The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
Difference between revisions of "SVG:General Advisory Template"
Jump to navigation
Jump to search
(reflect recent advisory wordings and order of sections) |
|||
| Line 3: | Line 3: | ||
<pre> | <pre> | ||
< 2017-01-12 updated dates for 2017, added some 'skeleton' references > | |||
< E-mail title - as Title > | < E-mail title - as Title > | ||
| Line 13: | Line 15: | ||
< Title should include software affected> | < Title should include software affected> | ||
< If applicable, a CVE number or the like should be included > | < If applicable, a CVE number or the like should be included > | ||
< The title should be used as mail subject, and on the wiki, but not included in mail itself. > | < The title should be used as mail subject, and on the wiki, but not included in mail | ||
itself. > | |||
< The date should only be used on the wiki too > | < The date should only be used on the wiki too > | ||
< So then the e-mail starts with the TLP followed by affected software and risk. | < So then the e-mail starts with the TLP followed by affected software and risk. | ||
Title: EGI SVG Advisory [TLP:<Choose TLP colour>]<RISK> risk <cve, software, other info > if | Title: EGI SVG Advisory [TLP:<Choose TLP colour>]<RISK> risk <cve, software, | ||
other info > if | |||
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>] | CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>] | ||
| Line 34: | Line 40: | ||
Bug ID :<Any identifier by package provider if applicable> | Bug ID :<Any identifier by package provider if applicable> | ||
<A few sentences describing the problem > <It was found that SillySoftware exposes users to | <A few sentences describing the problem > <It was found that SillySoftware exposes | ||
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is present in | |||
users to | |||
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is | |||
present in | |||
versions up to 11.> | versions up to 11.> | ||
| Line 44: | Line 54: | ||
<as appropriate e.g.> | <as appropriate e.g.> | ||
<Sites are required to immediately apply the mitigation described below to all user-accessible systems.> | <Sites are required to immediately apply the mitigation described below to all user- | ||
accessible systems.> | |||
<Sites running xxx are required to urgently apply vendor kernel updates.> | <Sites running xxx are required to urgently apply vendor kernel updates.> | ||
| Line 55: | Line 67: | ||
in place or software removed by yyyy-mm-dd 00:00 UTC | in place or software removed by yyyy-mm-dd 00:00 UTC | ||
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. > | Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk | ||
site suspension. > | |||
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a | |||
Friday or | |||
common public holiday, make it the first working day after people are expected back> | common public holiday, make it the first working day after people are expected back> | ||
| Line 64: | Line 80: | ||
========================= | ========================= | ||
<This can be omitted if the situation is sufficiently simple to include version info in the | <This can be omitted if the situation is sufficiently simple to include version info in | ||
affected software and risk. For example this may be included if it is quite complex which versions | |||
the | |||
affected software and risk. For example this may be included if it is quite complex | |||
which versions | |||
of e.g. Linux are affected.> | of e.g. Linux are affected.> | ||
| Line 78: | Line 98: | ||
<Describe the reason for the issuing of this advisory> | <Describe the reason for the issuing of this advisory> | ||
< A vulnerability has been found in <xxx> software which is part of the <yyy> distribution.> | < A vulnerability has been found in <xxx> software which is part of the <yyy> | ||
distribution.> | |||
<this could include - e.g. updated as patch available> | <this could include - e.g. updated as patch available> | ||
| Line 86: | Line 108: | ||
<describe the problem, something about why it occurs, and the effect on sites> | <describe the problem, something about why it occurs, and the effect on sites> | ||
<In the case of announced vulnerabilities, simply a reference to the SW provider's info may be sufficient.> | <In the case of announced vulnerabilities, simply a reference to the SW provider's info | ||
may be sufficient.> | |||
| Line 92: | Line 116: | ||
========== | ========== | ||
<Describe mitigation to carry out - this may be to run a script> | <If appropriate - Describe mitigation to carry out - this may be to run a script> | ||
< If possible, include either a script and/or include command lines> | < If possible, include either a script and/or include command lines> | ||
< or refer to vendors mitivation> | |||
| Line 141: | Line 167: | ||
< Choose proper TLP color > | < Choose proper TLP color > | ||
** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | ** WHITE information - Unlimited distribution - see | ||
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | |||
distribution restrictions*** | distribution restrictions*** | ||
or | or | ||
** GREEN information - Community wide distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP | ** GREEN information - Community wide distribution - see | ||
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP | |||
for distribution restrictions ** | for distribution restrictions ** | ||
or | or | ||
** or | ** or | ||
** AMBER information - Limited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | ** AMBER information - Limited distribution - see | ||
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for | |||
distribution restrictions ** | distribution restrictions ** | ||
| Line 160: | Line 192: | ||
<Put on Wiki for WHITE information only> | <Put on Wiki for WHITE information only> | ||
<(If not public and High or Critical) - This advisory will be placed on the wiki on or | <(If not public and High or Critical) - This advisory will be placed on the wiki on or | ||
yyyy-mm-dd (2 weeks later). There may be other reasons why not public. > | after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. > | ||
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or | URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or | ||
| Line 175: | Line 207: | ||
Comments or questions should be sent to svg-rat at mailman.egi.eu | Comments or questions should be sent to svg-rat at mailman.egi.eu | ||
If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to | If you find or become aware of a vulnerability which is relevant to EGI you may report | ||
it by e-mail to | |||
report-vulnerability at egi.eu | report-vulnerability at egi.eu | ||
| Line 190: | Line 224: | ||
<any other info on the problem> | <any other info on the problem> | ||
<Useful skeletons> | |||
< NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-nnnn > | |||
< https://www.scientificlinux.org/> | |||
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-nnnn > | |||
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2017-nnnn.html > | |||
< Debian https://security-tracker.debian.org/tracker/CVE-2017-nnnn > | |||
< CentOS https://lists.centos.org/ > | |||
< Red Hat https://access.redhat.com/security/cve/CVE-2017-nnnn > | |||
[R X] https://documents.egi.eu/public/ShowDocument?docid=2538 | |||
Credit | Credit | ||
| Line 198: | Line 251: | ||
or | or | ||
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a vulnerability> | SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a | ||
vulnerability> | |||
| Line 205: | Line 260: | ||
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>] | Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>] | ||
2017-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1> | |||
2017-??-?? Acknowledgement from the EGI SVG to the reporter | |||
2017-??-?? (if appropriate) Software providers responded and involved in investigation | |||
2017-??-?? Investigation of vulnerability and relevance to EGI carried out by (as | |||
appropriate) | |||
2017-??-?? EGI SVG Risk Assessment completed | |||
2017-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported | |||
to the software providers | |||
2017-??-?? Updated packages available <in the EGI UMD/other location> | |||
2017-??-?? Advisory/Alert sent to sites | |||
2017-??-?? Public disclosure | |||
| Line 222: | Line 281: | ||
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities" | "To minimize the risk to the EGI infrastructure arising from software vulnerabilities" | ||
The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R | The risk is that assessed by the group, according to the EGI SVG issue handling | ||
procedure [R X] in the context of how the software is used in the EGI infrastructure. | |||
It is the opinion of the group, we do not guarantee it to be correct. The risk may also | |||
be higher or lower in other deployments depending on how the software is used. | |||
Others may re-use this information provided they:- | Others may re-use this information provided they:- | ||
| Line 233: | Line 298: | ||
On behalf of the EGI SVG, | On behalf of the EGI SVG, | ||
Revision as of 14:28, 12 January 2017
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
General Advisory Template
< 2017-01-12 updated dates for 2017, added some 'skeleton' references >
< E-mail title - as Title >
<add or delete sections as needed>
< Fill in advisory number, title, date, and URL(if WHITE)>
< Title should include the RISK rating (e. g. CRITICAL, HIGH, ...)>
< Title should include software affected>
< If applicable, a CVE number or the like should be included >
< The title should be used as mail subject, and on the wiki, but not included in mail
itself. >
< The date should only be used on the wiki too >
< So then the e-mail starts with the TLP followed by affected software and risk.
