The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
SVG:Advisory-SVG-2014-7009
Jump to navigation
Jump to search
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2014-7009
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2014-7009]
Title: EGI SVG Advisory 'Moderate' RISK Remote access to dCache
configuration information [SVG EGI-SVG-2014-7009]
Date: 2014-08-05
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7009
Introduction
============
A vulnerability has been found in dCache [R 1] by the dCache team which allows remote
access to the dCache configuration information.
This has been resolved both in versions of dcache available on the dcache site and
in the EGI UMD repository.
Details
=======
This vulnerability is confirmed to exist in the software and be exploitable in principle
by anyone with no credentials. It was found that sites in EGI were
all configured in ways which made it not possible to actually exploit this vulnerability.
The vulnerability should not be in the software, hence it has been fixed in the UMD.
Risk category
=============
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.
Affected software
=================
dCache
Affected versions of dCache are:
================================
v2.6.0 through to v2.6.26 (inclusive),
v2.7.0 through to v2.7.8 (inclusive),
v2.8.0 through to v2.8.5 (inclusive),
v2.9.0 through to v2.9.1 (inclusive).
Unaffected (fixed) versions of dCache are
---------------------------------
v2.2.0 and later v2.2 releases,
v2.6.27 and later v2.6 releases,
v2.7.9 and later v2.7 releases,
v2.8.6 and later v2.8 releases,
v2.9.2 and later v2.9 releases.
all subsequent feature releases.
Note that v2.6.28 in UMD-3.8.0 is the latest version in the EGI UMD and this has
the vulnerability resolved.
Mitigation
==========
No sites were found to be configured in a vulnerable manner, so we do not include
mitigation information.
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
Not vulnerable version of dcache in UMD-3.8.0
http://repository.egi.eu/2014/07/24/release-umd-3-8-0/
Sites installing from EMI should see using
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/
A fixed version is in EMI 3 update 17.
Sites may also install directly from the dCache site. [R 1]
Recommendations
===============
Sites are recommended to update relevant components in due course.
Credit
======
SVG was alerted to this vulnerability by Patrick Fuhrmann from dCache
References
==========
[R 1] http://www.dcache.org/index.shtml
Timeline
========
Yyyy-mm-dd
2014-05-14 Vulnerability reported by Patrick Fuhrmann
2014-05-14 Acknowledgement from the EGI SVG to the reporter
2014-05-14 Fixed version of the software available on the dCache site
2014-05-16 Confirmed that due to the manner in which sites in EGI are configured
no sites are currently known to be vulnerable.
2014-05-16 Assessment by the EGI Software Vulnerability Group reported to the software
providers
2014-07-24 Updated packages available in the EGI UMD.
2014-08-05 Public disclosure