Sites are recommended to update relevant components as soon as it is convenient><br />
<br />
<(For critical) All running resources MUST be either patched or have mitigation<br />
in place or software removed by yyyy-mm-dd 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. ><br />
<br />
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a Friday or <br />
common public holiday, make it the first working day after people are expected back><br />
<br />
<If high and may become critical><br />
<br />
<Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch within 7 days or risk suspension. ><br />
<br />
<br />
<Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure then please inform EGI SVG.><br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
<br />
XXX is now (also) available in EPEL<br />
<br />
https://fedoraproject.org/wiki/EPEL<br />
<br />
<br />
<e.g. patch not yet available><br />
<br />
<e.g. patch available from vendor for x system but not y><br />
<br />
<e.g. pointer to UMD release ><br />
<br />
OR<br />
<br />
<refer to wlcg repository http://linuxsoft.cern.ch/wlcg/ ><br />
<br />
OR <br />
<br />
<References to appropriate other software.> <br />
<br />
OR <br />
<br />
<List vendors who have already announced patches with references><br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
<If appropriate - Describe mitigation to carry out - this may be to run a script><br />
<br />
< If possible, include either a script and/or include command lines><br />
<br />
< or refer to vendor's mitigation> <br />
<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
<This can be omitted if the situation is sufficiently simple to include version info in the <br />
affected software and risk. For example this may be included if it is quite complex which versions <br />
of e.g. Linux are affected.><br />
<br />
<e.g. which version(s) of Linux are affected><br />
<br />
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other><br />
<br />
<br />
More information<br />
================<br />
<br />
<Describe the reason for the issuing of this advisory> <br />
<br />
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> <br />
<br />
<this could include - e.g. updated as patch available> <br />
<br />
<include cve- number if one has been issued> <br />
<br />
<describe the problem, something about why it occurs, and the effect on sites><br />
<br />
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> <br />
<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
< Choose proper TLP color ><br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
<br />
<br />
or <br />
<br />
** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
or <br />
<br />
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
or<br />
<br />
** RED information - Personal for Named Recipients Only - see <br />
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
<Put on Wiki for WHITE information only><br />
<br />
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. ><br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID> <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R X] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
<Any references to the vulnerability> <br />
<refer to any public disclosure><br />
<e.g. Linux vendors info><br />
<any other info on the problem><br />
<br />
<Useful skeletons><br />
<br />
< NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-nnnn ><br />
<br />
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-nnnn ><br />
<br />
< Red Hat https://access.redhat.com/security/cve/CVE-2021-nnnn ><br />
<br />
< https://www.scientificlinux.org/category/sl-errata/ ><br />
<br />
< CentOS https://lists.centos.org/pipermail/centos-announce/ ><br />
<br />
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2021-nnnn.html > <br />
<br />
< Debian https://security-tracker.debian.org/tracker/CVE-2021-nnnn > <br />
<br />
<br />
[R X] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by <if applicable - person who discovers vulnerability><br />
<br />
or<br />
<br />
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability><br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>] <br />
<br />
2021-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1><br />
2021-??-?? Acknowledgement from the EGI SVG to the reporter<br />
2021-??-?? (if appropriate) Software providers responded and involved in investigation<br />
2021-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) <br />
2021-??-?? EGI SVG Risk Assessment completed<br />
2021-??-?? (if appropriate) Assessment by the EGI Software Vulnerability Group reported to the software providers <br />
2021-??-?? Updated packages available <in the EGI UMD/other location> <br />
2021-??-?? Advisory/Alert sent to sites<br />
2021-??-?? Public disclosure<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R X], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
For [WHITE] information:--<br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
<br />
For [GREEN] and [AMBER] information:-- <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre><br />
<br />
<pre><br />
<br />
<2020-03-10><br />
<br />
Include Creative Commons Licence for [WHITE] <br />
<br />
<Most cases 'ADVISORY' ><br />
<br />
<4 Options><br />
<br />
< ‘HEADS UP’ – Sites may be asked to do something urgently soon. <br />
Usually only for vulnerabilities which may be a ‘Critical’><br />
