
Difference between revisions of "SVG:Advisory-SVG-2012-4598"

Revision as of 17:16, 19 February 2013


Advisory-SVG-2012-4598



** WHITE information - Unlimited distribution allowed                       **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2012-4598]

Title:       EGI SVG Advisory 'Moderate' RISK - VOMS Java APIs incorrect CRL checking
Date:         2013-02-19


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-4598

Introduction
============

A vulnerability has been found in the VOMS Java APIs where CRL checking
is not correctly carried out.

This has been fixed by the developers and a new version is available.


Details
=======

The developers found a problem with the VOMS Java API where the CRL is not correctly checked.
This means that if a VOMS server were compromised, and its certificate then
added to the CRL, VOMS certificates from this server may still be accepted.

Although it is unlikely that a VOMS server would be compromised, and this vulnerability is
not exploitable by itself, serious problems would arise if a VOMS server were compromised
and CRL checking was not properly carried out. Hence this problem has been fixed.
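To make the failure mode concrete, here is an added example (not code from the advisory or from the VOMS project) that uses the openssl command line to contrast a chain-only check, which accepts a revoked server certificate, with one that also consults the CRL; the test CA, the server name voms.example.org and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: throwaway CA, a "VOMS server" certificate and a CRL that
# revokes it; then a chain-only check versus a CRL-aware check. All names
# and files here are constructed placeholders, not real infrastructure.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
make_pki() {
  # Test CA and server certificate signed by it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 2 -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout voms.key -out voms.csr \
    -subj "/CN=voms.example.org" >/dev/null 2>&1
  openssl x509 -req -in voms.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out voms.crt -days 2 >/dev/null 2>&1
  # Minimal 'openssl ca' configuration so the test CA can issue CRLs.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
private_key = ca.key
certificate = ca.crt
default_md = sha256
default_crl_days = 1
EOF
  touch index.txt
  echo 01 > crlnumber
  openssl ca -config ca.cnf -gencrl -out empty.crl >/dev/null 2>&1   # before revocation
  openssl ca -config ca.cnf -revoke voms.crt >/dev/null 2>&1         # server "compromised"
  openssl ca -config ca.cnf -gencrl -out revoked.crl >/dev/null 2>&1 # CRL now lists it
}
# Chain-only check: trusts the CA signature and never consults the CRL, so a
# revoked server certificate is still accepted. $1 = certificate to check.
chain_only_check() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}
# CRL-aware check: same chain validation plus revocation status of the leaf;
# openssl verifies the CRL's own signature against the CA and its nextUpdate
# before trusting it. $1 = certificate, $2 = CRL. Non-zero status = reject.
crl_aware_check() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1
}
make_pki
chain_only_check voms.crt && echo "chain-only check: accepted despite revocation"
crl_aware_check voms.crt revoked.crl || echo "CRL-aware check: rejected, certificate revoked"
```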


Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.


Affected software
=================

All versions of the VOMS Java API up to and including version 2.0.8.

This is fixed in VOMS version 2.0.10 as available in EMI 1 Update 23 and EMI 2 Update 8.

The package has also been released in EGI UMD-1 Release 1.10.0
http://repository.egi.eu/2013/02/19/release-umd-1-10-0/

and UMD-2 Release 2.4.0
http://repository.egi.eu/2013/02/18/release-umd-2-4-0/



Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:


http://repository.egi.eu/category/umd_releases/distribution/umd_1/

http://repository.egi.eu/category/umd_releases/distribution/umd-2/



Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/

http://www.eu-emi.eu/emi-1-kebnekaise/updates/



Recommendations
===============


Sites are recommended to update relevant components to the VOMS Java API 2.0.9.



Credit
======

This vulnerability was reported by Andrea Ceccanti.


Timeline
========
Yyyy-mm-dd

2012-11-06 Vulnerability reported by Andrea Ceccanti stating that the VOMS
           team had found this problem and were fixing it
2012-11-07 Acknowledgement from the EGI SVG to the reporter
2012-11-20 Assessment by the EGI Software Vulnerability Group reported to the
           software providers
2013-01-28 Updated packages available in the EMI distribution
2013-02-19 Updated packages available in the EGI UMD distributions
2013-02-19 Public disclosure