Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:General Advisory Template"

From EGIWiki
Jump to navigation Jump to search
 
(36 intermediate revisions by 3 users not shown)
Line 2: Line 2:


<pre>
<pre>
<2021-01-04>
Dates for 2021>
<2020-03-10>
Include Creative Commons Licence for [WHITE]
<Most cases 'ADVISORY' >
<4 Options>
< ‘HEADS UP’ – Sites may be asked to do something urgently soon.
      Usually only for vulnerabilities which may be a ‘Critical’>
< ‘ADVISORY’ – Sites normally instructed to do something
    The Commonest type of mail, e.g. update when vulnerability fixed in software>
< ‘ALERT’ – Sites should be aware
This may be important to you, you may want to take action. Often ask for feedback
e.g. If any site is aware that any of these or other vulnerabilities presents a serious problem to EGI, please inform the EGI SVG. >
< ‘INFORMATION’ – to inform sites of something
E.g. if a well talked about vulnerability is not relevant>
< E-mail title - as Title > 


<add or delete sections as needed>
<add or delete sections as needed>
<add any information required, template is to help, not rigid>
< Fill in advisory number, title, date, and URL>
< Only upload if 'WHITE'> 
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...) if available>
< Title should include software affected>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject, and on the wiki, but not included in mail itself. >
< The date section should only be included on the wiki>
< So then the e-mail title starts with the type of notification, then TLP followed by affected software and risk> 
Title:      EGI SVG 'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > if
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>] 
Date:        <date  yyyy-mm-dd> <1st released>
Updated:    <date  yyyy-mm-dd>
Affected software and risk
==========================


< Choose proper TLP color >
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package>
** WHITE information - Unlimited distribution allowed                      **  or
 
** GREEN information - Community wide distribution                          ** or
Package :<Name of package>
** AMBER information - Limited distribution                                ** or
CVE ID :<Include CVE's if present>
** RED information - Personal for Named Recipients Only                    **
Bug ID :<Any identifier by package provider if applicable>


** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
<A few sentences describing the problem > <It was found that SillySoftware exposes users to
unhealthy levels of  cute cat pictures. Dog lovers are not at risk. The exposure is present in
versions up to 11.>




< Fill in advisory number, title, date, and URL(if WHITE)>
Actions required/recommended
< Title should be prepended by the RISK rating (e. g., CRITICAL, HIGH, ...)>
============================
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well>


<as appropriate e.g.>


EGI CSIRT ADVISORY [EGI-ADV-yyyymmdd] or
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.>
EGI SVG  ADVISORY [EGI-SVG-yyyymmdd]


Title:      <Title RISK - refer to any CVE number and include name software [EGI-ADV-YYYYMMDD]
<Sites running xxx are required to urgently apply vendor kernel updates.>
<Sites running yyy are required to urgently install new version>


>
<Sites are recommended to update relevant components as soon as it is convenient>
Date:        <date  yyyy-mm-dd>
Updated:    <date  yyyy-mm-dd>


<Put on Wiki for WHITE information only>
<(For critical) All running resources MUST be either patched or have mitigation
in place or software removed by yyyy-mm-dd  00:00 UTC


URL:        https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/<xxx>-yyyy-mm-dd  or
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. >
URL:        https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<yyyy>-<number>  


Introduction
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a Friday or
============
common public holiday, make it the first working day after people are expected back>


<Describe the reason for the issuing of this advisory - paragraph 3-5 sentences >  
<If  high and may become critical>


< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>  
<Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure
this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch within 7 days or risk suspension. >


<this could include - e.g. updated as patch available>


<include cve- number if one has been issued>  
<Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure
then please inform EGI SVG.>


<include EGI RT number for SVG/UMD issues>
Component installation information
==================================


The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).


Sites using the EGI UMD 4 should see:


Details
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
=======




<describe the problem, something about why it occurs, and the effect on sites>
XXX is now (also) available in EPEL


https://fedoraproject.org/wiki/EPEL


<take care not to release anything useful to an attacker, unless it is already public,
especially if you are sending it in WHITE>


<this should not be long>
<e.g. patch not yet available>


<e.g. patch available from vendor for x system but not y>


<e.g. pointer to UMD release >


Risk Category
OR
=============


<This issue has been assess as Critical/High/Moderate/Low risk by the EGI CSIRT and/or EGI SVG
<refer to wlcg repository http://linuxsoft.cern.ch/wlcg/ >
Risk Assessment Team as appropriate> 
<if critical - include critical in title and e-mail title>


OR


Affected Software
<References to appropriate other software.>
=================


<e.g. which version(s) of Linux are effected>
OR


<e.g. which middleware component is effected within  gLite/ARC/Unicore/Globus/Other>
<List vendors who have already announced patches with references>




Line 82: Line 131:
==========
==========


<Describe mitigation to carry out - this may be to run a script>
<If appropriate - Describe mitigation to carry out - this may be to run a script>


< If possible, include either a script and/or include command lines>
< If possible, include either a script and/or include command lines>