< ‘ADVISORY’ – Sites normally instructed to do something<br />
The Commonest type of mail, e.g. update when vulnerability fixed in software><br />
< ‘ALERT’ – Sites should be aware<br />
This may be important to you, you may want to take action. Often ask for feedback<br />
e.g. If any site is aware that any of these or other vulnerabilities presents a serious problem to EGI, please inform the EGI SVG. ><br />
< ‘INFORMATION’ – to inform sites of something<br />
E.g. if a well talked about vulnerability is not relevant><br />
<br />
<br />
< E-mail title - as Title > <br />
<br />
<add or delete sections as needed><br />
<add any information required, template is to help, not rigid><br />
<br />
< Fill in advisory number, title, date, and URL><br />
< Only upload if 'WHITE'> <br />
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...) if available><br />
< Title should include software affected><br />
< If applicable, a CVE number or the like should be included ><br />
< The title should be used as mail subject, and on the wiki, but not included in mail itself. ><br />
< The date section should only be included on the wiki> <br />
< So then the e-mail title starts with the type of notification, then TLP followed by affected software and risk> <br />
<br />
<br />
Title: EGI SVG 'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>] <RISK> risk <cve, software, other info> <br />
[EGI-SVG-<cve>] if there is a CVE, else [EGI-SVG-<year>-<RT-number>] <br />
<br />
Date: <date yyyy-mm-dd> <1st released><br />
Updated: <date yyyy-mm-dd><br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package><br />
<br />
Package : <Name of package><br />
CVE ID : <Include CVE's if present><br />
Bug ID : <Any identifier by package provider if applicable><br />
<br />
<A few sentences describing the problem > <It was found that SillySoftware exposes users to <br />
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in <br />
versions up to 11.><br />
<br />
<br />
Actions required/recommended<br />
============================<br />
<br />
<as appropriate e.g.><br />
<br />
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.><br />
<br />
<Sites running xxx are required to urgently apply vendor kernel updates.><br />
<br />
<Sites running yyy are required to urgently install new version><br />
<br />
<Sites are recommended to update relevant components as soon as it is convenient><br />
<br />
<(For critical) All running resources MUST be either patched or have mitigation<br />
in place or software removed by yyyy-mm-dd 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. ><br />
<br />
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a Friday or <br />
common public holiday, make it the first working day after people are expected back><br />
<br />
<If high and may become critical><br />
<br />
<Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch within 7 days or risk suspension. ><br />
<br />
<br />
<Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure then please inform EGI SVG.><br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is <br />
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
<br />
XXX is now (also) available in EPEL<br />
<br />
https://fedoraproject.org/wiki/EPEL<br />
<br />
<br />
<e.g. patch not yet available><br />
<br />
<e.g. patch available from vendor for x system but not y><br />
<br />
<e.g. pointer to UMD release ><br />
<br />
OR<br />
<br />
<refer to wlcg repository http://linuxsoft.cern.ch/wlcg/ ><br />
<br />
OR <br />
<br />
<References to appropriate other software.> <br />
<br />
OR <br />
<br />
<List vendors who have already announced patches with references><br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
<If appropriate - Describe mitigation to carry out - this may be to run a script><br />
<br />
< If possible, include either a script and/or include command lines><br />
<br />
< or refer to the vendor's mitigation> <br />
<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
<This can be omitted if the situation is sufficiently simple to include version info in the <br />
affected software and risk. For example this may be included if it is quite complex which versions <br />
of e.g. Linux are affected.><br />
<br />
<e.g. which version(s) of Linux are affected><br />
<br />
<e.g. which middleware component is affected within gLite/ARC/Unicore/Globus/Other><br />
<br />
<br />
More information<br />
================<br />
<br />
<Describe the reason for the issuing of this advisory> <br />
<br />
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> <br />
<br />
<this could include - e.g. updated as patch available> <br />
<br />
<include cve- number if one has been issued> <br />
<br />
<describe the problem, something about why it occurs, and the effect on sites><br />
<br />
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> <br />
<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
< Choose proper TLP color ><br />
<br />
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
or <br />
<br />
** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
or <br />
<br />
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
or<br />
<br />
** RED information - Personal for Named Recipients Only - see <br />
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
<Put on Wiki for WHITE information only><br />
<br />
