Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:Advisory-SVG-2013-5331"

From EGIWiki
Jump to navigation Jump to search
 
Line 27: Line 27:
This vulnerability is present in versions distributed in EMI-2, UMD-2, EMI-3 and UMD-3.
This vulnerability is present in versions distributed in EMI-2, UMD-2, EMI-3 and UMD-3.


This problem has been fixed in the version of WMS available in EMI-3 and UMD-3, but not in the version available in EMI-2 and UMD-2.
This problem has been fixed in the version of WMS available in EMI-3 and UMD-3, but not  
in the version available in EMI-2 and UMD-2.




Line 38: Line 39:
The issue is fixed in versions available in EMI-3 and EGI UMD-3.  
The issue is fixed in versions available in EMI-3 and EGI UMD-3.  


This is not fixed in the version available in EMI-2 and UMD-2.
This is not fixed in the version available in EMI-2 and UMD-2, however
It is unclear whether a fix can be made available for the EMI-2 version, for this reason no details on the vulnerability itself will be made available at present.
sites should have migrated from this by now.  
 
It is also noted that the EMI 2 version of WMS does not handle SHA-2 certificates, which will begin to be issued in October 2013.  


It is also noted that the EMI 2 version of WMS does not handle SHA-2
certificates.




Line 98: Line 99:
===============
===============


Sites running versions of WMS directly from EMI-3 should check that the version they are running is up to date, and if it is not update their software as soon as possible. Sites are likely to be running a vulnerable version if they have not updated to the latest version of WMS in EMI-3 since 21st May 2013.
Sites running versions of WMS directly from EMI-3 should check that the version  
they are running is up to date, and if it is not update their software as soon  
as possible. Sites are likely to be running a vulnerable version if they have not  
updated to the latest version of WMS in EMI-3 since 21st May 2013.


Sites running versions of WMS from EGI UMD-3 should update as soon as possible.
Sites running versions of WMS from EGI UMD-3 should update as soon as possible.


For sites running EMI-2 version of WMS, either directly from EMI or from EGI UMD-2 are strongly recommended to carry out a planned migration to the EMI-3 version, either directly from EMI or from EGI UMD 3.  This will eliminate this vulnerability from their sites and help prepare them for the SHA-2 migration which starts in October 2013.
For sites running EMI-2 version of WMS, either directly from EMI or from EGI UMD-2  
are strongly recommended to carry out a planned migration to the EMI-3 version,  
either directly from EMI or from EGI UMD 3.  This will eliminate this vulnerability  
from their sites and help prepare them for the SHA-2 migration which starts in  
October 2013.
    
    
    
    
Line 108: Line 116:
================
================


The ability to impersonate another user puts this vulnerability into the 'high' risk category, however it is not easy to find therefore we are not insisting on a rapid migration from the EMI-2 version of WMS due to this vulnerability. Sites should be aware that this could change if, for example, details of this exploit were to become public.  
The ability to impersonate another user puts this vulnerability into the 'high'  
risk category, however it is not easy to find therefore we are not insisting on  
a rapid migration from the EMI-2 version of WMS due to this vulnerability.  
Sites should be aware that this could change if, for example, details of this  
exploit were to become public.  


Sites will need to migrate away from software which does not support SHA-2 anyway by October if they wish to continue to support all their users. This includes the EMI-2 version of WMS.  
Sites will need to migrate away from software which does not support SHA-2 anyway  
by October 2013 if they wish to continue to support all their users.  
This includes the EMI-2 version of WMS.  


It is also unclear whether we need to now consider the EMI-2 version of WMS as out of security support.  
It is also unclear whether we need to now consider the EMI-2 version of WMS  
as out of security support.  




