Difference between revisions of "SVG:Advisory-SVG-2015-9323"

From EGIWiki
Latest revision as of 15:53, 22 August 2017


Advisory-SVG-2015-9323


Title:       **UPDATE - re-introduction** EGI SVG Advisory [TLP:WHITE] "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10, 2017-08-22

Affected software and risk
==========================

MODERATE risk vulnerability concerning dCache

Package :dCache

The dCache team has reported that an old vulnerability from 2015 concerning the "gridftp
door" and the "kerberos ftp door" of dCache has been re-introduced.
No other component is affected.


Actions required/recommended
============================

Sites running dCache should check whether they are running a vulnerable version, see
"Affected software details" below. If they are running a vulnerable version, update in due course.

Sites running dCache may update nodes hosting either a gridftp door or kerberos-ftp door directly 
from the dCache site if they wish.

**UPDATE 2017-08-11** The fixed version is in UMD 4.
 

More information
=================

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" 
of dCache. No other component is affected.

Fixed versions are available on the dCache site. [R 1]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary 
and sufficient to fix the vulnerability.


Affected software details
=========================

FIXED versions of dCache:

   3.0.11 (& later)  note version 3.0.25 is now in UMD-4
   2.16.30 (& later)
   2.15.33 (& later)
   2.14.45 (& later)

VULNERABLE versions of dCache:

   3.0.0 .. 3.0.10
   2.16.0 .. 2.16.29
   2.15.0 .. 2.15.32
   2.14.0 .. 2.14.44
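As an added illustration that is not part of the advisory, the following Python script encodes the fixed and vulnerable ranges listed above and applies them to a constructed node inventory, reporting only the nodes that both run a vulnerable version and host a gridftp or kerberos-ftp door. The inventory format, hostnames and service names are assumptions; versions from release branches the advisory does not list are reported as "unlisted" rather than guessed.

```python
"""Check dCache nodes against the version ranges in EGI-SVG-2015-9323."""
import re

# First fixed version per release branch, exactly as listed in the advisory.
FIXED_IN = {
    (3, 0): (3, 0, 11),
    (2, 16): (2, 16, 30),
    (2, 15): (2, 15, 33),
    (2, 14): (2, 14, 45),
}

# Door services the advisory names as the only affected components
# (service labels are an assumption of this example's inventory format).
AFFECTED_DOORS = {"gridftp", "kerberos-ftp"}


def parse_version(text):
    """Turn '2.16.29' (optionally with a '-1' package suffix) into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised dCache version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_status(text):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a dCache version."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "unlisted"          # branch not covered by this advisory
    return "fixed" if v >= fixed else "vulnerable"


def nodes_to_upgrade(inventory):
    """Nodes that host an affected door AND run a vulnerable version."""
    return sorted(
        host for host, version, services in inventory
        if AFFECTED_DOORS & set(services)
        and version_status(version) == "vulnerable"
    )


# Constructed sample inventory: (host, dCache version, hosted services).
SAMPLE_INVENTORY = [
    ("door1.example", "2.16.29", ["gridftp", "xrootd"]),
    ("door2.example", "2.16.30-1", ["gridftp"]),
    ("krb.example", "3.0.10", ["kerberos-ftp"]),
    ("pool1.example", "2.14.0", ["pool"]),      # vulnerable but no door
    ("old.example", "2.13.5", ["gridftp"]),     # branch not in advisory
]

if __name__ == "__main__":
    for host in nodes_to_upgrade(SAMPLE_INVENTORY):
        print(host, "needs upgrading")
```

A pool node on a vulnerable version is deliberately not reported, matching the advisory's statement that only door nodes need upgrading.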


Mitigation
==========

N/A 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

This update is in EGI UMD 4.5.0 


Updates are also available on the dCache site [R 1]

Please note the EMI repositories are no longer maintained and may no longer be used.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team. 

TLP and URL
===========

** WHITE information - Unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 2].


References
==========

[R 1] https://www.dcache.org/

[R 2] https://documents.egi.eu/public/ShowDocument?docid=2538



Timeline  
========
Yyyy-mm-dd

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, 
           stating they had found and fixed vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only 
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.
2017-03-17 Paul Millar from the dCache team informed SVG that vulnerability has 
           been re-introduced and fixed
2017-03-20 dCache team informed some sites using dCache 
2017-08-10 Updated package in UMD.
2017-08-22 Advisory updated, sent to sites, and placed on the wiki



On behalf of the EGI SVG,