Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @

EGI CSIRT:Alerts/dCache-2011-03-30

From EGIWiki
Jump to navigation Jump to search

** WHITE information - Unlimited distribution allowed                       **
** see for distribution restrictions **

Title:        Critical Vulnerability detected in dCache Admin Web Interface
Date:        date  2011-03-30

Updated:      2011-04-08, 2011-04-19


A vulnerability has been found in the dCache Admin Web Interface software which is part of the dCache distribution.
dCache is one of the Mass Storage Systems commonly used in EGI production environment [R1] 

A specially constructed http request, sent to the dCache admin web interface, allows unauthenticated remote users 
to read arbitrary files on the host where the dCache server httpdDomain is running, with 'root' privileges. 
The access is read-only. Creating, modifying or executing files is not possible. The pnfs/Chimera-file system is not affected.

Risk Category
This issue has been assessed as 'Critical' risk by the EGI CSIRT and EGI SVG Risk Assessment Team  

Affected Software
Components : dCache server
Subcomponent : httpdDomain
Service : dCache Admin Web Server
Since : since ever

Releases : all supported dCache server releases *prior* to:
Note that the version released/to be released in EMI is not affected. 
Information available at [R2]

Component Installation information
Currently software updates are available  from the dcache web-site [R1] - 
instructions are available in [R 2].

Sites using 
1.9.5  should update to and above (e.g. those installed from gLite)            
1.9.10 should update to  1.9.10-7 and above
1.9.11 should update to  1.9.11-4 and above 

EMI - Will include 1.9.5 -25 therefore a fixed version will be in EMI.

Note, it is only necessary to  upgrade the node running the httpdDomain.

Updated 2011-04-07:

Updated version is now available in gLite for gLite 3.2/ 

gLite 3.2:

Release details may be found at

1. Only allow access to the dCache admin web interface (Port 2288) to 
dedicated trusted hosts, using appropriate local firewall settings.

2. Run the httpdDomain as non-root where possible.

3. Run an apache webserver in front of the dCache admin interface with access 
control enabled, which will completely block unauthorized access to the dCache 
admin web server.

Detailed information on how to implement 2. and 3. are available in [R2]

In addition, on the hosts that have been running the admin interface exposed 
to the Internet it is recommended to change all passwords, keys, etc on that 
machine, and carefully check the logs for signs of intrusions like unexpected 
logins, etc.

Update the affected dCache component or apply  the mitigation steps stated 

Other information
As a basic security best practice, it is strongly recommended to restrict 
access to the admin web interface with a firewall also after the security 

EGI-CSIRT will enforce 7-day deadline, failing to act the deadline might lead 
to site suspension. 

All affected resources must either update the affected dCache component or apply  
the mitigation actions stated above, by:

       ***2011-04-07 22:00 CEST (20:00 GMT)***

Updated 2011-04-07 

Updated version of the software is now available from gLite. Sites should update their nodes
supporting httpdDomain as soon as possible, if they have not done so already.

Updating to the latest release is the only way to full resolve the vulnerabilities, sites can 
either upgrade (preferred) or take the mitigation measures now and upgrade later. 

This vulnerability was reported by Patrick Furhmann (dCache).


2011-03-23 	Vulnerability reported by Patrick Fuhrmann (dCache). 

2011-03-25 	Vulnerability Assessed as 'Critical' by the EGI SVG RAT and EGI-

2011-03-25 	Assessment by the EGI Software Vulnerability Group reported to 
the software  providers and packaging team. 

2011-03-30	EGI-CSIRT advisory issued asking sites to either carry out 
                mitigating action, or to upgrade from the dCache web page.

2011-04-07      Updated Version available in gLite.
2011-04-08      Sites informed by CSIRT of availability of updated version in gLite.
2011-04-19      Public disclosure by release of advisory on web.