
Difference between revisions of "SVG:Advisory-SVG-2015-9323"

Previous revision (2015-08-24, updated 2015-09-10)
==================================================

The text below is the earlier revision's content where it differed from the
current revision (reproduced further down); text shared by both revisions is omitted.

<pre>
** WHITE information - Unlimited distribution allowed                      **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG  ADVISORY [EGI-SVG-2015-9323]

Title:      **UPDATE** EGI SVG Advisory "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Introduction
============

dCache [R 1] is a data storage and retrieval system.

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door"
of dCache. No other component is affected.

A fixed binary version is available on the dCache site. [R 2]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is
necessary and sufficient to fix the vulnerability.

**UPDATE** The fix is now also available in the EGI UMD as well as the EMI repository.

Details
=======

See the dCache page.  [R 3]

Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team

Affected software
=================

All dCache versions prior to this patch are affected.

The releases which fix this issue are: 2.13.7, 2.12.19, 2.11.30 and 2.10.39.

It was noted by the dCache team that several sites still run the unsupported 2.6
dCache.  Given these sites currently suffer from a Moderate risk vulnerability, dCache
have made an additional release: 2.6.51.

Component installation information
==================================

Updates are available on the dCache site [R 2]
Note that at present the patch is only available from the dCache site.

The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

The update is available in the EMI-3 repository:
http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/-/asset_publisher/5Na8/content/update-28-26-08-2015-v-3-16-1-1

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

**Update**

http://repository.egi.eu/2015/09/10/release-umd-3-13-3/

The version of dCache which is in this release of the EGI UMD is 2.10.39.

Other Information
=================

Previously:

To give sites time to upgrade their dCache, the dCache team will not release any
details of the vulnerability at this time. This includes not making public the
source-code for the fix for a 'grace period' of two weeks, as doing so would also
reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into github and dCache
will continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before dCache
reveals the change to the source code. As this is 'Moderate' rather than a more
serious vulnerability it is acceptable if the software is not in the UMD before the
source is revealed.

**Update**:  The fix is now in the EGI UMD.

Recommendations
===============

Sites are recommended to update nodes hosting either a gridftp door or kerberos-ftp
door.

**Update**

Sites may wish to update now from the dCache site [R 2], or from the EGI UMD.

Credit
======

This vulnerability was reported by Paul Millar of the dCache team.

References
==========

[R 1] https://www.dcache.org/

[R 2] https://www.dcache.org/downloads/1.9/

[R 3] https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions
and comments are welcome.
</pre>

Revision as of 14:08, 22 August 2017


Advisory-SVG-2015-9323


Title:       **UPDATE - re-introduction** EGI SVG Advisory [TLP:WHITE] "Moderate" RISK - dCache  [EGI-SVG-2015-9323]

Date:        2015-08-24
Updated:     2015-09-10, 2017-08-22

Affected software and risk
==========================

MODERATE risk vulnerability concerning dCache

Package :dCache

The dCache team has reported that an old vulnerability from 2015 concerning the "gridftp 
door" and the "kerberos ftp door" of dCache has been re-introduced.
No other component is affected.


Actions required/recommended
============================

Sites running dCache should check whether they are running a vulnerable version, see 
"Affected software details" below. If they are running a vulnerable version, update in due course. 

Sites running dCache may update nodes hosting either a gridftp door or kerberos-ftp door directly 
from the dCache site if they wish.

**UPDATE 2017-08-11** fixed version is in the UMD 4.0. 
 

More information
=================

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door" 
of dCache. No other component is affected.

Fixed versions are available on the dCache site. [R 1]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary 
and sufficient to fix the vulnerability.


Affected software details
=========================

FIXED versions of dCache:

   3.0.11 (& later)  note version 3.0.25 is now in UMD-4
   2.16.30 (& later)
   2.15.33 (& later)
   2.14.45 (& later)

VULNERABLE versions of dCache:

   3.0.0 .. 3.0.10
   2.16.0 .. 2.16.29
   2.15.0 .. 2.15.32
   2.14.0 .. 2.14.44
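A version check for the lists above, added here as an example and not the advisory's or dCache's own tooling: it classifies a dCache version string against the FIXED and VULNERABLE ranges per branch, and reports branches the advisory does not list (such as the unsupported 2.13 series) rather than guessing. The host names and versions in the sample inventory are constructed.

```python
"""Classify dCache versions against the ranges listed in EGI-SVG-2015-9323
(2017-08-22 revision).  Added example; not part of the advisory or of dCache."""

from typing import Dict, Optional, Tuple

# (major, minor) branch -> first fixed patch level, exactly as listed under
# "Affected software details".  Each VULNERABLE range is the same branch from
# .0 up to the patch level just below the fix.
FIRST_FIXED: Dict[Tuple[int, int], int] = {
    (3, 0): 11,
    (2, 16): 30,
    (2, 15): 33,
    (2, 14): 45,
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; a package suffix such as '-1' or '.el7'
    after the three numeric fields is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised dCache version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not covered' for one version string.
    Branches the advisory does not list are reported as 'not covered' rather
    than guessed at; they are out of support and belong on a listed fixed release."""
    major, minor, patch = parse_version(text)
    fix: Optional[int] = FIRST_FIXED.get((major, minor))
    if fix is None:
        return "not covered"
    return "fixed" if patch >= fix else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for a {host: version} inventory of door nodes."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory of gridftp / kerberos-ftp door hosts.
    sample = {
        "gridftp-door1.example.org": "3.0.10",
        "gridftp-door2.example.org": "3.0.25",
        "krbftp-door.example.org": "2.16.29-1",
        "gridftp-door3.example.org": "2.14.45",
        "legacy-door.example.org": "2.13.7",
    }
    for host, verdict in sorted(triage(sample).items()):
        print(f"{host}: {verdict}")
```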


Mitigation
==========

N/A 


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/

This update is in EGI UMD 4.5.0 


Updates are also available on the dCache site [R 1]


Credit
======

This vulnerability was reported by Paul Millar of the dCache team. 

TLP and URL
===========

** WHITE information - Unlimited distribution                               **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323



Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may 
report it by e-mail to report-vulnerability at egi.eu; the EGI Software Vulnerability 
Group will take a look according to the procedure defined in [R 2].


References
==========

[R 1] https://www.dcache.org/

[R 2] https://documents.egi.eu/public/ShowDocument?docid=2538



Timeline  
========
Yyyy-mm-dd

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, 
           stating they had found and fixed vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only 
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.
2017-03-17 Paul Millar from the dCache team informed SVG that vulnerability has 
           been re-introduced and fixed
2017-03-20 dCache team informed some sites using dCache 
2017-08-10 Updated package in UMD.
2017-08-22 Advisory updated, sent to sites, and placed on the wiki



On behalf of the EGI SVG,