Line 129: Line 144:
2013-04-10 Acknowledgement from the EGI SVG to the reporter
2013-04-10 Acknowledgement from the EGI SVG to the reporter
2013-04-11 Software providers responded and involved in investigation
2013-04-11 Software providers responded and involved in investigation
2013-04-17 Assessment by the EGI Software Vulnerability Group reported to the software providers
2013-04-17 Assessment by the EGI Software Vulnerability Group reported  
          to the software providers
2013-05-21 Updated packages available in EMI-3
2013-05-21 Updated packages available in EMI-3
2013-06-27 Updated packages available in EGI UMD 3  
2013-06-27 Updated packages available in EGI UMD 3  

Latest revision as of 14:55, 23 June 2014

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2013-5331



** White information - unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG  ADVISORY [EGI-SVG-2013-5331] 

Title:       EGI SVG Advisory 'High' RISK - EMI WMS Impersonation vulnerability.
Date:        2013-06-28
Updated:     2014-06-23  


Only update is to place on public wiki, as sites deploying a vulnerable version 
should have migrated away from this by now.    

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-5331


Introduction
============

A vulnerability has been found in WMS which may allow impersonation. 

This vulnerability is present in versions distributed in EMI-2, UMD-2, EMI-3 and UMD-3.

This problem has been fixed in the version of WMS available in EMI-3 and UMD-3, but not 
in the version available in EMI-2 and UMD-2.



Details
=======

A vulnerability has been found in WMS which may allow impersonation.  

The issue is fixed in versions available in EMI-3 and EGI UMD-3. 

This is not fixed in the version available in EMI-2 and UMD-2, however
sites should have migrated from this by now. 

It is also noted that the EMI 2 version of WMS does not handle SHA-2 
certificates. 


Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG


Affected software
=================

For EMI 3 this issue is fixed in  WMS 3.5.1 (glite-wms-interface-3.5.0-8) 

This is available from EMI-3 update 4  (available from 21st May 2013)
and from UMD-3 version 3.1.0  (available from 27th June 2013)

Eariler versions are vulnerable. 


The current EMI 2 version (whether available from the EGI UMD-2 or directly from EMI) 
is vulnerable. 



Mitigation
==========

No mitigation is recommended. 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Release notes for this version are at:

http://repository.egi.eu/2013/06/26/release-umd-3-1-0/


Sites who wish to install directly from the EMI release should see: 

http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/



Recommendations
===============

Sites running versions of WMS directly from EMI-3 should check that the version 
they are running is up to date, and if it is not update their software as soon 
as possible. Sites are likely to be running a vulnerable version if they have not 
updated to the latest version of WMS in EMI-3 since 21st May 2013.

Sites running versions of WMS from EGI UMD-3 should update as soon as possible.

For sites running EMI-2 version of WMS, either directly from EMI or from EGI UMD-2 
are strongly recommended to carry out a planned migration to the EMI-3 version, 
either directly from EMI or from EGI UMD 3.  This will eliminate this vulnerability 
from their sites and help prepare them for the SHA-2 migration which starts in 
October 2013.
   
  
Other information
================

The ability to impersonate another user puts this vulnerability into the 'high' 
risk category, however it is not easy to find therefore we are not insisting on 
a rapid migration from the EMI-2 version of WMS due to this vulnerability. 
Sites should be aware that this could change if, for example, details of this 
exploit were to become public. 

Sites will need to migrate away from software which does not support SHA-2 anyway 
by October 2013 if they wish to continue to support all their users. 
This includes the EMI-2 version of WMS. 

It is also unclear whether we need to now consider the EMI-2 version of WMS 
as out of security support. 


Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London. 



Timeline 
========
Yyyy-mm-dd

2013-04-09 Vulnerability reported by Simon Fayer 
2013-04-10 Acknowledgement from the EGI SVG to the reporter
2013-04-11 Software providers responded and involved in investigation
2013-04-17 Assessment by the EGI Software Vulnerability Group reported 
           to the software providers
2013-05-21 Updated packages available in EMI-3
2013-06-27 Updated packages available in EGI UMD 3 
2013-06-28 Advisory sent to sites as 'Amber'
2014-06-23 Advisory placed on public wiki