Difference between revisions of "SVG:Advisory-SVG-2012-3306"
Jump to navigation
Jump to search
imported>Cornwall |
|
(No difference)
|
Revision as of 16:29, 17 September 2013
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2012-3306
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2012-3306] Title: EGI SVG Advisory "Low" RISK - Potential for reduced availability of VOMS server Date: 2013-09-17 Updated: <date yyyy-mm-dd> URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-3306 Introduction ============ A vulnerability has been found which may allow a Denial of Service attack on a VOMS server. This problem has been solved in the version of VOMS available in the EGI UMD-2. A vulnerable version of VOMS has never been available in EGI UMD-3. Details ======= A vulnerability assessment was carried out on the VOMS server by Manuel Brugnoli at the University of Barcelona. A Vulnerability was found allowing a DoS attack on the VOMS server by anyone able to connect to the VOMS server. Risk category ============= This issue has been assessed as "Low" risk by the EGI SVG Risk Assessment Team. Affected software ================= This problem was found in VOMS version 2.0.2. The file which fixes this is in the file: voms-api-java-2.0.10-1 Earlier versions may be affected. Component installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD should see: http://repository.egi.eu/category/umd_releases/distribution/umd-2/ Sites installing directly from EMI should see: http://www.eu-emi.eu/emi-2-matterhorn/updates/ Recommendations =============== Sites are recommended to update relevant components in due course, if they have not upgraded in recent months. Credit ====== This vulnerability was reported by Manuel Brugnoli Timeline ======== Yyyy-mm-dd 2012-01-17 Vulnerability reported by Manuel Brugnoli 2012-01-17 Acknowledgement from the EGI SVG to the reporter 2012-01-17 Software providers responded and involved in investigation 2012-02-01 Assessment by the EGI Software Vulnerability Group reported to the software providers 2013-02-13 Updated packages available in the EGI UMD-2 2013-08-19 After checking 'Low' risk issues, found fixed in UMD. 2013-09-16 Public disclosure