Difference between revisions of "SVG:Advisory-SVG-2011-3094"
Jump to navigation
Jump to search
imported>Cornwall |
|
(No difference)
|
Latest revision as of 12:54, 26 January 2012
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2011-3094
Update 26th January 2012 - fix for gLite 3.2 released on 24th January. ** White information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2011-3904] Title: High Risk - Torque Munge Impersonation vulnerability Date: 2011-12-21 Updated: 2012-01-24 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-3094 Introduction ============ A vulnerability has been found in Torque which may allow users to impersonate other users. This has been fixed in the version of Torque in EPEL, and it is recommended that sites using EMI and UMD upgrade to a fixed version of Torque from the EPEL site. This advisory has been updated as a fixed version of Torque is now available in gLite 3.2. Details ======= Torque server does not properly check user credentials in the case where Munge is present. In some situations one user may be able to impersonate another user and perform actions inlcuding submitting a job. Full details of the vulnerability are now available on the RedHat Bugzilla [R 1] Risk Category ============= This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. Affected Software ================= For EPEL, versions of Torque in EPEL prior to: torque-2.5.7-7.el4 torque-2.5.7-7.el5 torque-2.5.7-9.el6 may be affected. Component Installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distrbution (UMD). A patch is now available from RedHat EPEL this is appropriate for use of sites installing from the EGI UMD and sites installing directly from the EMI distribution. They are detailed fully in the release notes: https://admin.fedoraproject.org/updates/torque-2.5.7-7.el4 https://admin.fedoraproject.org/updates/torque-2.5.7-7.el5 https://admin.fedoraproject.org/updates/torque-2.5.7-9.el6 A patch is also available for sites installing from gLite 3.2 gLite 3.2: http://glite.cern.ch/security_updates gLite 3.2 Security Update 2 It should be noted that the above versions require Munge [R2], both on the WN for the torque-client as well as the server. Some notes on Munge installation and configuration (from EPEL5 earlier version of Torque): The updated EPEL5 build of torque-2.5.7-1 and later as compared to previous versions enables munge as an inter node authentication method. It is highly advisable that prior to upgrading to version 2.5.7-1 or later of this torque package that munge is installed and enabled. A munge package is available within EPEL5. https://admin.fedoraproject.org/community/?package=munge#package_maintenance To enable munge on your torque cluster: * Install the munge package on your pbs_server and submission hosts in your cluster. * On one host generate a key with /usr/sbin/create-munge-key * Copy the key, /etc/munge/munge.key to your pbs_server and submission hosts on your cluster. * Start the munge daemon on these nodes.. service munge start && chkconfig munge on Recommendations =============== It is recommended that sites installing from EMI or the EGI UMD update Torque from the Redhat EPEL site as soon as possible if they have not done so already. Sites installing gLite 3.2 should update as soon as possible from if they did not update from: http://software.nikhef.nl/temporary/torque-patch-5169/rhel5/RPMS/ earlier. Credit ====== This vulnerability was reported by Adam Smutnicki and Lukasz Flis References ========== [R 1] https://bugzilla.redhat.com/show_bug.cgi?id=752079 [R 2] http://code.google.com/p/munge/ Timeline ======== Yyyy-mm-dd 2011-11-03 Vulnerability reported by Adam Smutnicki and Lukasz Flis 2011-11-03 Acknowledgement from the EGI SVG to the reporter 2011-11-08 Risk Assessment complete and Issue reported as EPEL bug. 2011-12-20 Patch available from EPEL 2011-12-21 Advisory released to community 2012-01-24 gLite 3.2 update available, advisory released publicly For the EGI SVG,