Difference between revisions of "SVG:Advisory-SVG-2015-8580"
<pre>
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-8580]

Title: EGI SVG Advisory 'High' Risk - Dirac does not check CRLs [EGI-SVG-2015-8585]
Date: 2015-09-29
Updated: 2015-10-13
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8580

Introduction
============

A vulnerability has been found where Dirac does not check Certificate Revocation Lists (CRLs)
when making its SSL connections.

This has been fixed in the current production version of Dirac.

Details
=======

In the worst case scenario this may allow a user or someone with a stolen certificate to submit
jobs even after the certificate has been revoked in cases where gLexec is not being used.

Risk category
=============

This issue has been assessed as 'High' Risk by the EGI SVG Risk Assessment Team.

Affected software
=================

Dirac versions prior to v6r14

This vulnerability is fixed in Dirac v6r14

Mitigation
==========

N/A

Component installation information
==================================

See [R 1]

Recommendations
===============

Sites are recommended to update relevant components as soon as possible.

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki

Timeline
========

Yyyy-mm-dd
2015-05-05 Vulnerability reported by Simon Fayer from SVG
2015-05-05 Software providers responded and involved in investigation
2015-05-12 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-09-28 Updated packages available
2015-09-29 Advisory sent to sites
2015-10-13 Advisory placed on wiki.
</pre>
Latest revision as of 11:51, 13 October 2015
Advisory-SVG-2015-8580