< or refer to vendors mitivation>
Affected software details
=========================
<This can be omitted if the situation is sufficiently simple to include version info in the
affected software and risk. For example this may be included if it is quite complex which versions
of e.g. Linux are affected.>
<e.g. which version(s) of Linux are effected>
<e.g. which middleware component is effected within  gLite/ARC/Unicore/Globus/Other>
More information
================
<Describe the reason for the issuing of this advisory> 
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.>
<this could include - e.g. updated as patch available>
<include cve- number if one has been issued>
<describe the problem, something about why it occurs, and the effect on sites>
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.>
TLP and URL
===========


Component Installation information
< Choose proper TLP color >
==================================


<e.g. patch not yet available>
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***   


<e.g. patch available from vendor for x system but not y>


<e.g. pointer to UMD release >
                 
or


** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


Recommendations
or
===============
                        **  or
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** 


<as appropriate e.g.>
or


<Immediately apply the mitigation described above to all user-accessible systems.>
** RED information - Personal for Named Recipients Only -  see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


<Immediately apply vendor kernel updates when they become available.>
<Put on Wiki for WHITE information only>


<List vendors who have already announced patches>
<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd  (2 weeks later). There may be other reasons why not public. >


<Apply new version in EGI UMD>
URL:  https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number>  or
URL:  https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID>   


<Sites are recommended to update relevant components.>
Minor updates may be made without re-distribution to the sites




<(For critical) All running resources MUST be either patched or otherwise have a
Comments
work-around in place by yyyy-mm-dd  T21:00+01:00.
========


<7 calendar days - but if the date falls on a Friday, weekend, or common public holiday,
Comments or questions should be sent to svg-rat  at  mailman.egi.eu
make it the first working day after people are expected back>


If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to 


Credit
report-vulnerability at egi.eu
======
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R X] 


This vulnerability was reported by <if applicable - person who discovers vulnerability>
Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.




Line 134: Line 222:
<any other info on the problem>
<any other info on the problem>


<Useful skeletons>
< NVD  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-nnnn >
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-nnnn  >


Timeline <probably SVG/EGI UMD issues only>
< Red Hat https://access.redhat.com/security/cve/CVE-2021-nnnn >
 
< https://www.scientificlinux.org/category/sl-errata/ >
 
< CentOS https://lists.centos.org/pipermail/centos-announce/ >
 
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2021-nnnn.html >
 
< Debian https://security-tracker.debian.org/tracker/CVE-2021-nnnn >
 
 
[R X] https://documents.egi.eu/public/ShowDocument?docid=3145
 
Credit
======
 
This vulnerability was reported by <if applicable - person who discovers vulnerability>
 
or
 
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>
 
 
Timeline 
========
========
Yyyy-mm-dd
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>]
 
2021-??-?? Vulnerability reported by <name1>  or SVG alerted to this issue by <name1>
2021-??-?? Acknowledgement from the EGI SVG to the reporter
2021-??-?? (if appropriate) Software providers responded and involved in investigation
2021-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2021-??-?? EGI SVG Risk Assessment completed
2021-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported to the software providers
2021-??-?? Updated packages available <in the EGI UMD/other location>
2021-??-?? Advisory/Alert sent to sites
2021-??-?? Public disclosure
 
 
Context
=======


2011-??-?? Vulnerability reported by <name1> WE NEED TO ASK HIM/HER BEFORE PUTTING HIS/HER NAME
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
2011-??-?? Acknowledgement from the EGI SVG to the reporter
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
2011-??-?? Software providers responded and involved in investigation
2011-??-?? Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-??-?? Updated packages available <in the EGI UMD/other location>
2011-??-?? Public disclosure


The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R X]  in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used. 


For [WHITE] information:--


-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited.
-----------------------------


On behalf of the <EGI CSIRT / EGI CSIRT and SVG / EGI SVG  as appropriate>  ,


For [GREEN] and [AMBER] informatin:--
-----------------------------
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
------------------------------
Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.
On behalf of the EGI SVG,




</pre>
</pre>


{{svg-rat-info}}
{{svg-rat-info}}
{{svg-issue-views}}
{{svg-issue-views}}

Latest revision as of 11:33, 24 February 2021

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

General Advisory Template



<2021-01-04>

Dates for 2021> 

<2020-03-10>

Include Creative Commons Licence for [WHITE] 

<Most cases 'ADVISORY' >

<4 Options>

< ‘HEADS UP’ – Sites may be asked to do something urgently soon. 
       Usually only for vulnerabilities which may be a ‘Critical’>
< ‘ADVISORY’ – Sites normally instructed to do something
    The Commonest type of mail, e.g. update when vulnerability fixed in software>
< ‘ALERT’ – Sites should be aware
This may be important to you, you may want to take action. Often ask for feedback
e.g. If any site is aware that any of these or other vulnerabilities presents a serious problem to EGI, please inform the EGI SVG. >
< ‘INFORMATION’ – to inform sites of something
E.g. if a well talked about vulnerability is not relevant>


