

From EGIWiki
Revision as of 10:10, 6 August 2014 by Cornwall (talk | contribs)


** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Moderate' risk, WMS allows other users to access logging information  
            [SVG EGI-SVG-2013-5346]

Date:        2013-08-06



There was a vulnerability in WMS where users could access other users' logging information.

This information should not be accessible by general users, it is a confidentiality 

This was confirmed as having been fixed some time ago, during 2013. 


There was a file permission problem on the WMS log files which allowed users who 
understood how to do so to access other users' log files.

This is considered to be a vulnerability, as logging information should not be 
accessible by general users.
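
A way for a site administrator to check a log directory for this class of permission problem, as an added example that is not part of the original advisory or of the WMS code. The directory layout, user names and file name below are constructed, since the advisory does not give the WMS log paths; the "group" result assumes directories and files share one group.

```python
import os
import stat
import tempfile

def audit_log_tree(root):
    """List (relative path, octal mode, exposure) for regular files under root
    that a local user other than the owner can read. Mode bits only: ACLs are
    not inspected, and directories above root are assumed to be traversable."""
    findings = []

    def visit(directory, other_ok, group_ok):
        mode = os.lstat(directory).st_mode
        # A file is reachable only if every directory on the way grants search (x).
        other_ok = other_ok and bool(mode & stat.S_IXOTH)
        group_ok = group_ok and bool(mode & stat.S_IXGRP)
        if not (other_ok or group_ok):
            return
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                visit(entry.path, other_ok, group_ok)
            elif stat.S_ISREG(st.st_mode):
                if other_ok and st.st_mode & stat.S_IROTH:
                    exposure = "other"   # any local account
                elif group_ok and st.st_mode & stat.S_IRGRP:
                    exposure = "group"   # accounts sharing the file's group
                else:
                    continue
                rel = os.path.relpath(entry.path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), exposure))

    visit(root, True, True)
    return findings

def build_constructed_tree(base):
    """Create a constructed sample layout (hypothetical names) and return its root."""
    root = os.path.join(base, "logs")
    os.mkdir(root)
    os.chmod(root, 0o755)
    for user, dmode, fmode in [("userA", 0o755, 0o644), ("userB", 0o700, 0o644),
                               ("userC", 0o711, 0o640), ("userD", 0o755, 0o600)]:
        os.mkdir(os.path.join(root, user))
        path = os.path.join(root, user, "job.log")
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        os.chmod(path, fmode)
        os.chmod(os.path.join(root, user), dmode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_log_tree(build_constructed_tree(tmp)):
            print(finding)
```

A directory with mode 0711 hides its listing but still exposes any readable file whose name is known, which is why the search bit is tracked along the whole path rather than only the file mode.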

EGI cannot guarantee confidentiality, and users, VOs and NGIs are generally aware that
general usage is not confidential. In particular, log files are accessible by site 
administrators across the Grid.

Risk category

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.

Affected software


It is certainly fixed in the current version, WMS 3.6.5, and probably in some earlier 
versions going back to 3.6.1, which was released in December 2013.   
Versions earlier than 3.6.1 are likely to be vulnerable.

Component installation information

Sites using the EGI UMD 3 should see:

Sites who wish to install directly from the EMI release should see:


Sites are recommended to update to the latest version of WMS in due course if they 
have not already done so. 


This vulnerability was reported by Sven Gabriel 

Other information

The risk category reflects the fact that EGI takes confidentiality seriously. 

EGI's usage of logging information is stated as point 9 in the EGI Acceptable
Use Policy [R 1].

It is difficult to ascertain whether other middleware allows users access to other
users' log files. If any further cases are found, they will be treated as vulnerabilities.

[R 1] The EGI Acceptable Use Policy (AUP)


2013-04-09 Vulnerability reported by Sven Gabriel
2013-04-09 Acknowledgement from the EGI SVG to the reporter
2013-04-18 Separated from other issue, by Sven Gabriel
2013-05-16 Discussed at SVG monthly meeting. Agreed it is a vulnerability.
2013-06-18 Assessment by the EGI Software Vulnerability Group reported to the software providers
2013-??-?? Updated packages available in the EGI UMD. 
2014-08-04 Asked for confirmation that this has been fixed. Stated fixed quite some time ago
2014-08-06 Public disclosure