Difference between revisions of "SVG:Advisory-SVG-2015-9323"

From EGIWiki

Revision as of 11:13, 24 August 2015


Advisory-SVG-2015-9323



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2015-9323] 

Title:       EGI SVG Advisory "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Introduction
============

dCache [R 1] is a data storage and retrieval system.  

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" of dCache. No other component is affected.

A fixed binary version is available on the dCache site. [R 2]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary and sufficient to fix the vulnerability.

The fix will be made available in the EGI UMD at a later date.


Details
=======

Further details will be made available later.  


Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team


Affected software
=================

All dCache versions prior to this patch are affected. 

The releases which fix this issue are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.

The dCache team noted that several sites still run the unsupported 2.6 series of dCache. Since these sites are currently exposed to a Moderate risk vulnerability, the dCache team has made an additional release for that series: 2.6.51.


Mitigation
==========

None known. Upgrading the nodes that host a gridftp or kerberos-ftp door is the only fix (see Recommendations).


Component installation information
==================================

Updates are available on the dCache site [R 2]

Note that at present the patch is only available from the dCache site. 


The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/


Other Information
=================

To give sites time to upgrade their dCache, the dCache team will not release any details of 
the vulnerability at this time.  This includes not making public the source code for the 
fix for a 'grace period' of two weeks, as doing so would also reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into github and dCache will 
continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before dCache reveals the 
change to the source code.  As this is a 'Moderate' rather than a more serious vulnerability, 
it is acceptable if the software is not in the UMD before the source is revealed. 


Recommendations
===============

Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp door.

Sites may wish to update now from the dCache site [R 2], or may wait until the fixed version 
is available in the EGI UMD. 
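As an added example (not code from dCache or the EGI SVG), the following Python script turns the advisory's two criteria, a node hosts a gridftp or kerberos-ftp door and its dCache version is below the fixed release of its branch, into an audit check a site can run against each node's version string and layout file. The fixed-release list is the one given under Affected software. Everything about the layout file format is an assumption about dCache configuration, not something the advisory states: the "[domain/service]" section syntax, the service names gridftp, kerberosftp and ftp, and the ftp.authn.protocol property. The sample layout is constructed for the example.

```python
"""Audit helper for EGI-SVG-2015-9323 (dCache gridftp / kerberos-ftp doors).

Added example; not code from dCache or the EGI SVG.  Facts taken from the
advisory: only nodes hosting a gridftp or kerberos-ftp door are affected, and
the fixed releases are 2.13.7, 2.12.19, 2.11.30, 2.10.39 and 2.6.51.
Assumptions (not stated in the advisory): layout files declare services as
"[domain/service]" sections; FTP doors are the services "gridftp",
"kerberosftp" or "ftp", the last selecting its flavour with the property
"ftp.authn.protocol" (gsi, kerberos or plain).
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest release on each branch that contains the fix (from the advisory).
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (2, 13): (2, 13, 7),
    (2, 12): (2, 12, 19),
    (2, 11): (2, 11, 30),
    (2, 10): (2, 10, 39),
    (2, 6): (2, 6, 51),
}
NEWEST_BRANCH = (2, 13)  # newest branch the advisory covers


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (e.g. the output of `rpm -q --qf '%{VERSION}' dcache`,
    an assumed invocation), ignoring a trailing release tag such as '-1'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised dCache version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_status(text: str) -> str:
    """Classify an installed version against the advisory's fix list.

    'fixed'      - at or above the fixed release of its branch
    'vulnerable' - below the fixed release, or on an older branch with no fix
                   (the advisory says all versions prior to the patch are affected)
    'unknown'    - branch newer than any the advisory covers; consult later advisories
    """
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        return "fixed" if version >= fixed else "vulnerable"
    return "vulnerable" if branch < NEWEST_BRANCH else "unknown"


def ftp_doors(layout: str) -> Dict[str, str]:
    """Map each FTP door section of a layout file to its authentication flavour,
    e.g. {'ftpDomain/gridftp': 'gsi', 'ftpDomain/ftp': 'plain'}.  An 'ftp'
    section without ftp.authn.protocol is reported as 'unspecified' so the
    admin checks the site default instead of silently skipping the door."""
    doors: Dict[str, str] = {}
    current: Optional[str] = None  # the [domain/service] section being read
    for raw in layout.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        section = re.fullmatch(r"\[([^\]/]+)(?:/([^\]]+))?\]", line)
        if section:
            domain, service = section.group(1), section.group(2)
            current = f"{domain}/{service}" if service else None
            if service == "gridftp":
                doors[current] = "gsi"
            elif service == "kerberosftp":
                doors[current] = "kerberos"
            elif service == "ftp":
                doors[current] = "unspecified"
            continue
        if current in doors and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "ftp.authn.protocol":
                doors[current] = value.lower()
    return doors


def node_verdict(version: str, layout: str) -> Tuple[str, List[str]]:
    """Return ('no-door' | 'upgrade' | 'fixed' | 'unknown', affected door sections).
    Plain FTP doors do not count; an 'unspecified' ftp door is flagged conservatively."""
    affected = [name for name, proto in ftp_doors(layout).items()
                if proto in ("gsi", "kerberos", "unspecified")]
    if not affected:
        return ("no-door", [])
    status = version_status(version)
    return ("upgrade" if status == "vulnerable" else status, affected)


# Constructed sample layout for the example; not from any real site.
SAMPLE_LAYOUT = """\
[dCacheDomain]
[dCacheDomain/poolmanager]

[ftpDomain]
[ftpDomain/gridftp]
[ftpDomain/kerberosftp]
[ftpDomain/ftp]
ftp.authn.protocol = plain
"""

if __name__ == "__main__":
    for v in ("2.12.15-1", "2.12.19", "2.8.4", "2.14.0"):
        print(v, node_verdict(v, SAMPLE_LAYOUT))
```

A node on an unlisted older branch such as 2.8 is reported as needing an upgrade even though no 2.8 fix exists, which matches the advisory's statement that all prior versions are affected; the remedy there is to move to a supported branch. A branch newer than 2.13 is reported as "unknown" rather than "fixed", since this advisory says nothing about it.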


Credit
======

This vulnerability was reported by Paul Millar of the dCache team. 


References
==========

[R 1] https://www.dcache.org/

[R 2] https://www.dcache.org/downloads/1.9/


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 



Timeline  
========
Yyyy-mm-dd

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, 
           stating they had found and fixed the vulnerability but not yet released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only 
2015-08-24 Advisory sent to sites