Difference between revisions of "SVG:Advisory-SVG-2011-504"
Latest revision as of 13:47, 26 January 2012
Advisory-SVG-2011-504
Updated 26th January 2012 - Patch available on 24th January 2012 for gLite 3.2.

** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2011-504]

Title: APEL publisher vulnerability - 'Low' RISK

Date: 2011-11-18
Updated: 2011-12-21
Updated: 2012-01-24
Updated: 2012-01-26

Introduction
============
A vulnerability has been found in the APEL accounting publisher software, which may allow
users to make a copy of the host key of the system on which APEL is running.
This problem has been resolved in the EGI UMD and EMI distributions released.
This advisory is updated as it is now also resolved in gLite 3.2.

Details
=======
There is a file permission problem in APEL which may allow users to make a copy of the host
key. This is only a problem if APEL is co-located with another service accessible by the
user, such as a CE.

Risk Category
=============
This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team.

Affected Software
=================
For EMI/UMD versions
--------------------
APEL-publisher versions earlier than version 3.2.8 (which contains
glite-apel-publisher-2.0.16-0) are affected.
APEL-publisher version 3.2.8, containing glite-apel-publisher-2.0.16-0,
provides the fix for this issue.

The fixed version is available in
UMD 1.4 (or later)
EMI: EMI 1 (Kebnekaise) - Update 10 (24.11.2011)

gLite 3.2
---------
APEL-publisher versions earlier than glite-apel-publisher-2.0.13-8 are affected.
glite-apel-publisher-2.0.13-8 provides the fix for this issue.
This is available from:
http://glite.cern.ch/security_updates Update 2

Mitigation
==========
If APEL is co-located with another service (e.g. a CE) then sites may wish to check and change
the file permission on the /etc/grid-security/ keystore if necessary.
This should be carried out by sites who are not planning to upgrade shortly.
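The two checks that follow from the Affected Software and Mitigation sections above, written out as an added example; this is not part of the advisory and not EGI, EMI or APEL project code. It assumes that the key material under /etc/grid-security/ is in files named hostkey.pem, *.jks or *.p12 (the advisory only says "the /etc/grid-security/ keystore"), that the installed package is queried as glite-apel-publisher via rpm, and that GNU stat and sort are available. The fixed release numbers (2.0.16-0 for EMI/UMD, 2.0.13-8 for gLite 3.2) are the ones the advisory gives.

```shell
#!/bin/sh
# Added example for EGI-SVG-2011-504; not EGI, EMI or APEL project code.
# Two checks for a host where APEL is co-located with another service
# (e.g. a CE):
#   1. is the installed glite-apel-publisher at or above the fixed release?
#   2. is any private-key material under /etc/grid-security readable by
#      users other than its owner (the condition behind the mitigation)?
# Assumptions not stated in the advisory: key files are named hostkey.pem,
# *.jks or *.p12, and GNU stat/sort are available.

GRID_SECURITY_DIR="${GRID_SECURITY_DIR:-/etc/grid-security}"

# version_ge A B: true when VERSION-RELEASE string A sorts at or after B in
# GNU "sort -V" order, e.g. version_ge 2.0.16-0 2.0.13-8 is true.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# apel_publisher_fixed VERSION-RELEASE DISTRO: true when the installed
# package carries the fix the advisory names for that distribution.
#   emi     -> glite-apel-publisher-2.0.16-0 (EMI 1 Update 10 / UMD 1.4)
#   glite32 -> glite-apel-publisher-2.0.13-8 (gLite 3.2 Security Update 2)
apel_publisher_fixed() {
    case "$2" in
        emi)     version_ge "$1" 2.0.16-0 ;;
        glite32) version_ge "$1" 2.0.13-8 ;;
        *)       echo "unknown distribution: $2" >&2; return 2 ;;
    esac
}

# find_exposed_keys DIR: print "path mode" for each key file in DIR whose
# mode grants any permission to group or other. Exit status 0 when nothing
# is exposed, 1 otherwise.
find_exposed_keys() {
    dir="$1"
    exposed=0
    for f in "$dir"/hostkey.pem "$dir"/*.jks "$dir"/*.p12; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # e.g. 644 (GNU stat)
        # 0$mode is the octal value; 077 masks the group/other bits
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$f $mode"
            exposed=1
        fi
    done
    return $exposed
}

# fix_exposed_keys DIR: strip group/other permissions from every file that
# find_exposed_keys reports, so only the owning service account can read it.
fix_exposed_keys() {
    find_exposed_keys "$1" | while read -r f mode; do
        chmod go-rwx "$f"
        echo "fixed $f ($mode -> $(stat -c '%a' "$f"))"
    done
}

# Command-line use (nothing runs when the file is sourced or given no args):
#   sh apel_keycheck.sh --check emi      # report package state and exposed keys
#   sh apel_keycheck.sh --check glite32
#   sh apel_keycheck.sh --fix            # tighten permissions in place
case "${1:-}" in
    --check)
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' glite-apel-publisher 2>/dev/null) \
            || installed=none
        if [ "$installed" != none ] && apel_publisher_fixed "$installed" "${2:-emi}"; then
            echo "glite-apel-publisher-$installed: fixed version installed"
        else
            echo "glite-apel-publisher-$installed: not at the fixed version for ${2:-emi}"
        fi
        find_exposed_keys "$GRID_SECURITY_DIR" || echo "exposed key material found, see above"
        ;;
    --fix)
        fix_exposed_keys "$GRID_SECURITY_DIR"
        ;;
esac
```

The permission test deliberately looks at group and other bits together rather than only "world-readable": on a shared CE the threat is any local account, and a key readable by a broad group such as the batch users' group is as exposed as a world-readable one. Run the --check pass first; --fix only removes group/other bits and does not change ownership, so a keystore owned by the wrong account still needs manual attention.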
Component Installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:
http://repository.egi.eu/2011/12/19/apel-publisher-3-2-8/

Sites installing directly from EMI may upgrade directly from EMI if they haven't done so
already, see:
EMI-1 site http://www.eu-emi.eu/emi-1-kebnekaise, details of this item are at:
http://www.eu-emi.eu/emi-1-kebnekaise-updates/-/asset_publisher/Ir6q/content/update-10-24-11-2011#APEL_publisher_v_3_2_8_task_2390

gLite 3.2:
gLite 3.2 Security Update 2 available from
http://glite.cern.ch/security_updates

Recommendations
===============
Sites installing from the EGI UMD or directly from EMI should update their sites in due course.
Sites installing gLite 3.2 should update in due course.
If sites have APEL co-located with another service they should consider upgrading soon
or following the Mitigation.

Other information
=================
This advisory has been updated on 24th January 2012 and made public as the problem is now
also resolved in gLite 3.2.

Credit
======
This vulnerability was reported by Valentin Vidic and later independently by Jan Astalos.

Timeline
========
Yyyy-mm-dd
2010-11-15 Vulnerability reported by Valentin Vidic
2010-11-15 Acknowledgement from the EGI SVG to the reporter
2010-11-15 Software providers responded and involved in investigation
2010-11-23 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-10-12 Issue found and reported again independently by Jan Astalos
2011-11-24 Updated packages available in EMI
2011-12-19 Updated version in EGI UMD.
2011-12-21 Advisory distributed to site and NGI security contacts.
2012-01-24 Advisory updated and uploaded to web page as it is now also resolved in gLite 3.2
2012-01-26 Update to correct Affected Software EMI/UMD version and gLite 3.2 version of
           gLite publisher