Difference between revisions of "SVG:Advisory-SVG-2015-9495"
Jump to navigation
Jump to search
Line 3: | Line 3: | ||
<pre> | <pre> | ||
** WHITE information - Unlimited distribution allowed ** | |||
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** | |||
EGI SVG ADVISORY [EGI-SVG-2015-9495] | |||
Title: **UPDATE*** EGI SVG Advisory 'High' RISK - Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495] | |||
Date: 2015-09-22 | |||
Updated: 2015-09-30, 2015-10-26 | |||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9495 | |||
Introduction | |||
============ | |||
dCache [R 1] is a data storage and retrieval system. | |||
A vulnerability has been found in the dCache SRM server module by the dCache team, who also alerted SVG to this problem. | |||
A fixed binary version is available on the dCache site [R 2]. | |||
**UPDATE** | |||
A fixed version is now available in the EGI UMD. | |||
Details | |||
======= | |||
See the dCache page. [R 1] | |||
Risk category | |||
============= | |||
This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. | |||
Affected software | |||
================= | |||
All dCache versions prior to this patch are affected. | |||
The releases which fix this issue are are: | |||
2.13.9 | |||
2.12.21 | |||
2.11.32 | |||
2.10.41 | |||
2.6.52 | |||
It was noted by the dCache team that several site still run the unsupported 2.6 dCache. Given these sites currently suffer from a High risk vulnerability, dCache have made an additional release: 2.6.52 | |||
Mitigation | |||
========== | |||
N/A. | |||
Component installation information | |||
================================== | |||
Updates are available on the dCache site [R 2] | |||
Release notes are available at the dCache site. | |||
https://www.dcache.org/downloads/1.9/release-notes-2.13.shtml | |||
https://www.dcache.org/downloads/1.9/release-notes-2.12.shtml | |||
https://www.dcache.org/downloads/1.9/release-notes-2.11.shtml | |||
https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml | |||
https://www.dcache.org/downloads/1.9/unsupported/release-notes-2.6.shtml | |||
The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). | |||
Sites using the EGI UMD 3 should see: | |||
http://repository.egi.eu/category/umd_releases/distribution/umd-3/ | |||
**UPDATE** | |||
UMD 3.13.4 has been released and contains the fix for this issue at: | |||
http://repository.egi.eu/2015/09/29/release-umd-3-13-4/ | |||
Other Information | |||
================== | |||
To give sites time to upgrade their dCache, the dCache team will not release any details of the vulnerability at this time. This includes not making public the source-code for the fix for a 'grace period' of two weeks, as doing so would also reveal information on the vulnerability. | |||
During this two week grace period, dCache will make no further releases. | |||
Once the grace-period elapses, all code changes will be pushed into github and dCache will continue normal bug-fix release cycles. | |||
**UPDATE** | |||
A fixed version is now available in the EGI UMD | |||
Recommendations | |||
=============== | |||
Sites are recommended to update the SRM head node component as soon as possible if they have not done so already. | |||
Credit | |||
====== | |||
This vulnerability was discovered by Gerd Behrmann (NDGF) from the dCache team. | |||
References | |||
========== | |||
[R 1] https://www.dcache.org/ | |||
[R 2] https://www.dcache.org/downloads/1.9/ | |||
Comments | |||
======== | |||
Comments or questions should be sent to svg-rat at mailman.egi.eu | |||
We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. | |||
Timeline | |||
======== | |||
Yyyy-mm-dd | |||
2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the dCache team reported to SVG by Patrick Fuhrmann. | |||
2015-09-15 Acknowledgement from the EGI SVG to the reporter | |||
2015-09-18 Assessment by the EGI Software Vulnerability Group reported to the software providers. | |||
2015-09-22 Updated packages available on the dCache site. | |||
2015-09-29 Updated packages available in EGI UMD 3 | |||
2015-09-30 Updated advisory sent to sites | |||
2015-10-26 Advisory placed on public wiki | |||
</pre> | </pre> |
Revision as of 15:47, 26 October 2015
Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2015-9495
** WHITE information - Unlimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2015-9495] Title: **UPDATE*** EGI SVG Advisory 'High' RISK - Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495] Date: 2015-09-22 Updated: 2015-09-30, 2015-10-26 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9495 Introduction ============ dCache [R 1] is a data storage and retrieval system. A vulnerability has been found in the dCache SRM server module by the dCache team, who also alerted SVG to this problem. A fixed binary version is available on the dCache site [R 2]. **UPDATE** A fixed version is now available in the EGI UMD. Details ======= See the dCache page. [R 1] Risk category ============= This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team. Affected software ================= All dCache versions prior to this patch are affected. The releases which fix this issue are are: 2.13.9 2.12.21 2.11.32 2.10.41 2.6.52 It was noted by the dCache team that several site still run the unsupported 2.6 dCache. Given these sites currently suffer from a High risk vulnerability, dCache have made an additional release: 2.6.52 Mitigation ========== N/A. Component installation information ================================== Updates are available on the dCache site [R 2] Release notes are available at the dCache site. https://www.dcache.org/downloads/1.9/release-notes-2.13.shtml https://www.dcache.org/downloads/1.9/release-notes-2.12.shtml https://www.dcache.org/downloads/1.9/release-notes-2.11.shtml https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml https://www.dcache.org/downloads/1.9/unsupported/release-notes-2.6.shtml The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). Sites using the EGI UMD 3 should see: http://repository.egi.eu/category/umd_releases/distribution/umd-3/ **UPDATE** UMD 3.13.4 has been released and contains the fix for this issue at: http://repository.egi.eu/2015/09/29/release-umd-3-13-4/ Other Information ================== To give sites time to upgrade their dCache, the dCache team will not release any details of the vulnerability at this time. This includes not making public the source-code for the fix for a 'grace period' of two weeks, as doing so would also reveal information on the vulnerability. During this two week grace period, dCache will make no further releases. Once the grace-period elapses, all code changes will be pushed into github and dCache will continue normal bug-fix release cycles. **UPDATE** A fixed version is now available in the EGI UMD Recommendations =============== Sites are recommended to update the SRM head node component as soon as possible if they have not done so already. Credit ====== This vulnerability was discovered by Gerd Behrmann (NDGF) from the dCache team. References ========== [R 1] https://www.dcache.org/ [R 2] https://www.dcache.org/downloads/1.9/ Comments ======== Comments or questions should be sent to svg-rat at mailman.egi.eu We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. Timeline ======== Yyyy-mm-dd 2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the dCache team reported to SVG by Patrick Fuhrmann. 2015-09-15 Acknowledgement from the EGI SVG to the reporter 2015-09-18 Assessment by the EGI Software Vulnerability Group reported to the software providers. 2015-09-22 Updated packages available on the dCache site. 2015-09-29 Updated packages available in EGI UMD 3 2015-09-30 Updated advisory sent to sites 2015-10-26 Advisory placed on public wiki