SVG:Advisory-SVG-2014-6884 - Revision history (wiki.egi.eu, MediaWiki 1.37.1; feed generated 2024-03-28T13:27:16Z). Page created by Cornwall on 2014-04-10T15:22:48Z.
<p><b>New page</b></p><div> <br />
{{svg-header}}<br />
<br />
<pre><br />
<br />
<br />
** WHITE information - Unlimited distribution allowed ** <br />
<br />
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **<br />
<br />
<br />
EGI SVG ADVISORY [EGI-SVG-2014-6884] <br />
<br />
Title: EGI SVG Advisory 'CRITICAL' RISK - WN and UI tarballs in the EMI repository <br />
contain a version of OpenSSL vulnerable to CVE-2014-0160 [SVG EGI-SVG-2014-6884]<br />
<br />
Date: 2014-04-10<br />
Updated: <br />
<br />
<br />
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-6884<br />
<br />
Introduction<br />
============<br />
<br />
EGI CSIRT has already issued an alert concerning CVE-2014-0160 for the OpenSSL Heartbleed <br />
vulnerability [R 1] on 8th April 2014 with updates on 9th April 2014. <br />
<br />
This advisory concerns a specific occurrence of the vulnerable version of OpenSSL in the <br />
EMI-3 repository. <br />
<br />
It is only relevant to sites that install the EMI WN or the UI from tarballs provided in <br />
the EMI repository. <br />
<br />
It is also only relevant to sites that include the 'os-extras' along with the WN and/or <br />
gLite UI tarball. <br />
<br />
<br />
Details<br />
=======<br />
<br />
EGI CSIRT has already issued an alert concerning CVE-2014-0160 for the OpenSSL Heartbleed <br />
vulnerability [R 1] on 8th April 2014 with updates on 9th April 2014.<br />
<br />
A vulnerable version of OpenSSL has since been found in the EMI repository.<br />
<br />
This has been replaced by a non-vulnerable version.<br />
<br />
Sites which use the WN and/or UI tarballs present in the EMI repository may have a <br />
vulnerable version on their systems, downloaded from the EMI repository.<br />
<br />
This separate advisory is considered necessary to inform sites that a vulnerable <br />
version of OpenSSL WAS in the EMI repository, but has been replaced by a <br />
non-vulnerable version. <br />
<br />
Whether sites get their OpenSSL from the EMI repository or elsewhere, they need <br />
to ensure they are not running a vulnerable version. <br />
<br />
<br />
Risk category<br />
=============<br />
<br />
This issue has been assessed as 'Critical' risk by the EGI CSIRT and EGI SVG <br />
Risk Assessment Team. This has been previously reported. <br />
<br />
<br />
Affected software<br />
=================<br />
<br />
Tarballs for the gLite WN and UI available in the EMI repository for SL6.<br />
<br />
The vulnerable version of OpenSSL was found in:<br />
<br />
emi-wn-3.7.1-1_v2.sl6 and<br />
emi-ui-3.7.1-1_v2.sl6<br />
<br />
This is fixed in version:<br />
<br />
emi-wn-3.7.3-1_v1.sl6 and<br />
emi-ui-3.7.3-1_v1.sl6 <br />
<br />
Earlier versions may also be vulnerable. <br />
<br />
Note that SL5 versions are not affected. <br />
<br />
<br />
Mitigation<br />
==========<br />
<br />
N/A. <br />
<br />
<br />
Component installation information<br />
==================================<br />
<br />
The fixed versions are as follows: <br />
<br />
<br />
SL6 WN:<br />
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-wn/emi-wn-3.7.3-1_v1.sl6.tgz<br />
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-wn/emi-wn-3.7.3-1_v1.sl6.os-extras.tgz <br />
<br />
<br />
SL6 UI:<br />
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-ui/emi-ui-3.7.3-1_v1.sl6.tgz<br />
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-ui/emi-ui-3.7.3-1_v1.sl6.os-extras.tgz<br />
<br />
Only sites that use the "os-extras" from this repository will have had the vulnerable OpenSSL <br />
downloaded from the EMI repository into their tarball area.<br />
All other sites still need to upgrade OpenSSL if they have not already done so. <br />
<br />
<br />
For further information, see the Tarball wiki page [R 2].<br />
<br />
<br />
You may also contact the Tarball support list tarball-grid-support@cern.ch <br />
if you have any questions.<br />
<br />
<br />
<br />
Recommendations<br />
===============<br />
<br />
All running resources MUST be either patched or otherwise temporarily removed <br />
from service as soon as possible, and at the latest by 2014-04-15 T21:00+01:00. <br />
Sites failing to act and/or failing to respond to requests from the EGI CSIRT <br />
team risk site suspension. <br />
<br />
This is considered to be part of the same campaign to eliminate CVE-2014-0160 <br />
as described in [R 1]. <br />
<br />
<br />
Credit<br />
======<br />
<br />
SVG was alerted to the vulnerable version of OpenSSL being present in the EMI repository <br />
by Matt Doidge, who also resolved this.<br />
<br />
<br />
References<br />
==========<br />
<br />
[R 1] https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/OpenSSL-2014-04-08<br />
<br />
[R 2] https://www.sysadmin.hep.ac.uk/wiki/EMI3Tarball#Downloading<br />
<br />
<br />
Timeline<br />
========<br />
<br />
2014-04-09 SVG alerted to this problem by Matt Doidge. <br />
2014-04-09 Acknowledgement from the EGI SVG to the reporter<br />
2014-04-09 It was decided that, as this concerns middleware, SVG should issue a <br />
separate advisory from the general one concerning OpenSSL. <br />
2014-04-10 Software providers (also Matt Doidge) provided a new version. <br />
2014-04-10 Advisory issued<br />
2014-04-10 Public disclosure<br />
<br />
<br />
</pre></div>
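As an added check (example code, not part of the advisory or of the EMI tarball project), the following Python classifies the tarball file names in a site's download area against the 'Affected software' and 'Component installation information' sections above: only SL6 is affected, only versions below 3.7.3-1_v1, and the vulnerable OpenSSL was delivered only via the os-extras tarball. The verdict strings, and the rule that every pre-fix SL6 version is treated as potentially vulnerable (the advisory says earlier versions "may also be vulnerable"), are this example's assumptions.

```python
import re

# Fixed SL6 tarball versions named in the advisory: emi-wn/emi-ui 3.7.3-1_v1.
# Encoded as (major, minor, patch, release, tarball revision) for tuple comparison.
FIXED_VERSION = (3, 7, 3, 1, 1)

# Matches the EMI tarball naming scheme used in the advisory, e.g.
#   emi-wn-3.7.1-1_v2.sl6.tgz  or  emi-wn-3.7.1-1_v2.sl6.os-extras.tgz
TARBALL_RE = re.compile(
    r"^emi-(?P<comp>wn|ui)-(?P<ver>\d+\.\d+\.\d+)-(?P<rel>\d+)_v(?P<rev>\d+)"
    r"\.(?P<os>sl\d+)(?P<extras>\.os-extras)?\.tgz$"
)


def parse_tarball_name(name):
    """Return (component, version tuple, os tag, has_os_extras), or None
    if the basename is not an EMI WN/UI tarball. Accepts a URL or a path."""
    m = TARBALL_RE.match(name.rsplit("/", 1)[-1])
    if m is None:
        return None
    version = tuple(int(p) for p in m.group("ver").split("."))
    version += (int(m.group("rel")), int(m.group("rev")))
    return m.group("comp"), version, m.group("os"), m.group("extras") is not None


def tarball_verdict(name):
    """Classify one downloaded tarball against EGI-SVG-2014-6884.
    The verdict strings are this example's own (assumption), not the advisory's."""
    parsed = parse_tarball_name(name)
    if parsed is None:
        return "not-emi-wn-ui"
    _comp, version, os_tag, has_extras = parsed
    if os_tag != "sl6":
        return "not-affected-os"  # advisory: SL5 versions are not affected
    if version >= FIXED_VERSION:
        return "fixed"
    if has_extras:
        # The vulnerable OpenSSL came only via os-extras; the advisory says earlier
        # versions "may also be vulnerable", so every pre-fix os-extras counts.
        return "vulnerable-openssl-from-emi"
    # A base tarball without os-extras did not deliver OpenSSL from EMI, but the
    # site must still make sure its system OpenSSL is patched.
    return "old-tarball-check-system-openssl"


def site_needs_action(downloaded):
    """True if any tarball in the site's download area delivered the vulnerable OpenSSL."""
    return any(tarball_verdict(n) == "vulnerable-openssl-from-emi" for n in downloaded)
```

Running `site_needs_action` over the list of tarball names a site actually fetched tells it whether the EMI download itself put the vulnerable OpenSSL on disk; a "fixed" or "old-tarball" verdict does not remove the need to verify the system OpenSSL as [R 1] requires.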