Title: EGI SVG Advisory [TLP:<Choose TLP colour>]<RISK> risk <cve, software,
other info > if
CVE [EGI-SVG-<cve>] else [EGI-SVG-<year>-<RT-number>]
Date: <date yyyy-mm-dd> <1st released>
Updated: <date yyyy-mm-dd>
Affected software and risk
==========================
<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability concerning <software/package>
Package :<Name of package>
CVE ID :<Include CVE's if present>
Bug ID :<Any identifier by package provider if applicable>
<A few sentences describing the problem > <It was found that SillySoftware exposes
users to
unhealthy levels of cute cat pictures. Dog lovers are not at risk. The exposure is
present in
versions up to 11.>
Actions required/recommended
============================
<as appropriate e.g.>
<Sites are required to immediately apply the mitigation described below to all user-
accessible systems.>
<Sites running xxx are required to urgently apply vendor kernel updates.>
<Sites running yyy are required to urgently install new version>
<Sites are recommended to update relevant components as soon as it is convenient>
<(For critical) All running resources MUST be either patched or have mitigation
in place or software removed by yyyy-mm-dd 00:00 UTC
Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk
site suspension. >
<7 calendar days - plus whatever it takes to get to 00:00 - but if the date falls on a
Friday or
common public holiday, make it the first working day after people are expected back>
Affected software details
=========================
<This can be omitted if the situation is sufficiently simple to include version info in
the
affected software and risk. For example this may be included if it is quite complex
which versions
of e.g. Linux are affected.>
<e.g. which version(s) of Linux are effected>
<e.g. which middleware component is effected within gLite/ARC/Unicore/Globus/Other>
More information
================
<Describe the reason for the issuing of this advisory>
< A vulnerability has been found in <xxx> software which is part of the <yyy>
distribution.>
<this could include - e.g. updated as patch available>
<include cve- number if one has been issued>
<describe the problem, something about why it occurs, and the effect on sites>
<In the case of announced vulnerabilities, simply a reference to the SW provider's info
may be sufficient.>
Mitigation
==========
<If appropriate - Describe mitigation to carry out - this may be to run a script>
< If possible, include either a script and/or include command lines>
< or refer to vendors mitivation>
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
Please note the EMI repositories are no longer maintained.
XXX is now (also) available in EPEL
https://fedoraproject.org/wiki/EPEL
<e.g. patch not yet available>
<e.g. patch available from vendor for x system but not y>
<e.g. pointer to UMD release >
OR
<References to appropriate other software.>
OR
<List vendors who have already announced patches with references>
TLP and URL
===========
< Choose proper TLP color >
** WHITE information - Unlimited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for
distribution restrictions***
or
** GREEN information - Community wide distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP
for distribution restrictions **
or
** or
** AMBER information - Limited distribution - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for
distribution restrictions **
or
** RED information - Personal for Named Recipients Only - see
https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
<Put on Wiki for WHITE information only>
<(If not public and High or Critical) - This advisory will be placed on the wiki on or
after yyyy-mm-dd (2 weeks later). There may be other reasons why not public. >
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<year>-<RT-number> or
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-<CVE ID>
Minor updates may be made without re-distribution to the sites
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may report
it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
References
==========
<Any references to the vulnerability>
<refer to any public disclosure>
<e.g. Linux vendors info>
<any other info on the problem>
<Useful skeletons>
< NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-nnnn >
< https://www.scientificlinux.org/>
< http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-nnnn >
< Ubuntu http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2017-nnnn.html >
< Debian https://security-tracker.debian.org/tracker/CVE-2017-nnnn >
< CentOS https://lists.centos.org/ >
< Red Hat https://access.redhat.com/security/cve/CVE-2017-nnnn >
[R X] https://documents.egi.eu/public/ShowDocument?docid=2538
Credit
======
This vulnerability was reported by <if applicable - person who discovers vulnerability>
or
SVG was alerted to this vulnerability by <if applicable - person who alerts SVG to a
vulnerability>
Timeline
========
Yyyy-mm-dd [EGI-SVG-<year>-<RT-number>]
2017-??-?? Vulnerability reported by <name1> or SVG alerted to this issue by <name1>
2017-??-?? Acknowledgement from the EGI SVG to the reporter
2017-??-?? (if appropriate) Software providers responded and involved in investigation
2017-??-?? Investigation of vulnerability and relevance to EGI carried out by (as
appropriate)
2017-??-?? EGI SVG Risk Assessment completed
2017-??-?? (if appropriate)Assessment by the EGI Software Vulnerability Group reported
to the software providers
2017-??-?? Updated packages available <in the EGI UMD/other location>
2017-??-?? Advisory/Alert sent to sites
2017-??-?? Public disclosure
Context
=======
This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose
"To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R X] in the context of how the software is used in the EGI infrastructure.
It is the opinion of the group, we do not guarantee it to be correct. The risk may also
be higher or lower in other deployments depending on how the software is used.
Others may re-use this information provided they:-
1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
On behalf of the EGI SVG,
| RAT Issue Handling Instructions | RAT Issue Handling Templates | RAT Issue Handling Templates contd | SVG-CSIRT Critical Notes | Advisory Template |
| Issue Handling Summary | Reporters | SVG View | Software Providers | EGI MW Unit | Deployment | Notes on Risk |