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. ><br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID> <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R X] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
<Any references to the vulnerability> <br />
<refer to any public disclosure><br />
<e.g. Linux vendors info><br />
<any other info on the problem><br />
<br />
<Useful skeletons><br />
<br />
< NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-nnnn ><br />
<br />
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-nnnn ><br />
<br />
< Red Hat https://access.redhat.com/security/cve/CVE-2020-nnnn ><br />
<br />
< https://www.scientificlinux.org/category/sl-errata/ ><br />
<br />
< CentOS https://lists.centos.org/pipermail/centos-announce/ ><br />
<br />
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-nnnn.html > <br />
<br />
< Debian https://security-tracker.debian.org/tracker/CVE-2020-nnnn > <br />
<br />
<br />
[R X] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by <if applicable - person who discovers vulnerability><br />
<br />
or<br />
<br />
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability><br />
<br />
<br />
Timeline <br />
========<br />
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>] <br />
<br />
2020-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1><br />
2020-??-?? Acknowledgement from the EGI SVG to the reporter<br />
2020-??-?? (if appropriate) Software providers responded and involved in investigation<br />
2020-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) <br />
2020-??-?? EGI SVG Risk Assessment completed<br />
2020-??-?? (if appropriate) Assessment by the EGI Software Vulnerability Group reported to the software providers <br />
2020-??-?? Updated packages available <in the EGI UMD/other location> <br />
2020-??-?? Advisory/Alert sent to sites<br />
2020-??-?? Public disclosure<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R X], in the context of how the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
For [WHITE] information:--<br />
<br />
-----------------------------<br />
This advisory is subject to the Creative commons license https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. <br />
-----------------------------<br />
<br />
For [GREEN] and [AMBER] information:-- <br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
<br />
</pre><br />
<br />
{{svg-rat-info}}<br />
{{svg-issue-views}}</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2020-16939&diff=112590SVG:Advisory-SVG-2020-169392021-01-14T15:13:30Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] CRITICAL risk Vulnerability concerning dCache [EGI-SVG-2020-16939] <br />
<br />
Date: 2020-11-19<br />
Updated: 2020-11-25, 2021-01-14<br />
<br />
<br />
Affected software and risk<br />
==========================<br />
<br />
CRITICAL risk vulnerability concerning dCache <br />
<br />
Package : dCache<br />
<br />
A vulnerability has been reported in dCache concerning file ownership checks. <br />
This may in some circumstances allow an unauthenticated person to change file ownership, view and delete arbitrary files. <br />
<br />
Actions required/recommended<br />
============================<br />
<br />
Sites running dCache should urgently update relevant components, or carry out the mitigation described below.<br />
<br />
All running resources MUST be either patched or have mitigation in place or software removed by 2020-12-03 00:00 UTC<br />
<br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.<br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).<br />
<br />
**UPDATE 2020-11-25** <br />
<br />
A fixed version of dCache is now available in the EGI UMD. <br />
<br />
Sites using the EGI UMD 4 should see:<br />
<br />
http://repository.egi.eu/category/umd_releases/distribution/umd-4/<br />
<br />
The fixed version of dCache is included in UMD-4.12.5<br />
<br />
https://repository.egi.eu/2020/11/23/release-umd-4-12-5/<br />
<br />
Sites installing directly from dCache should see [R 1]. <br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
This 'CRITICAL' risk vulnerability affects only the dcap family of doors (dcap, gsidcap, kerberised-dcap). dCache instances that <br />
do not run a dcap-family door are not vulnerable to this problem. Stopping all dcap doors provides a mitigation against this vulnerability.<br />
<br />
Sites should in general ensure, through local firewall settings, that plain (i.e. unauthenticated) DCAP access to dCache is _only_ permitted <br />
(if needed) from hosts whose users are authenticated and authorized by the site.<br />
<br />
<br />
Affected software details<br />
=========================<br />
<br />
This has been fixed in dCache versions 6.2.10, 6.1.18, 6.0.29, 5.2.35. <br />
<br />
Earlier versions may be vulnerable.<br />
<br />
<br />
More information<br />
================<br />
<br />
The latest release of dCache actually fixes 2 completely separate vulnerabilities. <br />
<br />
One has been assessed as 'CRITICAL' risk, as it may allow an unauthenticated person to change file ownership, view and delete arbitrary files. <br />
<br />
The other merely allows a user, in some circumstances, to change the group ownership of a file or directory they are authorized <br />
to modify to a group they are not entitled to assign. This has been assessed to be 'LOW' risk.<br />
<br />
<br />
TLP and URL<br />
===========<br />