< E-mail title - as Title >  

<add or delete sections as needed>
<add any information required, template is to help, not rigid>

< Fill in advisory number, title, date, and URL>
< Only upload if 'WHITE'>  
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...) if available>
< Title should include software affected>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject, and on the wiki, but not included in mail itself. >
< The date section should only be included on the wiki> 
< So then the e-mail title starts with the type of notification, then TLP followed by affected software and risk>   
 

Title:       EGI SVG 'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > if 
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>]  

Date:        <date  yyyy-mm-dd> <1st released>
Updated:     <date  yyyy-mm-dd>


Affected software and risk
==========================

<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package>

Package :<Name of package>
CVE ID  :<Include CVE's if present>
Bug ID  :<Any identifier by package provider if applicable>

<A few sentences describing the problem > <It was found that SillySoftware exposes users to 
unhealthy levels of  cute cat pictures. Dog lovers are not at risk. The exposure is present in 
versions up to 11.>


Actions required/recommended
============================

<as appropriate e.g.>

<Sites are required to immediately apply the mitigation described below to all user-accessible systems.>

<Sites running xxx are required to urgently apply vendor kernel updates.>
 
<Sites running yyy are required to urgently install new version>

<Sites are recommended to update relevant components as soon as it is convenient>

<(For critical) All running resources MUST be either patched or have mitigation
in place or software removed by yyyy-mm-dd  00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. >

<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a Friday or 
common public holiday, make it the first working day after people are expected back>

<If  high and may become critical>

<Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure 
this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch within 7 days or risk suspension. >


<Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure 
then please inform EGI SVG.>

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 4 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-4/


XXX is now (also) available in EPEL

https://fedoraproject.org/wiki/EPEL


<e.g. patch not yet available>

<e.g. patch available from vendor for x system but not y>

<e.g. pointer to UMD release >

OR

<refer to wlcg repository http://linuxsoft.cern.ch/wlcg/ >

OR 

<References to appropriate other software.> 

OR 

<List vendors who have already announced patches with references>


Mitigation
==========

<If appropriate - Describe mitigation to carry out - this may be to run a script>

< If possible, include either a script and/or include command lines>

< or refer to vendors mitivation> 



Affected software details
=========================

<This can be omitted if the situation is sufficiently simple to include version info in the 
affected software and risk. For example this may be included if it is quite complex which versions 
of e.g. Linux are affected.>

<e.g. which version(s) of Linux are effected>

<e.g. which middleware component is effected within  gLite/ARC/Unicore/Globus/Other>


More information
================

<Describe the reason for the issuing of this advisory>  

< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> 

<this could include - e.g. updated as patch available> 

<include cve- number if one has been issued> 

<describe the problem, something about why it occurs, and the effect on sites>

<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> 



TLP and URL
===========

< Choose proper TLP color >

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***    


                   
or 

** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

or 
                         **  or
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  

or

** RED information - Personal for Named Recipients Only -  see 
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

<Put on Wiki for WHITE information only>

<(If not public and High or Critical) - This advisory will be placed on the wiki on or after yyyy-mm-dd  (2 weeks later). There may be other reasons why not public. >

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number>  or
URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID>    

Minor updates may be made without re-distribution to the sites


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look according to the procedure defined in [R X]  

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era. 


References
==========

<Any references to the vulnerability> 
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>

<Useful skeletons>

< NVD  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-nnnn >

< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-nnnn  >

< Red Hat https://access.redhat.com/security/cve/CVE-2021-nnnn >

< https://www.scientificlinux.org/category/sl-errata/ >

< CentOS  https://lists.centos.org/pipermail/centos-announce/ >

< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2021-nnnn.html > 

< Debian https://security-tracker.debian.org/tracker/CVE-2021-nnnn > 


[R X] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

This vulnerability was reported by <if applicable - person who discovers vulnerability>

or

SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-<year>-<RT-number>] 

2021-??-?? Vulnerability reported by <name1>  or SVG alerted to this issue by <name1>
2021-??-?? Acknowledgement from the EGI SVG to the reporter
2021-??-?? (if appropriate) Software providers responded and involved in investigation
2021-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) 
2021-??-?? EGI SVG Risk Assessment completed
2021-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported to the software providers 
2021-??-?? Updated packages available <in the EGI UMD/other location> 
2021-??-?? Advisory/Alert sent to sites
2021-??-?? Public disclosure


Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose 
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R X]  in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.   

For [WHITE] information:--

-----------------------------
This advisory is subject to the Creative commons licence https://creativecommons.org/licenses/by/4.0/ and the EGI https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------


For [GREEN] and [AMBER] informatin:-- 

-----------------------------
Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
------------------------------

Note that the SVG issue handling procedure is currently under review, to take account of the increasing inhomogeneity of the EGI infrastructure and the services in the EOSC-hub catalogue.

On behalf of the EGI SVG,



| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |

| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |