Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:General Advisory Template"

From EGIWiki
Jump to navigation Jump to search
Line 7: Line 7:
E-mail title - as Title   
E-mail title - as Title   


<add or delete sections as needed>
<add or delete sections as needed >


< Choose proper TLP color >
< Choose proper TLP color >
Line 75: Line 75:
=============
=============


This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk  
This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk Assessment Team  
 
Assessment Team  





Revision as of 17:42, 7 January 2016

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

General Advisory Template



(Revised 7th January 2016)

E-mail title - as Title   

<add or delete sections as needed >

< Choose proper TLP color >

** WHITE information - Unlimited distribution allowed                       **  or
** GREEN information - Community wide distribution                          **  or
** AMBER information - Limited distribution                                 **  or
** RED information - Personal for Named Recipients Only                     **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


< Fill in advisory number, title, date, and URL(if WHITE)>
< Title should include the RISK rating (e. g., CRITICAL, HIGH, ...)>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject as well>


EGI SVG   ADVISORY [EGI-SVG-CVE-<year>-<number>]  if CVE available

EGI SVG   ADVISORY [EGI-SVG-<date of report>-<SW abbreviation>]  

Title:       EGI SVG Advisory <risk> RISK - <refer to any CVE number and include name of 
software  [EGI-SVG-CVE-<year>-<number>]  if CVE available or [EGI-SVG-<date of report>-<SW abbreviation>]  

Date:        <date  yyyy-mm-dd> <1st released>
Updated:     <date  yyyy-mm-dd>

<Put on Wiki for WHITE information only>
<For other - This advisory will be placed on the wiki on or after yyyy-mm-dd>


URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-<year>-<number>
URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<date of report>-<SW abbreviation>

Introduction
============

<Describe the reason for the issuing of this advisory - paragraph 3-5 sentences > 

< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> 

<this could include - e.g. updated as patch available> 

<include cve- number if one has been issued> 

<include EGI RT number for SVG/UMD issues>



Details
=======


<describe the problem, something about why it occurs, and the effect on sites>


<take care not to release anything useful to an attacker, unless it is already public, 
especially if you are sending it in WHITE>

<this should not be long>

<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> 


Risk category
=============

This issue has been assessed as Critical/High/Moderate/Low risk by the EGI SVG Risk Assessment Team 


Affected software
=================

<e.g. which version(s) of Linux are effected>

<e.g. which middleware component is effected within  gLite/ARC/Unicore/Globus/Other>


Mitigation
==========

<Describe mitigation to carry out - this may be to run a script>

< If possible, include either a script and/or include command lines>


Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

Sites who wish to install directly from the EMI release should see: 


http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/


OR

Please note that XXX is no longer maintained in the EMI repository.


XXX is now also available in EPEL

https://fedoraproject.org/wiki/EPEL



<e.g. patch not yet available>

<e.g. patch available from vendor for x system but not y>

<e.g. pointer to UMD release >


OR 

References to appropriate other software. 

OR 

List vendors who have already announced patches with references


Recommendations
===============

<as appropriate e.g.>

<Immediately apply the mitigation described above to all user-accessible systems.>

<Immediately apply vendor kernel updates when they become available.>

<Apply new version in EGI UMD>

<Sites are recommended to update relevant components.>


<(For critical) All running resources MUST be either patched or have mitigation
in place by yyyy-mm-dd  T21:00+01:00. 

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk 

site suspension. 

<7 calendar days - but if the date falls on a Friday or common public holiday, 
make it the first working day after people are expected back>


Credit
======

This vulnerability was reported by <if applicable - person who discovers vulnerability>

or

SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability>


References
==========

<Any references to the vulnerability> 
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>

Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu



Timeline  
========
Yyyy-mm-dd

2016-??-?? Vulnerability reported by <name1>  or SVG alerted to this issue by <name1>
2016-??-?? Acknowledgement from the EGI SVG to the reporter
2016-??-?? (if appropriate) Software providers responded and involved in investigation
2016-??-?? Investigation of vulnerability and relevance to EGI carried out by (as appropriate) 
2016-??-?? EGI SVG Risk Assessment completed
2016-??-?? (if appropriate)Risk Reported to the Software Providers
2016-??-?? Updated packages available <in the EGI UMD/other location> 
2016-??-?? Advisory/Alert sent to sites
2016-??-?? Public disclosure


On behalf of the EGI SVG,


| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |

| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |