SVG:Advisory-SVG-2011-504

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members

Advisory-SVG-2011-504


Updated 26th January 2012 - Patch available on 24th January 2012 for gLite 3.2.

** WHITE information - Unlimited distribution allowed        **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP  for distribution restrictions **

EGI SVG  ADVISORY [EGI-SVG-2011-504] 

Title:       APEL publisher vulnerability - 'Low' RISK 
Date:        2011-11-18
Updated:     2011-12-21
Updated:     2012-01-24
Updated      2012-01-26

Introduction
============

A  vulnerability has been found in the APEL accounting publisher software, which may allow 
users to make a copy of the host key of the system on which APEL is running. 

This problem has been resolved in the EGI UMD and EMI distributions released. 

This advisory is updated as it is now also resolved in gLite3.2. 

Details
=======

There is a file permission problem in APEL which may allow users to make a copy of the host 
key, this is only a problem if APEL is co-located on another service accessible by the 
user, such as a CE.


Risk Category
=============

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team 


Affected Software
=================

For EMI/UMD versions
-------------------- 

APEL-publisher versions earlier than version. 3.2.8, containing 
glite-apel-publisher-2.0.16-0, are affected.  

APEL-publisher version. 3.2.8, containing glite-apel-publisher-2.0.16-0 
provides the fix for this issue.

The Fixed version is available in 

UMD 1.4 (or later) 

EMI EMI 1 (Kebnekaise) - Update 10 (24.11.2011)

gLite 3.2  
---------

APEL-publisher versions earlier than glite-apel-publisher-2.0.13-8 are affected
glite-apel-publisher-2.0.13-8 provides the fix for this issue.

This is available from:

http://glite.cern.ch/security_updates 

Update 2

Mitigation
==========

If APEL is co-located with another service  (e.g. a CE) then sites may wish to 
check and change the file permission on the /etc/grid-security/ keystore if necessary.

This should be carried out by sites who are not planning to upgrade shortly.


Component Installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distrbution (UMD).

Sites using the EGI UMD should see:

http://repository.egi.eu/2011/12/19/apel-publisher-3-2-8/


Sites installing directly from EMI may upgrade directly from EMI if they  haven't done so already see: 

EMI-1 site http://www.eu-emi.eu/emi-1-kebnekaise, details of this item are at:

http://www.eu-emi.eu/emi-1-kebnekaise-updates/-/asset_publisher/Ir6q/content/update-10-24-11-2011#APEL_publisher_v_3_2_8_task_2390


gLite 3.2:

gLite 3.2 Security Update 2 available from 
http://glite.cern.ch/security_updates




Recommendations
===============

Sites installing from the EGI UMD or directly from EMI should update their sites in due course.  

Sites installing gLite 3.2 should update in due course.

If sites are have APEL co-located with another service they should consider upgrading soon 
or following the Mitigation.


Other information
=================

This advisory has been updated on 24th January 2012 and made public as the problem is now 
also resolved in gLite 3.2. 

Credit
======

This vulnerability was reported by Valentin Vidic and later independently by Jan Astalos.



Timeline  
========
Yyyy-mm-dd

2010-11-15 Vulnerability reported by Valentin Vidic
2010-11-15 Acknowlegement from the EGI SVG to the reporter
2010-11-15 Software providers responded and involved in investigation
2010-11-23 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-10-12 Issue found and reported again independently by Jan Astalos
2011-11-24 Updated packages available in EMI   
2011-12-19 Updated version in EGI UMD.
2011-12-21 Advisory distributed to site and NGI security contacts. 
2012-01-24 Advisory updated and uploaded to web page as it is now also resolved in gLite 3.2
2012-01-26 Update to correct Affected software EMI/UMD version and gLite 3.2 version of 
           gLite publisher




Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox
Print/export