Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

SVG:Advisory-SVG-2013-5615

From EGIWiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

Advisory-SVG-2013-5615



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2013-5615] 

Title:       EGI SVG Advisory 'Moderate' RISK - Incorrect permission for APEL 
              parser and client config 
Date:        2013-08-17
Updated:     <date  yyyy-mm-dd>

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-5615

Introduction
============

A file permission vulnerability has been found in EMI-3 and UMD-3 versions of 
APEL which may allow users to modify the APEL configuration. 

This has been fixed in the latest version of the  EMI-3 distribution, available 
directly  from EMI or from EGI UMD-3. 


Details
=======

A file permission vulnerability has been found in EMI-3 and UMD-3 versions of 
APEL which may allow users to modify the APEL configuration. 

The version of APEL available in UMD-2 is not affected. 


Risk category
=============

This issue has been assessed as 'Moderate'  risk by the EGI SVG Risk Assessment Team  


Affected software
=================

This is fixed in EMI-3 version APEL version 1.1.2-0 , available either directly from
EMI or from the EGI UMD-3. 

Versions of APEL available in EGI UMD-3 prior to version are affected.

Versions of APEL in EMI-2 and UMD-2 are not affected. 


Mitigation
==========

If sites do not wish to upgrade the site admin may enter the command:

chmod 600 /etc/apel/db.cfg



Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).


Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Sites who wish to install directly from the EMI release should see: 


http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/



Recommendations
===============

Sites running the version of APEL from EMI-3/UMD-3 are recommended to update 
their relevant components.

If they prefer, they may carry out the mitigation. 


Credit
======

This vulnerability was reported by Franciszek Klajn. 


Timeline  
========
Yyyy-mm-dd

2013-05-27 Vulnerability reported by Franciszek Klajn.
2013-05-28 Acknowledgement from the EGI SVG to the reporter
2013-05-29 Software providers responded and involved in investigation
2013-06-14 Software providers made a fix available prior to integration in EMI-3/EGI UMD
2013-06-14 Risk set to 'Moderate' 
2013-06-14 Fixed by the development team.  
2013-09-12 Updated packages available in the EGI UMD 3 version 
2013-09-17 Public disclosure