Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Advisory-SVG-2011-3235"

From EGIWiki
Jump to navigation Jump to search
 
Line 69: Line 69:


The official repository for the distribution of grid middleware for EGI sites is  
The official repository for the distribution of grid middleware for EGI sites is  
repository.egi.eu which contains the EGI Unified Middleware Distrbution (UMD).
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).




Line 110: Line 110:
           under way
           under way
2011-12-09 Software providers responded and involved in investigation
2011-12-09 Software providers responded and involved in investigation
2012-01-10 Establised that there is definately a problem  
2012-01-10 Established that there is definitely a problem  
2012-04-04 Updated packages available EGI UMD
2012-04-04 Updated packages available EGI UMD
2012-04-04 Public disclosure
2012-04-04 Public disclosure

Latest revision as of 13:16, 4 April 2012

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2011-3235



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-2011-3235] 

Title:       BDII Predictable passwords
Date:        2012-04-02
Updated:     

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-3235

Introduction
============

It has been found that the BDII [R1] password is predictable when installing
the EMI top level BDII. 

This has now been resolved. 

Details
=======

A previous vulnerability in BDII was found for which the EGI issued an advisory at
[R 2] and it was stated that it only applied to gLite 3.2  

However, this was found to also partially apply to the EMI version of BDII.
The BDII password is predictable and not changed to a random value. 

This has now been resolved in EMI and in the EGI UMD.  


Risk Category
=============

This issue was not individually assessed as it was a partial failure to
resolve issue described at https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1414


Affected Software
=================

This vulnerability was found in BDII 5.2.5-2 

The problem is fixed in BDII 5.2.7 released as part of EMI-1 Update 13 and is 
available in UMD 1.6.0



Mitigation
==========

No Mitigation is recommended.


Component Installation information
==================================


Release UMD-1.6.0 

http://repository.egi.eu/2012/04/02/release-umd-1-6-0/


The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).


http://repository.egi.eu/category/umd_releases/distribution/umd_1 


Recommendations
===============
 
Sites are recommended to update relevant components.


Credit
======

This vulnerability was reported by Lukasz Flis


References
==========


[R 1] https://twiki.cern.ch/twiki/bin/view/EGEE/BDII

[R 2] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-1414

[R 3] http://repository.egi.eu/category/umd_releases/distribution/umd_1/

[R 4] http://www.eu-emi.eu/emi-1-kebnekaise

[R 5] http://repository.egi.eu/2012/04/02/release-umd-1-6-0/


Timeline  
========
Yyyy-mm-dd

2011-11-30 Possible Vulnerability discussed in e-mail by Lukasz Flis
2011-12-08 Vulnerability entered into SVG issue handling process and investigation
           under way
2011-12-09 Software providers responded and involved in investigation
2012-01-10 Established that there is definitely a problem 
2012-04-04 Updated packages available EGI UMD
2012-04-04 Public disclosure