Difference between revisions of "SVG:Advisory-SVG-2013-5560"
<pre>
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2013-5560]

Title: EGI SVG Advisory 'Moderate' RISK - glite_wms_wmproxy_dirmanager allows
any user to change the permissions on any directory [SVG EGI-SVG-2013-5560]
Date: 2014-08-06
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-5560

Introduction
============
A vulnerability was found in glite_wms_wmproxy_dirmanager where any user is allowed
to change directory permissions.
This has been resolved in the version available in the EGI UMD some time ago.

Details
=======
glite_wms_wmproxy_dirmanager allows any user to create a directory, with any permissions.
It also allows permissions on any existing directory to be changed.
Note that users cannot execute code on the WMS.
This applies to older versions available in EMI-3/UMD-3.
This has been resolved some time ago.

Risk category
=============
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.

Affected software
=================
This is fixed in glite-wms-interface-3.6.2-1 which was released as part of WMS 3.6.2.
The earliest fixed version in the UMD is likely to be WMS 3.6.3, released in April 2014.
All versions of glite-wms-wmproxy-dirmanager prior to this are likely to be affected.

Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
Sites who wish to install directly from the EMI release should see:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/

Recommendations
===============
Sites are recommended to update to the latest version of WMS in due course if they
have not already done so.

Credit
======
This vulnerability was reported by Simon Fayer from Imperial College, London.

Timeline
========
Yyyy-mm-dd
2013-05-22 Vulnerability reported by Simon Fayer.
2013-05-22 Acknowledgement from the EGI SVG to the reporter
2013-06-20 Assessment by the EGI Software Vulnerability Group reported to the software
providers
2014-04-07 Updated packages available in the EGI UMD
2014-08-04 Asked for confirmation that this has been fixed.
2014-08-06 Public disclosure
</pre>
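A way for a site to check a WMS host against the "Affected software" section above, as an added example that is not part of the advisory or of the gLite code. It assumes the RPM is named `glite-wms-interface` (inferred from the fixed build `glite-wms-interface-3.6.2-1`) and uses GNU `sort -V` as an approximation of RPM version ordering; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare an installed glite-wms-interface build with the
# fixed build named in advisory EGI-SVG-2013-5560.

FIXED="3.6.2-1"               # fixed VERSION-RELEASE, taken from the advisory
PKG="glite-wms-interface"     # assumed RPM package name

# classify_nvr VERSION-RELEASE
# Prints "fixed", "affected" or "unknown" for one VERSION-RELEASE string.
classify_nvr() {
    vr=$1
    case $vr in
        [0-9]*-[0-9]*) ;;                 # looks like VERSION-RELEASE
        *) echo unknown; return 0 ;;      # e.g. an rpm error message
    esac
    # Version-aware sort: 3.6.10 ranks above 3.6.2, which a plain
    # lexical comparison would get wrong.
    lowest=$(printf '%s\n%s\n' "$vr" "$FIXED" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED" ]; then
        echo fixed
    else
        echo affected
    fi
}

# check_host
# Queries the local RPM database (requires rpm) and reports the result.
check_host() {
    if ! vr=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null); then
        echo "$PKG: not installed"
        return 0
    fi
    echo "$PKG $vr: $(classify_nvr "$vr")"
}
```

Source the file and call `check_host` on the WMS node; a result of `affected` means the host still carries a build older than the fixed one.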
Latest revision as of 10:12, 6 August 2014