The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed, you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Advisories"

From EGIWiki
(45 intermediate revisions by 4 users not shown)
Line 3: Line 3:


All advisories which are disclosed publicly by SVG are placed on this wiki.  
All advisories which are disclosed publicly by SVG are placed on this wiki.  
All advisories which are disclosed publicly by SVG are subject to the  Creative commons licence
[https://creativecommons.org/licenses/by/4.0/    CC-BY 4.0.] including crediting the EGI  [https://www.egi.eu/  https://www.egi.eu/] Software Vulnerability Group. 


A guide to the risk categories is available at  [[SVG:Notes On Risk | Notes On Risk]]
A guide to the risk categories is available at  [[SVG:Notes On Risk | Notes On Risk]]
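Review bot: In the added licence sentence the full stop sits inside the link text ([https://creativecommons.org/licenses/by/4.0/    CC-BY 4.0.]), so it renders as part of the link and the sentence then runs on with "including crediting"; suggest moving the period out of the brackets and joining the clauses with a comma, e.g. "[https://creativecommons.org/licenses/by/4.0/ CC-BY 4.0], including crediting the EGI [https://www.egi.eu/ https://www.egi.eu/] Software Vulnerability Group." "Creative commons" should also read "Creative Commons".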
Line 9: Line 12:
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]


This may be useful to sites in conjunction with the advisories[[SVG:Advisory-SVG-CVE-2017-5753  | Advisory-SVG-CVE-2017-5753 ]], [[SVG:Advisory-SVG-CVE-2018-3639 | Advisory-SVG-CVE-2018-3639 ]], and [[SVG:Advisory-SVG-CVE-2018-3620 | Advisory-SVG-CVE-2018-3620]]  from 2018.


{| {{egi-table}}
{| {{egi-table}}
!Date !! Title !! Contents/Link !! Risk !!  Status !!
!Date !! Title !! Contents/Link !! Risk !!  Status !!


|-
|-
| 2019-05-29  updated 2019-09-16|| Docker symlink-race attack
| 2021-06-08, updated 2021-06-22 ||   VOMS-Admin vulnerability
  || [[SVG:Advisory-SVG-CVE-2018-15664| Advisory-SVG-CVE-2018-15664 ]] || Alert || ||
|| [[SVG:Advisory-SVG-2021-17010| Advisory-SVG-2021-17010]] || HIGH || Fixed ||
|-
|-


|-
|-
2019-07-10 ||  ZeroMQ Vulnerability  
2021-06-22 ||  Singularity vulnerabilities
  || [[SVG:Advisory-SVG-CVE-2019-13132 | Advisory-SVG-CVE-2019-13132 ]] || Alert || ||
  || [[SVG:Advisory-SVG-CVE-2021-32635 | Advisory-SVG-CVE-2021-32635]] || || Fixed ||
|-
|-


|-
|-
2019-06-20 ||  Linux Kernel DOS vulnerability: TCP SACK panic  
2021-05-18, updated  2021-06-16 ||  vulnerability concerning SLURM
  || [[SVG:Advisory-SVG-CVE-2019-11477| Advisory-SVG-CVE-2019-11477 ]] || Alert || ||
  || [[SVG:Advisory-SVG-CVE-2021-31215 | Advisory-SVG-CVE-2021-31215]] || HIGH || Fixed ||
|-
|-


|-
|-
2019-05-16 updated 2019-06-20 ||  Singularity Vulnerability announced by the Singularity team
2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI  
  || [[SVG:Advisory-SVG-CVE-2019-11328| Advisory-SVG-CVE-2019-11328 ]] || High  || Fixed ||
|| [[SVG:Advisory-SVG-CVE-2021-27365 | Advisory-SVG-CVE-2021-27365]] || CRITICAL || Fixed ||
|-
|-




|-
|-
2019-05-16 || Microarchitectural Store Buffer Data vulnerability affecting Intel Processors  
2021-05-12, updated 2021-06-03 ||  Squid Vulnerability
  || [[SVG:Advisory-SVG-CVE-2018-12126| Advisory-SVG-CVE-2018-12126 ]] || High || Fixed ||
|| [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] || HIGH || Fixed ||
|-
|-




|-
|-
2019-02-13 updated 2019-03-01 || runc malicious container escape affecting Docker, Kubernetes, lxc
2021-01-06, updated2021-03-22, 2021-04-06  || Linux Kernel release fixing various software vulnerabilities
  || [[SVG:Advisory-SVG-CVE-2019-5736| Advisory-SVG-CVE-2019-5736 ]] || Critical || ||
|| [[SVG:Advisory-SVG-CVE-2020-25211 | Advisory-SVG-CVE-2020-25211]] || HIGH || Fixed ||
|-
|-




|-
|  2020-11-06, updated 2021-03-23 ||  DPM vulnerability allowing file deletion
|| [[SVG:Advisory-SVG-2020-16935 | Advisory-SVG-2020-16935]] || Critical || Fixed ||
|-


|-
|  2021-01-15, updated 2021-03-22 ||  2 HTCondor Vulnerabilities affecting a limited number of versions.
|| [[SVG:Advisory-SVG-2021-17030 | Advisory-SVG-2021-17030]] || Critical || Fixed ||
|-


|-
|-
2019-01-10 updated 2019-01-15, 2019-05-14 ||  systemd-journald vulnerabilities
2021-01-27 ||  sudo privilege escalation vulnerability
  || [[SVG:Advisory-SVG-2019-15258| Advisory-SVG-2019-15258 ]] || Up to Critical ||Heads Up ||
|| [[SVG:Advisory-SVG-CVE-2021-3156 | Advisory-SVG-CVE-2021-3156]] || Critical || Fixed ||
|-
|  2020-11-19 updated 2020-11-25, 2021-01-14 ||  Vulnerability concerning dCache
|| [[SVG:Advisory-SVG-2020-16939 | Advisory-SVG-2020-16939]] || Critical || Fixed ||
|-
|-
|}
|}
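Review bot: The Squid row's link target [[SVG:Advisory-EGI-SVG-2021-17247 | Advisory-SVG-2021-17247]] uses a page-name prefix (Advisory-EGI-SVG-) that differs both from every other row in the table and from its own display text (Advisory-SVG-), so it will point at a different page unless one exists under that name; suggest making target and label match. Smaller consistency points in the same hunk: "updated2021-03-22" in the kernel row is missing a space; the Singularity row (Advisory-SVG-CVE-2021-32635) leaves the Risk cell empty while every other row carries a category; the Risk column mixes "HIGH"/"CRITICAL" with "Critical"; and the Singularity, SLURM, iSCSI, Squid, kernel and sudo rows start their first cell without the leading "|" that the DPM, HTCondor and dCache rows use, which is worth aligning so all rows are parsed the same way.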


Line 64: Line 72:


Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.
Note that SVG is currently working on how to better cope with reducing homogeneity of the infrastructure and handle vulnerabilities related to the EOSC-hub services.
Earlier Advisories:  [[SVG:Advisories-SVG-2020 | Advisories from 2020]]
Earlier Advisories:  [[SVG:Advisories-SVG-2019 | Advisories from 2019]]


Earlier Advisories:  [[SVG:Advisories-SVG-2018 | Advisories from 2018]]
Earlier Advisories:  [[SVG:Advisories-SVG-2018 | Advisories from 2018]]

Revision as of 13:18, 22 June 2021


Advisories


All advisories which are disclosed publicly by SVG are placed on this wiki.

All advisories disclosed publicly by SVG are subject to the Creative Commons licence CC-BY 4.0, which includes crediting the EGI (https://www.egi.eu/) Software Vulnerability Group.

A guide to the risk categories is available at Notes On Risk.

SVG also provides information that may be useful to sites concerning the SVG Speculative execution vulnerabilities.


{| {{egi-table}}
! Date !! Title !! Contents/Link !! Risk !! Status
|-
| 2021-06-08, updated 2021-06-22 || VOMS-Admin vulnerability || Advisory-SVG-2021-17010 || High || Fixed
|-
| 2021-06-22 || Singularity vulnerabilities || Advisory-SVG-CVE-2021-32635 || || Fixed
|-
| 2021-05-18, updated 2021-06-16 || Vulnerability concerning SLURM || Advisory-SVG-CVE-2021-31215 || High || Fixed
|-
| 2021-03-17, updated 2021-04-19, 2021-05-12 || Local Privilege Escalation via iSCSI || Advisory-SVG-CVE-2021-27365 || Critical || Fixed
|-
| 2021-05-12, updated 2021-06-03 || Squid Vulnerability || Advisory-SVG-2021-17247 || High || Fixed
|-
| 2021-01-06, updated 2021-03-22, 2021-04-06 || Linux Kernel release fixing various software vulnerabilities || Advisory-SVG-CVE-2020-25211 || High || Fixed
|-
| 2020-11-06, updated 2021-03-23 || DPM vulnerability allowing file deletion || Advisory-SVG-2020-16935 || Critical || Fixed
|-
| 2021-01-15, updated 2021-03-22 || 2 HTCondor Vulnerabilities affecting a limited number of versions || Advisory-SVG-2021-17030 || Critical || Fixed
|-
| 2021-01-27 || sudo privilege escalation vulnerability || Advisory-SVG-CVE-2021-3156 || Critical || Fixed
|-
| 2020-11-19, updated 2020-11-25, 2021-01-14 || Vulnerability concerning dCache || Advisory-SVG-2020-16939 || Critical || Fixed
|}

EGI SVG produces advisories according to the EGI Software Vulnerability Issue Handling Process, which was revised in 2017 and approved by the EGI OMB in November 2017.

Note that SVG is currently working on how to better cope with the decreasing homogeneity of the infrastructure and how to handle vulnerabilities related to the EOSC-hub services.

Earlier Advisories: Advisories from 2020

Earlier Advisories: Advisories from 2019

Earlier Advisories: Advisories from 2018

Earlier Advisories: Advisories from 2017

Earlier Advisories: Advisories from 2016

Earlier Advisories: Advisories from 2014 and 2015

In the past (up to the end of 2015) CSIRT also issued general alerts at https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts, and EGI SVG advisories primarily concerned gLite middleware.

Earlier Advisories: Advisories from 2011 to 2013


Advisories from prior to 2011: Gridpp Advisories Archive