Difference between revisions of "SVG:Advisory-SVG-2015-9323"
Line 2 (old revision) / Line 2 (new revision):
<pre>
** WHITE information - Unlimited distribution allowed **

Line 9 (old revision) / Line 11 (new revision):
EGI SVG ADVISORY [EGI-SVG-2015-9323]
Old: Title: EGI SVG Advisory "Moderate" RISK - dCache [EGI-SVG-2015-9323]
New: Title: **UPDATE** EGI SVG Advisory "Moderate" RISK - dCache [EGI-SVG-2015-9323]
Date: 2015-08-24
Old: Updated:
New: Updated: 2015-09-10

Line 22 (old revision) / Line 24 (new revision):
dCache [R 1] is a data storage and retrieval system.
Old: A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" of dCache. No other component is affected.
New: A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door"
New: of dCache. No other component is affected.
A fixed binary version is available on the dCache site. [R 2]
Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is
Old: The fix
New: necessary and sufficient to fix the vulnerability.
New: **UPDATE** The fix is now also available in the EGI UMD as well as the EMI repository.

Line 34 (old revision) / Line 40 (new revision):
=======
New: See the dCache page.

Line 50 (old revision) / Line 56 (new revision):
The releases which fix this issue are are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.
Old: It was noted by the dCache team that several site still run the unsupported 2.6 dCache. Given these sites currently suffer from a Moderate risk vulnerability, dCache have made an additional release: 2.6.51.
New: It was noted by the dCache team that several site still run the unsupported 2.6
New: dCache. Given these sites currently suffer from a Moderate risk vulnerability, dCache
New: have made an additional release: 2.6.51.

Line 69 (old revision) / Line 79 (new revision):
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
New: The update is available in the EMI-3 repository:--
New: http://www.eu-emi.eu/releases/emi-3-monte-
New: bianco/updates/-/asset_publisher/5Na8/content/update-28-26-08-2015-v-3-16-1-1
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
New: **Update**
New: http://repository.egi.eu/2015/09/10/release-umd-3-13-3/
New: The version of dCache which is in this release of the EGI UMD is 2.10.39.

Line 79 (old revision) / Line 105 (new revision):
=================
Old: To give sites time to upgrade their dCache, the dCache team will not release any details
New: Previously:
Old: fix for a 'grace period' of two weeks, as doing so would also reveal information on the vulnerability.
New: To give sites time to upgrade their dCache, the dCache team will not release any
New: details of the vulnerability at this time. This includes not making public the
New: source-code for the fix for a 'grace period' of two weeks, as doing so would also
New: reveal information on the vulnerability.
During this two week grace period, dCache will make no further releases.
Old: Once the grace-period elapses, all code changes will be pushed into github and dCache will
New: Once the grace-period elapses, all code changes will be pushed into github and dCache
Old: continue normal bug-fix release cycles.
New: will continue normal bug-fix release cycles.
New: The SVG hopes that this software can be made available in the UMD before dCache
New: reveals the change to the source code. As this is 'Moderate' rather than a more
New: serious vulnerability is it acceptable if the software is not in the UMD before the
New: source is revealed.
Old: The
New: **Update**: The fix is now in the EGI UMD.

Line 96 (old revision) / Line 135 (new revision):
===============
Old: Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp door.
New: Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp
New: door.
New: **Update**
Old: Sites may wish to update now from the dCache site [R 2], or
New: Sites may wish to update now from the dCache site [R 2], or from the EGI UMD.

Line 121 (old revision) / Line 163 (new revision):
Comments or questions should be sent to svg-rat at mailman.egi.eu
Old: We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome.
New: We are currently revising the vulnerability issue handling procedure so suggestions
New: and comments are welcome.

Line 135 (old revision) / Line 179 (new revision):
2015-08-24 Updated packages available from dCache site - binary release only
2015-08-24 Advisory sent to sites
New: 2015-09-10 Update available in UMD
New: 2015-09-10 Advisory updated.
New: On behalf of the EGI SVG,
</pre>
Revision as of 16:25, 10 September 2015
Advisory-SVG-2015-9323
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-9323]

Title:   **UPDATE** EGI SVG Advisory "Moderate" RISK - dCache [EGI-SVG-2015-9323]
Date:    2015-08-24
Updated: 2015-09-10
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Introduction
============
dCache [R 1] is a data storage and retrieval system.

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door"
of dCache. No other component is affected.

A fixed binary version is available on the dCache site. [R 2]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is
necessary and sufficient to fix the vulnerability.

**UPDATE** The fix is now also available in the EGI UMD as well as the EMI repository.

Details
=======
See the dCache page.

Risk category
=============
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.

Affected software
=================
All dCache versions prior to this patch are affected.

The releases which fix this issue are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.

It was noted by the dCache team that several sites still run the unsupported 2.6
dCache. Given these sites currently suffer from a Moderate risk vulnerability, dCache
have made an additional release: 2.6.51.

Mitigation
==========
N/A

Component installation information
==================================
Updates are available on the dCache site [R 2]

Note that at present the patch is only available from the dCache site.

The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

The update is available in the EMI-3 repository:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/-/asset_publisher/5Na8/content/update-28-26-08-2015-v-3-16-1-1

Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/

**Update**
http://repository.egi.eu/2015/09/10/release-umd-3-13-3/
The version of dCache which is in this release of the EGI UMD is 2.10.39.

Other Information
=================
Previously:

To give sites time to upgrade their dCache, the dCache team will not release any
details of the vulnerability at this time. This includes not making public the
source-code for the fix for a 'grace period' of two weeks, as doing so would also
reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into github and dCache
will continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before dCache
reveals the change to the source code. As this is 'Moderate' rather than a more
serious vulnerability, it is acceptable if the software is not in the UMD before the
source is revealed.

**Update**: The fix is now in the EGI UMD.

Recommendations
===============
Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp
door.

**Update**
Sites may wish to update now from the dCache site [R 2], or from the EGI UMD.

Credit
======
This vulnerability was reported by Paul Millar of the dCache team.

References
==========
[R 1] https://www.dcache.org/
[R 2] https://www.dcache.org/downloads/1.9/

Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions
and comments are welcome.

Timeline
========
Yyyy-mm-dd
2015-08-18 Vulnerability reported by Paul Millar of the dCache team, stating they had
           found and fixed vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software
           providers
2015-08-24 Updated packages available from dCache site - binary release only
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.

On behalf of the EGI SVG,
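The "Affected software" and "Recommendations" sections above give a site everything it needs to decide, per node, whether an upgrade is required: the branch-specific fixed releases (2.13.7, 2.12.19, 2.11.30, 2.10.39 and 2.6.51) and the rule that only nodes hosting a gridftp or kerberos-ftp door are exposed. The script below is an added example, not part of the advisory or of dCache's own tooling; it encodes that decision as a branch-aware version comparison. The door names, the sample inventory, and the treatment of branches the advisory does not name (older unlisted branches reported as having no fix listed, branches newer than 2.13 assumed to carry the fix once it was pushed upstream) are this example's own assumptions.

```python
"""Advisory check for EGI-SVG-2015-9323 (dCache gridftp / kerberos-ftp doors).

Added example, not part of the advisory. The fixed releases are taken from the
advisory's "Affected software" section; everything else is an assumption of
this script.
"""
from __future__ import annotations

import re
from typing import Iterable

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_RELEASES = {
    (2, 13): 7,
    (2, 12): 19,
    (2, 11): 30,
    (2, 10): 39,
    (2, 6): 51,
}

# Only these door types are affected per the advisory. The spelling of the
# door names used in an inventory is an assumption of this example.
AFFECTED_DOORS = {"gridftp", "kerberos-ftp"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; a packaging suffix such as '-1' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised dCache version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_status(text: str) -> str:
    """Classify a dCache version against the advisory's fixed releases.

    'fixed'         at or above the fixed release of a branch the advisory lists
    'affected'      below the fixed release of a listed branch
    'no-fix-listed' branch not named in the advisory (e.g. 2.7, 2.8, 2.9);
                    callers should treat this as affected
    'assumed-fixed' branch newer than any listed one (assumption: later branches
                    inherit the fix once it was pushed upstream)
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return "fixed" if patch >= FIXED_RELEASES[branch] else "affected"
    if branch > max(FIXED_RELEASES):
        return "assumed-fixed"
    return "no-fix-listed"


def node_needs_upgrade(version: str, doors: Iterable[str]) -> bool:
    """True if the node hosts an affected door and runs a non-fixed version."""
    exposed = bool(AFFECTED_DOORS & {d.lower() for d in doors})
    if not exposed:
        return False  # pools, dcap-only doors etc. are out of scope here
    return version_status(version) in ("affected", "no-fix-listed")


# Constructed inventory for demonstration only (hostnames are not real).
SAMPLE_NODES = [
    ("door1.example.org", "2.10.38", ["gridftp", "dcap"]),
    ("door2.example.org", "2.10.39", ["gridftp"]),
    ("legacy.example.org", "2.6.50", ["kerberos-ftp"]),
    ("pool1.example.org", "2.6.50", ["pool"]),
    ("odd.example.org", "2.8.3", ["gridftp"]),
    ("new.example.org", "2.14.0", ["gridftp"]),
]


def report(nodes=SAMPLE_NODES) -> list[tuple[str, str, bool]]:
    """Return (host, version status, needs upgrade) for every node."""
    return [(host, version_status(ver), node_needs_upgrade(ver, doors))
            for host, ver, doors in nodes]


if __name__ == "__main__":
    for host, status, upgrade in report():
        print(f"{host:22} {status:14} {'UPGRADE' if upgrade else 'ok'}")
```

Run it against a real inventory by replacing `SAMPLE_NODES` with the hosts, the version reported by each node's dCache installation, and the door types configured there. The conservative choice in `node_needs_upgrade` is deliberate: a branch with no fixed release listed in this advisory is flagged for upgrade rather than silently passed.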