Difference between revisions of "SVG:Advisory-SVG-2011-1414"
Revision as of 16:41, 15 November 2011
<<svg-header>>
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2011-1414]

Title:    Moderate Risk: BDII file permission and passwords
Date:     2011-03-09
Updated:  2011-10-21, 2011-11-15
URL:      https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1414

Introduction
============

This advisory is being issued because a vulnerability in BDII [R1] has been found which may allow an authorized user to gain password information from a BDII configuration file. This problem has been reported to the EGI Software Vulnerability Group (SVG). Only gLite 3.2 services are affected.

Details
=======

The Berkeley Database Information Index (BDII) is used to provide information on services and resources in the EGI Grid environment.

One of the configuration files which contains passwords for the database has been found to have the wrong file permissions by default, so authorized users may be able to read it and then modify the Information Service database.

Also, on configuration of the BDII the site administrator is not forced to change the password from the default. If the password is known and a given BDII is accessible, its contents can be modified remotely.

The affected gLite 3.2 services include the top-level BDII, the site BDII and every service with a resource BDII; that is, every service containing the bdii rpm.

Risk Category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team (RAT).

Affected Software
=================

glite-yaim-core <= 4.0.14-1

For BDII version 5.0.x, versions earlier than 5.0.10 are affected; the problem was resolved in 5.0.10.

For BDII version 5.1.x, versions earlier than 5.1.23 are affected; the problem was resolved in 5.1.23.

Affected versions are only present in gLite 3.2. EMI and the EGI UMD contain newer, non-vulnerable versions of BDII.

In ARC the BDII is managed differently and was found not to be vulnerable.
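The two weaknesses described under Details (a password-bearing configuration file readable by more than its owner, and a database password left at the shipped default) are both things a site administrator can audit locally. The following Python script is an added example written for this page, not code from EGI, gLite or the BDII project. The advisory does not name the configuration file, its key names or the default password, so the file path, the password-like key pattern and the `KNOWN_DEFAULT_PASSWORDS` set are placeholders an operator would fill in from their own installation; the sample configuration in `demo()` is constructed.

```python
import os
import re
import stat
import tempfile

# Hypothetical: the advisory does not publish the real key names or the
# shipped default, so this matches any "key = value" / "key: value" line
# whose key looks like a password and compares it against a placeholder set.
PASSWORD_KEY_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:pass|pw|password)[A-Za-z0-9_.-]*)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)
KNOWN_DEFAULT_PASSWORDS = {"CHANGE_ME_PLACEHOLDER_DEFAULT"}  # placeholder, not a real value


def permission_findings(path):
    """Return which of group/other can read the file (empty list is the desired state)."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def default_password_findings(path, defaults=KNOWN_DEFAULT_PASSWORDS):
    """Return the names of password-like keys whose value is still a known default."""
    hits = []
    with open(path) as fh:
        for line in fh:
            m = PASSWORD_KEY_RE.match(line)
            if m and m.group(2) in defaults:
                hits.append(m.group(1))
    return hits


def audit(path, defaults=KNOWN_DEFAULT_PASSWORDS):
    """Combine both checks into one report for a configuration file."""
    return {
        "permissions": permission_findings(path),
        "default_passwords": default_password_findings(path, defaults),
    }


def demo():
    """Constructed sample: a config holding a default password, audited at 0644 and then at 0600."""
    sample = (
        "# constructed sample, not a real BDII configuration file\n"
        "DB_USER = bdii\n"
        "DB_PASSWORD = CHANGE_ME_PLACEHOLDER_DEFAULT\n"
    )
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as fh:
        fh.write(sample)
        path = fh.name
    try:
        os.chmod(path, 0o644)   # the advisory's "wrong permissions by default" case
        before = audit(path)
        os.chmod(path, 0o600)   # permissions fixed, but the default password remains
        after = audit(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at 0644:", before)
    print("at 0600:", after)
```

Run it on a real installation as `audit("/path/to/config")` with the site's own default value(s) in the set; a clean result is an empty `permissions` list and an empty `default_passwords` list. The two checks are deliberately independent, since fixing the file mode alone leaves the remote-modification problem the advisory describes when the default password is known.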