<br />
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** <br />
<br />
This advisory will be placed on the wiki on or after 2020-12-19 <br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2020-16939 <br />
<br />
Minor updates may be made without re-distribution to the sites<br />
<br />
<br />
Comments<br />
========<br />
<br />
Comments or questions should be sent to svg-rat at mailman.egi.eu<br />
<br />
If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to <br />
<br />
report-vulnerability at egi.eu<br />
<br />
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 2] <br />
<br />
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. <br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://www.dcache.org/<br />
<br />
[R 2] https://documents.egi.eu/public/ShowDocument?docid=3145<br />
<br />
Credit<br />
======<br />
<br />
This vulnerability was reported by Paul Millar from the dCache team<br />
<br />
<br />
Timeline<br />
========<br />
Yyyy-mm-dd [EGI-SVG-2020-16939] <br />
<br />
2020-10-29 Vulnerability reported by Paul Millar<br />
2020-10-30 Acknowledgement from the EGI SVG to the reporter<br />
2020-11-10 EGI SVG Risk Assessment completed<br />
2020-11-10 Assessment by the EGI Software Vulnerability Group reported to the software providers<br />
2020-11-18 Updated versions produced by the dCache team<br />
2020-11-19 Advisory sent to sites<br />
2020-11-23 Fixed version of dCache in the EGI UMD<br />
2020-11-25 Advisory updated<br />
2021-01-14 Public disclosure - placed on the wiki<br />
<br />
<br />
Context<br />
=======<br />
<br />
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose <br />
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"<br />
<br />
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 2], in the context of how <br />
the software is used in the EGI infrastructure. It is the opinion of the group; we do not guarantee it to be correct. <br />
The risk may also be higher or lower in other deployments depending on how the software is used. <br />
<br />
<br />
-----------------------------<br />
Others may re-use this information provided they:-<br />
<br />
1) Respect the provided TLP classification<br />
<br />
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group<br />
------------------------------<br />
<br />
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity <br />
of the EGI infrastructure and the services in the EOSC-hub catalogue.<br />
<br />
On behalf of the EGI SVG,<br />
<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112589SVG:Advisories2021-01-14T15:11:44Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2020-11-19 updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache<br />
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||<br />
|-<br />
<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories-SVG-2020&diff=112588SVG:Advisories-SVG-20202021-01-14T14:49:17Z<p>Cornwall: Created page with "{{svg-header}} All advisories which are disclosed publicly by SVG are placed on this wiki. A guide to the risk categories is available at SVG:Notes On Risk | Notes On Ri..."</p>
<hr />
<div>{{svg-header}}<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2020-09-22 updated 2020-10-22 || Privilege escalation vulnerability in recent kernels (e.g. RHEL/CentOS 8)<br />
|| [[SVG:Advisory-SVG-CVE-2020-14386 | Advisory-SVG-CVE-2020-14386]] || High || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-10-20 || Singularity - file overwrite vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2020-15229 | Advisory-SVG-CVE-2020-15229 ]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-09-16 || Cache Poisoning Squid Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2020-16840 | Advisory-SVG-2020-16840]] || Moderate || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-09-09 || Disk Pool Manager (DPM) logging may contain sensitive information<br />
|| [[SVG:Advisory-SVG-2020-16835 | Advisory-SVG-2020-16835]] || Moderate || Sites to check ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-08-17 || Vulnerability in dCache macaroon bearer token validation<br />
|| [[SVG:Advisory-SVG-2020-16806 | Advisory-SVG-2020-16806]] || Low || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-05-04 updated 2020-06-05 || Remote code execution vulnerabilities in Salt master<br />
|| [[SVG:Advisory-SVG-CVE-2020-11651 | Advisory-SVG-CVE-2020-11651]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-03-13 updated 2020-04-28, 2020-06-05 || Vulnerability in IBM GPFS file system<br />
|| [[SVG:Advisory-SVG-2020-16274 | Advisory-SVG-2020-16274 ]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-05-06 updated 2020-05-12 || Singularity and unprivileged user namespaces<br />
|| [[SVG:Advisory-SVG-2020-16648 | Advisory-SVG-2020-16648 ]] || N/A || ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-03-23 updated 2020-04-08, 2020-04-16, 2020-04-30|| Vulnerabilities in HTCondor<br />
|| [[SVG:Advisory-SVG-CVE-2019-18823 | Advisory-SVG-CVE-2019-18823 ]] || Moderate || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-02-11 updated 2020-04-29 || Vulnerabilities concerning Squid<br />
|| [[SVG:Advisory-SVG-2020-16203 | Advisory-SVG-2020-16203 ]] || up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2019-12-19 updated 2020-02-10|| Singularity File Permission Vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2019-19724| Advisory-SVG-CVE-2019-19724 ]] || || Fixed ||<br />
