Difference between revisions of "SVG:Advisory-SVG-2015-9323"

From EGIWiki

(3 intermediate revisions by the same user not shown)

Text of the earlier revision (as updated 2015-09-10) in the regions the diff shows as changed; the text of the latest revision follows below.

<pre>
Title:      **UPDATE** EGI SVG Advisory "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Introduction
============

dCache [R 1] is a data storage and retrieval system.

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door"
of dCache. No other component is affected.

A fixed binary version is available on the dCache site. [R 2]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is
necessary and sufficient to fix the vulnerability.

**UPDATE** The fix is now also available in the EGI UMD as well as the EMI repository.

Details
=======

See the dCache page.

Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team

Affected software
=================

All dCache versions prior to this patch are affected.

The releases which fix this issue are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.

It was noted by the dCache team that several sites still run the unsupported 2.6
dCache. Given these sites currently suffer from a Moderate risk vulnerability, dCache
have made an additional release: 2.6.51.

[...]

Component installation information
==================================

Updates are available on the dCache site [R 2]
Note that at present the patch is only available from the dCache site.

The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

The update is available in the EMI-3 repository:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/-/asset_publisher/5Na8/content/update-28-26-08-2015-v-3-16-1-1

Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/

**Update**
http://repository.egi.eu/2015/09/10/release-umd-3-13-3/

The version of dCache which is in this release of the EGI UMD is 2.10.39.

Other Information
=================

Previously:

To give sites time to upgrade their dCache, the dCache team will not release any
details of the vulnerability at this time. This includes not making public the
source-code for the fix for a 'grace period' of two weeks, as doing so would also
reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.
Once the grace-period elapses, all code changes will be pushed into github and dCache
will continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before dCache
reveals the change to the source code.  As this is 'Moderate' rather than a more
serious vulnerability it is acceptable if the software is not in the UMD before the
source is revealed.

**Update**:  The fix is now in the EGI UMD.

Recommendations
===============

Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp
door.

**Update**
Sites may wish to update now from the dCache site [R 2], or from the EGI UMD.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team.

[...]

[R 1] https://www.dcache.org/
[R 2] https://www.dcache.org/downloads/1.9/

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions
and comments are welcome.

[...]

2015-09-10 Update available in UMD
2015-09-10 Advisory updated.

On behalf of the EGI SVG,
</pre>

Latest revision as of 15:53, 22 August 2017


Advisory-SVG-2015-9323


Title:       **UPDATE - re-introduction** EGI SVG Advisory [TLP:WHITE] "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10, 2017-08-22

Affected software and risk
==========================

MODERATE risk vulnerability concerning dCache

Package :dCache

The dCache team has reported that an old vulnerability from 2015 concerning the "gridftp 
door" and the "kerberos ftp door" of dCache has been re-introduced.
No other component is affected.


Actions required/recommended
============================

Sites running dCache should check whether they are running a vulnerable version, see 
"Affected software details" below. If they are running a vulnerable version, update in due course. 

Sites running dCache may update nodes hosting either a gridftp door or kerberos-ftp door directly 
from the dCache site if they wish.

**UPDATE 2017-08-11** A fixed version is in the UMD 4.
 

More information
================

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" 
of dCache. No other component is affected.

Fixed versions are available on the dCache site. [R 1]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary 
and sufficient to fix the vulnerability.


Affected software details
=========================

FIXED versions of dCache:

   3.0.11 (& later)  note version 3.0.25 is now in UMD-4
   2.16.30 (& later)
   2.15.33 (& later)
   2.14.45 (& later)

VULNERABLE versions of dCache:

   3.0.0 .. 3.0.10
   2.16.0 .. 2.16.29
   2.15.0 .. 2.15.32
   2.14.0 .. 2.14.44
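A version check built from the ranges in this advisory, as an added example (not part of the advisory and not dCache's own tooling): the 2017 table above plus the 2015 fix releases listed in the earlier revision of this advisory; the sample inventory and the "major.minor.patch" version-string format are assumptions.

```python
"""Check dCache version strings against EGI-SVG-2015-9323 (added example).

Ranges are taken from the advisory: the 2017 re-introduction table
(branches 2.14 to 3.0) and the 2015 fix releases listed in its earlier
revision. Version strings are assumed to contain "major.minor.patch".
"""
import re

# branch -> first fixed patch level ("Affected software details", 2017 revision)
FIXED_2017 = {(3, 0): 11, (2, 16): 30, (2, 15): 33, (2, 14): 45}
# branch -> first fixed patch level (2015 revision of the advisory)
FIXED_2015 = {(2, 13): 7, (2, 12): 19, (2, 11): 30, (2, 10): 39, (2, 6): 51}


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'dCache 2.16.29-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """'vulnerable' (in a listed affected range), 'fixed' (at or above the
    fixed release for that branch) or 'not listed' (branch not covered by
    this advisory; consult dCache release notes rather than assume safety)."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    for table in (FIXED_2017, FIXED_2015):
        if branch in table:
            return "fixed" if patch >= table[branch] else "vulnerable"
    return "not listed"


def triage(inventory):
    """inventory: {host: version string} -> sorted hosts still vulnerable."""
    return sorted(h for h, v in inventory.items() if assess(v) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts), not real data.
    sample = {
        "door1.example.org": "dCache 2.16.29",  # last vulnerable 2.16 release
        "door2.example.org": "2.16.30-1",       # fixed
        "door3.example.org": "3.0.25",          # version the advisory says is in UMD-4
        "door4.example.org": "2.13.6",          # vulnerable to the 2015 issue
        "door5.example.org": "4.2.0",           # branch not covered by this advisory
    }
    for host, ver in sample.items():
        print(f"{host:20} {ver:15} {assess(ver)}")
    print("needs update:", triage(sample))
```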


Mitigation
==========

N/A 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

This update is in EGI UMD 4.5.0 


Updates are also available on the dCache site [R 1]

Please note the EMI repositories are no longer maintained and may no longer be used.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team. 

TLP and URL
===========

** WHITE information - Unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI, you may 
report it by e-mail to report-vulnerability at egi.eu and the EGI Software Vulnerability 
Group will take a look according to the procedure defined in [R 2].


References
==========

[R 1] https://www.dcache.org/

[R 2] https://documents.egi.eu/public/ShowDocument?docid=2538



Timeline
========
(yyyy-mm-dd)

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, 
           stating they had found and fixed the vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only 
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.
2017-03-17 Paul Millar from the dCache team informed SVG that the vulnerability had 
           been re-introduced and fixed
2017-03-20 dCache team informed some sites using dCache 
2017-08-10 Updated package in UMD.
2017-08-22 Advisory updated, sent to sites, and placed on the wiki



On behalf of the EGI SVG,