|Main page||Software Security Checklist||Issue Handling||Advisories||Notes On Risk||Advisory Template||More|
** WHITE information - unimited distribution allowed ** ** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ** EGI SVG ADVISORY [EGI-SVG-2012-2683] Title: "High" Risk: DPM SQL injection vulnerability Date: 2013-02-08 Updated: 2013-02-19 URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2012-2683 Introduction ============ Multiple SQL injection vulnerabilities has been found in DPM (Disk Pool Manager) A new version of DPM which resolves these vulnerabilities is now available in the in the EMI-1 and EMI-2 distributions. This advisory is updated as this new version is now available in EGI UMD-1 and EGI UMD-2. Details ======= Insufficient input validation in parts of the DPM code allow an authenticated user to inject arbitrary SQL commands via the DPM headnode. This could result in unauthorised modification of DPM metadata or, depending on the privileges of the DPM SQL user, the creation of files on the DPM SQL server. The issue was originally assessed as 'Low' risk but some time later an exploit was demonstrated and it was re-assessed as 'High' risk. Risk Category ============= This issue has been assessed as "High" risk by the EGI SVG Risk Assessment Team Affected Software ================= DPM versions up to and including DPM 1.8.5 are affected. This vulnerability has been fixed in DPM 1.8.6 as available in EMI 1 Update 23 and EMI 2 Update 8. The package has also been released in EGI UMD-1 Release 1.10.0 http://repository.egi.eu/2013/02/19/release-umd-1-10-0/ and UMD-2 Release 2.4.0 http://repository.egi.eu/2013/02/18/release-umd-2-4-0/ Mitigation ========== No mitigation is recommended. Component Installation information ================================== The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). http://repository.egi.eu/category/umd_releases/distribution/umd_1/ http://repository.egi.eu/category/umd_releases/distribution/umd-2/ Sites installing directly from EMI should see: http://www.eu-emi.eu/emi-2-matterhorn/updates/ http://www.eu-emi.eu/emi-1-kebnekaise-updates/ Recommendations =============== Sites are recommended to update their software as soon as possible. Credit ====== This vulnerability was originally reported by Adam Zabrocki. A serious exploit was demonstrated by Leif Nixon after which the Risk was re-assessed as 'High'. References ========== Timeline ======== Yyyy-mm-dd 2011-08-03 Vulnerability reported by Adam Zabrocki 2011-08-03 Acknowledgement from the EGI SVG to the reporter 2011-08-03 Software providers responded and involved in investigation 2011-09-06 Assessment by the EGI Software Vulnerability Group reported to the software providers (Low risk) 2012-11-13 Re-assessed as 'High' risk after exploit demonstrated by Leif Nixon. 2013-01-28 Updated packages available in the EMI distribution 2013-02-08 Advisory sent as 'Amber' information as past Target Date and sites installing directly from EMI should be made aware of this. 2013-02-19 Updated packages available in the EGI UMD-1 and EGI UMD-2 2013-03-05 Public disclosure on wiki, after allowing sites to upgrade.