

Latest revision as of 13:43, 5 August 2014



** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Moderate' RISK Remote access to dCache 
              configuration information  [SVG EGI-SVG-2014-7009]

Date:        2014-08-05 



A vulnerability has been found in dCache [R 1] by the dCache team which allows remote 
access to the dCache configuration information.

This has been resolved both in the versions of dCache available on the dCache site and 
in the EGI UMD repository.


This vulnerability is confirmed to exist in the software and to be exploitable in principle 
by anyone, without credentials. However, all sites in EGI were found to be configured 
in ways that made it impossible to actually exploit this vulnerability. 
The vulnerability should not be present in the software, hence it has been fixed in the UMD. 

Risk category

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.

Affected software


Affected versions of dCache are:

v2.6.0 through to v2.6.26 (inclusive),
v2.7.0 through to v2.7.8 (inclusive),
v2.8.0 through to v2.8.5 (inclusive),
v2.9.0 through to v2.9.1 (inclusive).

Unaffected (fixed) versions of dCache are:

v2.2.0 and later v2.2 releases,
v2.6.27 and later v2.6 releases,
v2.7.9 and later v2.7 releases,
v2.8.6 and later v2.8 releases,
v2.9.2 and later v2.9 releases,
all subsequent feature releases.

Note that v2.6.28 in UMD-3.8.0 is the latest version in the EGI UMD and this has 
the vulnerability resolved. 
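To check an inventory of installed dCache versions against the ranges listed above, a site could use a script like the following. This is an added example, not part of the original advisory or of dCache; the host names, the sample inventory and the accepted version-string formats (such as a packaging suffix like "-1") are assumptions. Series that the advisory does not mention are reported as "not-listed" rather than guessed.

```python
import re

# Affected ranges from the advisory: series -> (first, last) affected patch, inclusive.
AFFECTED = {
    (2, 6): (0, 26),
    (2, 7): (0, 8),
    (2, 8): (0, 5),
    (2, 9): (0, 1),
}
UNAFFECTED_SERIES = {(2, 2)}    # "v2.2.0 and later v2.2 releases"
LAST_AFFECTED_SERIES = (2, 9)   # later feature releases are listed as fixed

# Accepts 'v2.6.26', '2.6.26' and a packaging suffix such as '2.6.26-1' (assumed format).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.~_].*)?$")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for unparseable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised dCache version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    major, minor, patch = parse_version(text)
    series = (major, minor)
    if series in AFFECTED:
        first, last = AFFECTED[series]
        return "affected" if first <= patch <= last else "fixed"
    if series in UNAFFECTED_SERIES or series > LAST_AFFECTED_SERIES:
        return "fixed"
    return "not-listed"  # e.g. 2.5.x: the advisory makes no statement


def audit(inventory):
    """Return sorted host names whose version needs attention (affected or not-listed)."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "se01.example.org": "2.6.26-1",
    "se02.example.org": "v2.6.28",
    "se03.example.org": "2.9.1",
    "se04.example.org": "2.10.0",
    "se05.example.org": "2.5.3",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, SAMPLE[host], classify(SAMPLE[host]))
```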


No sites were found to be configured in a vulnerable manner, so we do not include 
mitigation information. 

Component installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 3 should see:

A non-vulnerable version of dCache is in UMD-3.8.0.

Sites installing from EMI should see using

A fixed version is in EMI 3 update 17. 

Sites may also install directly from the dCache site. [R 1]


Sites are recommended to update relevant components in due course.


SVG was alerted to this vulnerability by Patrick Fuhrmann from dCache.


[R 1]


2014-05-14 Vulnerability reported by Patrick Fuhrmann  
2014-05-14 Acknowledgement from the EGI SVG to the reporter
2014-05-14 Fixed version of the software available on the dCache site
2014-05-16 Confirmed that due to the manner in which sites in EGI are configured
           no sites are currently known to be vulnerable.
2014-05-16 Assessment by the EGI Software Vulnerability Group reported to the software
2014-07-24 Updated packages available in the EGI UMD.
2014-08-05 Public disclosure