EGI CSIRT:Alerts/cream-20-10-2009
Jump to navigation
Jump to search
| Mission | Members | Contacts
| Incident handling | Alerts | Monitoring | Security challenges | Procedures | Dissemination
======================================================================== EGEE Operational Security Coordination Team Topic: High-risk vulnerabilities in CREAM CE software Date: October 20th 2009 URL: http://cern.ch/osct/alerts/cream-20-10-2009.txt Background ---------- The CREAM (Computing Resource Execution And Management) service is a gLite service for job management at the Computing Element (CE) level. Vulnerabilities description --------------------------- GSVG was recently disclosed (see [1] and [2]) two vulnerabilities that were found in the CREAM CE implementation. First vulnerability (#55551, [1]) was found in the configuration of the CREAM CE and it allows a database password to be obtained by users that are authorized to interact with the CREAM instance, e.g. for submitting jobs. Second vulnerability (#55552, [2]) in CREAM CE allows root privileges to be obtained by remote users that are authorized to interact with the CREAM instance, e.g. for submitting jobs. The exploit is very unlikely to have been used. Both issues were fixed in the CREAM CE 3.1.20. Vulnerability impact -------------------- Any user who is authorized to access the CREAM CE instance could retrieve database password and gain root privileges on the machine running CREAM CE service. OSCT recommendations -------------------- OSCT recommends all sites to urgently upgrade all CREAM CE instances to glite-CREAM 3.1.20 (found in glite 3.1 update 56) or higher. References ---------- [1] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55551.txt [2] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55552.txt ========================================================================
Source
Parts of this article came from the OSCT wiki, this was written by the EGEE Operational Security Coordination Team. |