
SVG:Advisory-SVG-2011-1866

From EGIWiki. Revision as of 14:56, 28 July 2011 by Cornwall.

Advisory-SVG-2011-1866



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-2011-1866] 

Title:       Low Risk - VOMS file vulnerability 
Date:        2011-06-20
Updated:     2011-07-14


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1866

Introduction
============


A vulnerability has been found in the VOMS server which allows the overwriting of files.

This vulnerability is not applicable in VOMS 2.0 as available from the EMI release
and the EGI UMD release. 


Details
=======

A vulnerability has been found which allows anyone with an account on the VOMS server
to overwrite files on the VOMS server.   

This problem does not occur in VOMS 2.0 as available from the EMI release and the EGI UMD
release. 

This vulnerability is only exploitable by someone who has an account on the same host
as the VOMS server; such accounts should not exist on a VOMS host.



Risk Category
=============

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team.  


Affected Software
=================

All versions of VOMS prior to VOMS 2.0. 


Mitigation
==========

N/A

Component Installation information
==================================



<e.g. pointer to UMD release >


Recommendations
===============

Sites should upgrade to VOMS version 2.0 as available in EMI or the EGI UMD in due course.

Sites are reminded that user accounts and/or other user access should not be in place on the
same host as the VOMS server.  Access to the VOMS server should be restricted to local site
administrators.
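As an added example that is not part of the advisory, the following POSIX shell check implements the recommendation above on a VOMS host: it lists login-capable accounts in a passwd(5) file that are neither root nor on a site-administrator allowlist. The allowlist file, the sample accounts and the definition of "login-capable" (any shell other than nologin/false and the system shutdown shells) are assumptions made for this example.

```shell
#!/bin/sh
# Audit a passwd(5) file for login-capable accounts that are not local site
# administrators. On a VOMS host the advisory expects no such accounts.
# Assumptions (not from the advisory): administrators are listed one per line
# in an allowlist file; root (uid 0) is always treated as an administrator.

# Print the names of login-capable accounts in $1 that are absent from $2.
find_unexpected_accounts() {
    passwd_file=$1
    allow_file=$2
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        # Service and system accounts without a usable login shell are skipped.
        case "$shell" in
            */nologin|*/false|*/sync|*/halt|*/shutdown|"") continue ;;
        esac
        [ "$uid" -eq 0 ] && continue
        if ! grep -qx -- "$name" "$allow_file"; then
            printf '%s\n' "$name"
        fi
    done < "$passwd_file"
}

# Constructed sample data so the check runs offline; not taken from a real host.
sample_passwd=$(mktemp)
sample_allow=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
voms:x:500:500:VOMS service account:/var/lib/voms:/sbin/nologin
siteadmin:x:1000:1000:Local site administrator:/home/siteadmin:/bin/bash
alice:x:1001:1001:Ordinary user:/home/alice:/bin/bash
EOF
printf 'siteadmin\n' > "$sample_allow"

# Prints "alice": the one account that should not be present on a VOMS host.
find_unexpected_accounts "$sample_passwd" "$sample_allow"
```

Run it against the host's real /etc/passwd and your own allowlist; any name it prints is an account the advisory says should not be on the VOMS server.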

Credit
======

This vulnerability was reported by Steve Traylen. 


References
==========




Timeline  
========
Yyyy-mm-dd

2011-05-09 Vulnerability reported by Steve Traylen.
2011-05-09 Acknowledgement from the EGI SVG to the reporter
2011-05-09 Software providers responded and involved in investigation
2011-05-11 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-05-11 Confirmation from Software providers that this is not a problem in VOMS 2.0 available
           in EMI.
2011-07-12 Updated packages available in the EGI UMD
2011-07-28 Public disclosure