Difference between revisions of "SVG:Advisory-SVG-2015-9323"
Revision as of 14:08, 22 August 2017
Advisory-SVG-2015-9323
Title: **UPDATE - re-introduction** EGI SVG Advisory [TLP:WHITE] "Moderate" RISK - dCache [EGI-SVG-2015-9323]

Date: 2015-08-24
Updated: 2015-09-10, 2017-08-22

Affected software and risk
==========================

MODERATE risk vulnerability concerning dCache

Package: dCache

The dCache team has reported that an old vulnerability from 2015 concerning the "gridftp
door", and in the "kerberos ftp door" of dCache has been re-introduced.

No other component is affected.

Actions required/recommended
============================

Sites running dCache should check whether they are running a vulnerable version, see
"Affected software details" below. If they are running a vulnerable version update in due course.

Sites running dCache may update nodes hosting either a gridftp door or kerberos-ftp door directly
from the dCache site if they wish.

**UPDATE 2017-08-11** fixed version is in the UMD 4.0.

More information
================

A vulnerability has been found in the "gridftp door", and in the "kerberos ftp door"
of dCache. No other component is affected.

Fixed versions are available on the dCache site. [R 1]

Upgrading all dCache nodes that host either a gridftp or kerberos-ftp door is necessary
and sufficient to fix the vulnerability.

Affected software details
=========================

FIXED versions of dCache:

3.0.11 (& later) note version 3.0.25 is now in UMD-4
2.16.30 (& later)
2.15.33 (& later)
2.14.45 (& later)

VULNERABLE versions of dCache:

3.0.0 .. 3.0.10
2.16.0 .. 2.16.29
2.15.0 .. 2.15.32
2.14.0 .. 2.14.44

Mitigation
==========

N/A

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/

This update is in EGI UMD 4.5.0

Updates are also available on the dCache site [R 1]

Credit
======

This vulnerability was reported by Paul Millar of the dCache team.

TLP and URL
===========

** WHITE information - Unlimited distribution **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9323

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may
report it by e-mail to

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look according to the procedure defined in [R 2]

References
==========

[R 1] https://www.dcache.org/
[R 2] https://documents.egi.eu/public/ShowDocument?docid=2538

Timeline
========

Yyyy-mm-dd

2015-08-18 Vulnerability reported by Paul Millar of the dCache team, stating they had found and fixed vulnerability but not released the patch
2015-08-18 Acknowledgement from the EGI SVG to the reporter
2015-08-20 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-24 Updated packages available from dCache site - binary release only
2015-08-24 Advisory sent to sites
2015-09-10 Update available in UMD
2015-09-10 Advisory updated.
2017-03-17 Paul Millar from the dCache team informed SVG that vulnerability has been re-introduced and fixed
2017-03-20 dCache team informed some sites using dCache
2017-08-10 Updated package in UMD.
2017-08-22 Advisory updated, sent to sites, and placed on the wiki

On behalf of the EGI SVG,
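A version check for the ranges listed under "Affected software details", written here as an added example rather than code from the advisory or the dCache project. It assumes the installed version is available either as a bare x.y.z string or as an RPM package name, and treats release branches the advisory does not list as unknown rather than as safe.

```python
"""Check a dCache version string against the ranges in EGI-SVG-2015-9323."""
import re

# Lowest fixed patch level per release branch, copied from the advisory's
# "Affected software details" section. Branches not listed here are not
# covered by the advisory.
FIXED_PATCH = {
    (3, 0): 11,
    (2, 16): 30,
    (2, 15): 33,
    (2, 14): 45,
}


def parse_version(text):
    """Return (major, minor, patch) for the first x.y.z in text, else None.

    Assumption (not from the advisory): the string is either a bare version
    such as "3.0.10" or an RPM name such as "dcache-3.0.10-1.noarch".
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify as 'vulnerable', 'fixed' or 'unknown'.

    'unknown' covers unparsable strings and branches the advisory does not
    list (for example 2.13.x or 3.1.x); those need a separate check against
    the dCache site rather than an assumption either way.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"
    # Every listed branch is vulnerable from .0 up to one below the fix.
    return "vulnerable" if patch < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not real site inventory.
    for sample in ["dcache-3.0.10-1.noarch", "3.0.25", "2.16.29",
                   "2.14.45", "2.13.50", "unknown-build"]:
        print(sample, "->", assess(sample))
```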