Difference between revisions of "EGI CSIRT:Alerts/cream-20-10-2009"
Jump to navigation
Jump to search
(Created page with '{{Under construction}} {{Egi-csirt-header}} {{From OSCT wiki|http://osct.web.cern.ch/osct/alerts.html}}') |
({{From OSCT wiki|http://osct.web.cern.ch/osct/alerts/cream-20-10-2009.txt}}) |
||
Line 1: | Line 1: | ||
{{Egi-csirt-header|High-risk vulnerabilities in CREAM CE software}} | |||
{{Egi-csirt-header}} | <pre><nowiki> | ||
{{From OSCT wiki|http://osct.web.cern.ch/osct/alerts. | ======================================================================== | ||
EGEE Operational Security Coordination Team | |||
Topic: High-risk vulnerabilities in CREAM CE software | |||
Date: October 20th 2009 | |||
URL: http://cern.ch/osct/alerts/cream-20-10-2009.txt | |||
Background | |||
---------- | |||
The CREAM (Computing Resource Execution And Management) service is a | |||
gLite service for job management at the Computing Element (CE) level. | |||
Vulnerabilities description | |||
--------------------------- | |||
GSVG was recently disclosed (see [1] and [2]) two vulnerabilities that | |||
were found in the CREAM CE implementation. | |||
First vulnerability (#55551, [1]) was found in the configuration of the | |||
CREAM CE and it allows a database password to be obtained by users that | |||
are authorized to interact with the CREAM instance, e.g. for submitting | |||
jobs. | |||
Second vulnerability (#55552, [2]) in CREAM CE allows root privileges to | |||
be obtained by remote users that are authorized to interact with the | |||
CREAM instance, e.g. for submitting jobs. The exploit is very unlikely | |||
to have been used. | |||
Both issues were fixed in the CREAM CE 3.1.20. | |||
Vulnerability impact | |||
-------------------- | |||
Any user who is authorized to access the CREAM CE instance could | |||
retrieve database password and gain root privileges on the machine | |||
running CREAM CE service. | |||
OSCT recommendations | |||
-------------------- | |||
OSCT recommends all sites to urgently upgrade all CREAM CE instances to | |||
glite-CREAM 3.1.20 (found in glite 3.1 update 56) or higher. | |||
References | |||
---------- | |||
[1] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55551.txt | |||
[2] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55552.txt | |||
======================================================================== | |||
</nowiki></pre> | |||
{{From OSCT wiki|http://osct.web.cern.ch/osct/alerts/cream-20-10-2009.txt}} |
Latest revision as of 13:16, 21 June 2010
| Mission | Members | Contacts
| Incident handling | Alerts | Monitoring | Security challenges | Procedures | Dissemination
======================================================================== EGEE Operational Security Coordination Team Topic: High-risk vulnerabilities in CREAM CE software Date: October 20th 2009 URL: http://cern.ch/osct/alerts/cream-20-10-2009.txt Background ---------- The CREAM (Computing Resource Execution And Management) service is a gLite service for job management at the Computing Element (CE) level. Vulnerabilities description --------------------------- GSVG was recently disclosed (see [1] and [2]) two vulnerabilities that were found in the CREAM CE implementation. First vulnerability (#55551, [1]) was found in the configuration of the CREAM CE and it allows a database password to be obtained by users that are authorized to interact with the CREAM instance, e.g. for submitting jobs. Second vulnerability (#55552, [2]) in CREAM CE allows root privileges to be obtained by remote users that are authorized to interact with the CREAM instance, e.g. for submitting jobs. The exploit is very unlikely to have been used. Both issues were fixed in the CREAM CE 3.1.20. Vulnerability impact -------------------- Any user who is authorized to access the CREAM CE instance could retrieve database password and gain root privileges on the machine running CREAM CE service. OSCT recommendations -------------------- OSCT recommends all sites to urgently upgrade all CREAM CE instances to glite-CREAM 3.1.20 (found in glite 3.1 update 56) or higher. References ---------- [1] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55551.txt [2] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55552.txt ========================================================================
Source
Parts of this article came from the OSCT wiki, this was written by the EGEE Operational Security Coordination Team. |