Difference between revisions of "SVG:Advisory-SVG-2015-9323"

Earlier revision of this advisory (dated 2015-08-24), as shown on the old side of the revision diff; hunks the diff did not show are marked as not shown. The current revision follows below.

<pre>
** WHITE information - Unlimited distribution allowed                      **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG   ADVISORY [EGI-SVG-2015-9323]

Title:      EGI SVG Advisory "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:
URL:        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Introduction
============

dCache [R 1] is a data storage and retrieval system.

A vulnerability has been found in the "gridftp door" and in the "kerberos ftp door" of dCache. No other component is affected.

A fixed binary version is available on the dCache site. [R 2]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary and sufficient to fix the vulnerability.

The fix will be made available in the EGI UMD at a later date.

Details
=======

Further details will be made available later.

Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.

Affected software
=================

All dCache versions prior to this patch are affected.

The releases which fix this issue are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.

It was noted by the dCache team that several sites still run the unsupported 2.6 dCache. Given these sites currently suffer from a Moderate risk vulnerability, dCache have made an additional release: 2.6.51.

[unchanged lines not shown in the diff]

Component installation information
==================================

Updates are available on the dCache site [R 2]

Note that at present the patch is only available from the dCache site.

The official repository for the distribution of grid middleware for EGI sites is
[unchanged lines not shown in the diff]

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Other Information
=================

To give sites time to upgrade their dCache, the dCache team will not release any details of the vulnerability at this time. This includes not making public the source code for the fix for a 'grace period' of two weeks, as doing so would also reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace period elapses, all code changes will be pushed into github and dCache will continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before dCache reveals the change to the source code. As this is 'Moderate' rather than a more serious vulnerability, it is acceptable if the software is not in the UMD before the source is revealed.

Recommendations
===============

Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp door.

Sites may wish to update now from the dCache site [R 2], or may wait until the fixed version is available in the EGI UMD.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team.

References
==========

[R 1] https://www.dcache.org/

[R 2] https://www.dcache.org/downloads/1.9/

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome.

[unchanged lines not shown in the diff]

2015-08-24 Updated packages available from dCache site - binary release only
2015-08-24 Advisory sent to sites

On behalf of the EGI SVG,
</pre>
Latest revision as of 15:53, 22 August 2017


Advisory-SVG-2015-9323


Title:       **UPDATE - re-introduction** EGI SVG Advisory [TLP:WHITE] "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10, 2017-08-22

Affected software and risk
==========================

MODERATE risk vulnerability concerning dCache

Package :dCache

The dCache team has reported that an old vulnerability from 2015 concerning the "gridftp 
door" and the "kerberos ftp door" of dCache has been re-introduced.
No other component is affected.


Actions required/recommended
============================

Sites running dCache should check whether they are running a vulnerable version; see 
"Affected software details" below. If they are running a vulnerable version, update in due course. 

Sites running dCache may update nodes hosting either a gridftp door or kerberos-ftp door directly 
from the dCache site if they wish.

**UPDATE 2017-08-11** The fixed version is in UMD 4. 
 

More information
=================

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" 
of dCache. No other component is affected.

Fixed versions are available on the dCache site. [R 1]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary 
and sufficient to fix the vulnerability.


Affected software details
=========================

FIXED versions of dCache:

   3.0.11 (& later)  (note that version 3.0.25 is now in UMD-4)
   2.16.30 (& later)
   2.15.33 (& later)
   2.14.45 (& later)

VULNERABLE versions of dCache:

   3.0.0 .. 3.0.10
   2.16.0 .. 2.16.29
   2.15.0 .. 2.15.32
   2.14.0 .. 2.14.44
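The check the advisory asks sites to perform is a comparison of the installed version against the table above. The following Python is an added example, not part of the advisory and not dCache's or EGI's own tooling: it encodes the four vulnerable ranges exactly as listed and classifies a version string. The function names (`parse_version`, `assess`) and the sample inputs are constructed for illustration; how a site obtains its installed version string is deployment-specific and is not shown. A release branch that the table does not cover (for example an older, unsupported series) is reported as "unlisted" rather than "fixed", because this advisory makes no statement about it.

```python
"""Classify a dCache version string against the ranges in EGI-SVG-2015-9323."""
import re
from typing import Optional, Tuple

# Vulnerable patch-level ranges per release branch, inclusive, copied from the
# advisory's "VULNERABLE versions" table. The first fixed release of each
# branch is the upper bound plus one (3.0.11, 2.16.30, 2.15.33, 2.14.45).
VULNERABLE_RANGES = {
    (3, 0): (0, 10),    # 3.0.0 .. 3.0.10
    (2, 16): (0, 29),   # 2.16.0 .. 2.16.29
    (2, 15): (0, 32),   # 2.15.0 .. 2.15.32
    (2, 14): (0, 44),   # 2.14.0 .. 2.14.44
}

# Leading major.minor.patch; anything after it (e.g. a package release suffix
# such as "-1.el7") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a version string, or None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a version as 'vulnerable', 'fixed', 'unlisted' or 'unparsable'.

    'unlisted' means the release branch is not in the advisory's table, so no
    conclusion about its safety can be drawn from this advisory alone.
    """
    version = parse_version(text)
    if version is None:
        return "unparsable"
    major, minor, patch = version
    bounds = VULNERABLE_RANGES.get((major, minor))
    if bounds is None:
        return "unlisted"
    low, high = bounds
    return "vulnerable" if low <= patch <= high else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs for demonstration, not real site data.
    samples = ["3.0.10", "3.0.11", "3.0.25", "2.16.29-1.el7",
               "2.14.45", "2.13.7", "not-a-version"]
    for sample in samples:
        print(f"{sample:16} -> {assess(sample)}")
```

Running the block prints one classification per constructed sample; a site would feed it the version string of each node hosting a gridftp or kerberos-ftp door, since the advisory states that only those nodes need updating.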


Mitigation
==========

N/A 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

This update is in EGI UMD 4.5.0 


Updates are also available on the dCache site [R 1]

Please note the EMI repositories are no longer maintained and may no longer be used.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team. 

TLP and URL
===========

** WHITE information - Unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may 
report it by e-mail to 

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 2]. 


References
==========

[R 1] https://www.dcache.org/

[R 2] https://documents.egi.eu/public/ShowDocument?docid=2538



Timeline  
========
Yyyy-mm-dd

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, 
           stating they had found and fixed vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only 
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.
2017-03-17 Paul Millar from the dCache team informed SVG that vulnerability has 
           been re-introduced and fixed
2017-03-20 dCache team informed some sites using dCache 
2017-08-10 Updated package in UMD.
2017-08-22 Advisory updated, sent to sites, and placed on the wiki



On behalf of the EGI SVG,