|-<br />
<br />
<br />
<br />
|}<br />
<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017.</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisories&diff=112587SVG:Advisories2021-01-14T14:45:31Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}} <br />
<br />
<br />
All advisories which are disclosed publicly by SVG are placed on this wiki. <br />
<br />
All advisories which are disclosed publicly by SVG are subject to the Creative commons licence<br />
[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group. <br />
<br />
A guide to the risk categories is available at [[SVG:Notes On Risk | Notes On Risk]]<br />
<br />
SVG also provides information that may be useful to sites concerning the <br />
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]<br />
<br />
<br />
{| {{egi-table}}<br />
!Date !! Title !! Contents/Link !! Risk !! Status !!<br />
<br />
|-<br />
| 2020-09-22 updated 2020-10-22 || Privilege escalation vulnerability in recent kernels (e.g. RHEL/CentOS 8)<br />
|| [[SVG:Advisory-SVG-CVE-2020-14386 | Advisory-SVG-CVE-2020-14386]] || High || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-10-20 || Singularity - file overwrite vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2020-15229 | Advisory-SVG-CVE-2020-15229 ]] || || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-09-16 || Cache Poisoning Squid Vulnerabilities <br />
|| [[SVG:Advisory-SVG-2020-16840 | Advisory-SVG-2020-16840]] || Moderate || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-09-09 || Disk Pool Manager (DPM) logging may contain sensitive information<br />
|| [[SVG:Advisory-SVG-2020-16835 | Advisory-SVG-2020-16835]] || Moderate || Sites to check ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-08-17 || Vulnerability in dCache macaroon bearer token validation<br />
|| [[SVG:Advisory-SVG-2020-16806 | Advisory-SVG-2020-16806]] || Low || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-05-04 updated 2020-06-05 || Remote code execution vulnerabilities in Salt master<br />
|| [[SVG:Advisory-SVG-CVE-2020-11651 | Advisory-SVG-CVE-2020-11651]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-03-13 updated 2020-04-28, 2020-06-05 || Vulnerability in IBM GPFS file system<br />
|| [[SVG:Advisory-SVG-2020-16274 | Advisory-SVG-2020-16274 ]] || Critical || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2020-05-06 updated 2020-05-12 || Singularity and unprivileged user namespaces<br />
|| [[SVG:Advisory-SVG-2020-16648 | Advisory-SVG-2020-16648 ]] || N/A || ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-03-23 updated 2020-04-08, 2020-04-16, 2020-04-30|| Vulnerabilities in HTCondor<br />
|| [[SVG:Advisory-SVG-CVE-2019-18823 | Advisory-SVG-CVE-2019-18823 ]] || Moderate || Fixed ||<br />
|-<br />
<br />
<br />
|-<br />
| 2020-02-11 updated 2020-04-29 || Vulnerabilities concerning Squid<br />
|| [[SVG:Advisory-SVG-2020-16203 | Advisory-SVG-2020-16203 ]] || up to CRITICAL || Fixed ||<br />
|-<br />
<br />
|-<br />
| 2019-12-19 updated 2020-02-10|| Singularity File Permission Vulnerability<br />
|| [[SVG:Advisory-SVG-CVE-2019-19724| Advisory-SVG-CVE-2019-19724 ]] || || Fixed ||<br />
|-<br />
<br />
<br />
<br />
|}<br />
<br />
EGI SVG produces advisories according to the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ], which was revised in 2017 and approved by the EGI OMB in November 2017. <br />
<br />
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2020 | Advisories from 2020]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2019 | Advisories from 2019]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2018 | Advisories from 2018]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2017 | Advisories from 2017]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2016 | Advisories from 2016]]<br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2014-2015 | Advisories from 2014 and 2015 ]] <br />
<br />
In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts<br />
and EGI SVG advisories primarily concerned gLite Middleware. <br />
<br />
Earlier Advisories: [[SVG:Advisories-SVG-2011-2013 | Advisories from 2011 to 2013 ]]<br />
<br />
<br />
<br />
Advisories from prior to 2011 [https://archive.gridpp.ac.uk/gsvg/advisories/ Gridpp Advisories Archive]</div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-CVE-2020-25211&diff=112532SVG:Advisory-SVG-CVE-2020-252112021-01-06T09:51:36Z<p>Cornwall: Created page with "{{svg-header}} <pre> This advisory has not been made public yet. </pre>"</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
This advisory has not been made public yet.<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2020-16939&diff=112500SVG:Advisory-SVG-2020-169392020-12-09T17:31:52Z<p>Cornwall: </p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
<br />
This advisory has not been made public yet. The information is embargoed by the software provider until 19th December 2020.<br />
<br />
Sites should refer to the e-mail they have received.<br />
<br />
</pre></div>Cornwallhttps://wiki.egi.eu/w/index.php?title=SVG:Advisory-SVG-2020-16935&diff=112419SVG:Advisory-SVG-2020-169352020-11-19T16:30:24Z<p>Cornwall: Created page with "{{svg-header}} <pre> This advisory has not been made public yet </pre>"</p>
<hr />
<div>{{svg-header}}<br />
<br />
<pre><br />
This advisory has not been made public yet.<br />
<br />
</pre></div>Cornwall