** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2011-3202]

Title:   'Low' RISK - L&B servers not being checked properly
Date:    2013-02-25
Updated:
URL:     https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2011-3202

Introduction
============

A vulnerability has been found in the gLite Logging and Bookkeeping (L&B) client: although the validity of the server's X509 certificate is checked properly, the identity of the server presenting it is not properly checked. This has been resolved in the version of L&B available in EGI UMD 2, EMI 2, EGI UMD 1 and EMI 1.

Details
=======

A vulnerability has been found in the gLite Logging and Bookkeeping client: although the validity of the server's X509 certificate is checked properly, the identity of the server presenting it is not properly checked against the server the client intended to contact.

This vulnerability exists but is difficult to exploit, difficult to gain anything from an exploit, and probably not exploitable without being traceable.

Risk Category
=============

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team.

Affected Software
=================

Logging and Bookkeeping version 3.0.12 and earlier.

This is resolved in Logging and Bookkeeping version 3.2.9.

Sites wishing to ensure they have a fixed version should look for glite-lbjp-common-gss-3.1.3 or later.

This is included in UMD version UMD 2.1.0.
This is included in UMD version UMD 1.10.0.

Component Installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu, which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-2/
http://repository.egi.eu/category/umd_releases/distribution/umd_1/

Sites installing directly from EMI should see:

http://www.eu-emi.eu/emi-2-matterhorn/updates/
http://www.eu-emi.eu/emi-1-kebnekaise-updates/

Recommendations
===============

Sites are recommended to update their systems in due course if they are not already running a version of Logging and Bookkeeping in which this issue is resolved.

Credit
======

This vulnerability was reported by Daniel Kouril.

References
==========

Timeline
========

Yyyy-mm-dd
2011-11-29 Vulnerability reported by Daniel Kouril
2011-11-29 Acknowledgement from the EGI SVG to the reporter
2011-12-29 Software providers responded and involved in investigation
2011-12-02 Assessment by the EGI Software Vulnerability Group reported to the software providers
2012-08-06 Updated packages available in the EGI UMD-2
2012-12-17 SVG checked the status with the developers, as no progress had been reported. Found to have been resolved in August for EGI UMD 2, but not yet for EGI UMD 1, so decided to wait until fully resolved as 'Low' risk.
2013-02-25 Confirmed that it is now resolved in UMD-1
2013-02-25 Public disclosure

This is a placeholder for Vulnerability issue 3202. The advisory has not been publicly released yet.
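The class of flaw in the Details section, shown as an added illustration that is not code from the advisory or from L&B: a client that consults only chain validity accepts any certificate a trusted CA has issued, whereas the corrected check also requires the certificate's identity to match the intended server. All hostnames and certificate dicts are constructed samples, shaped like the dicts Python's ssl.SSLSocket.getpeercert() returns.

```python
# Added illustration, not code from the EGI advisory or from L&B itself.
# Hostnames and certificate contents are constructed samples.

def cert_names(cert):
    """Identities a certificate claims: SAN dNSName entries, falling back to
    the subject commonName only when the certificate carries no DNS SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive comparison; a wildcard is honoured only as the whole
    leftmost label (*.example.org) and never spans more than one label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def identity_matches(cert, expected_host):
    """True only if some name in the certificate is the host we meant to reach."""
    return any(name_matches(n, expected_host) for n in cert_names(cert))

def vulnerable_accepts(cert, chain_valid, expected_host):
    """The behaviour the advisory describes: chain validity alone decides,
    so a certificate for any host signed by a trusted CA is accepted."""
    return chain_valid

def fixed_verdict(cert, chain_valid, expected_host):
    """The corrected check: chain validity AND server identity."""
    if not chain_valid:
        return "rejected: certificate chain invalid"
    if not identity_matches(cert, expected_host):
        return "rejected: certificate not issued for " + expected_host
    return "accepted"

# Constructed sample: a valid certificate for the intended L&B server.
LB_CERT = {"subject": ((("commonName", "lb.example.org"),),),
           "subjectAltName": (("DNS", "lb.example.org"),)}
# Constructed sample: equally valid (same CA), but issued to a different host.
OTHER_CERT = {"subject": ((("commonName", "other.example.org"),),),
              "subjectAltName": (("DNS", "other.example.org"), ("DNS", "*.other.example.net"))}
# Constructed sample: an older certificate with no SAN, identity in the CN only.
CN_ONLY_CERT = {"subject": ((("countryName", "XX"),), (("commonName", "lb.example.org"),))}
```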