Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


Updated 26th January 2012 - Patch available on 24th January 2012 for gLite 3.2.

** WHITE information - Unlimited distribution allowed        **  

** see  for distribution restrictions **


Title:       APEL publisher vulnerability - 'Low' RISK 
Date:        2011-11-18
Updated:     2011-12-21
Updated:     2012-01-24
Updated      2012-01-26


A  vulnerability has been found in the APEL accounting publisher software, which may allow 
users to make a copy of the host key of the system on which APEL is running. 

This problem has been resolved in the EGI UMD and EMI distributions released. 

This advisory is updated as it is now also resolved in gLite3.2. 


There is a file permission problem in APEL which may allow users to make a copy of the host 
key, this is only a problem if APEL is co-located on another service accessible by the 
user, such as a CE.

Risk Category

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team 

Affected Software

For EMI/UMD versions

APEL-publisher versions earlier than version. 3.2.8, containing 
glite-apel-publisher-2.0.16-0, are affected.  

APEL-publisher version. 3.2.8, containing glite-apel-publisher-2.0.16-0 
provides the fix for this issue.

The Fixed version is available in 

UMD 1.4 (or later) 

EMI EMI 1 (Kebnekaise) - Update 10 (24.11.2011)

gLite 3.2  

APEL-publisher versions earlier than glite-apel-publisher-2.0.13-8 are affected
glite-apel-publisher-2.0.13-8 provides the fix for this issue.

This is available from: 

Update 2


If APEL is co-located with another service  (e.g. a CE) then sites may wish to 
check and change the file permission on the /etc/grid-security/ keystore if necessary.

This should be carried out by sites who are not planning to upgrade shortly.

Component Installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distrbution (UMD).

Sites using the EGI UMD should see:

Sites installing directly from EMI may upgrade directly from EMI if they  haven't done so already see: 

EMI-1 site, details of this item are at:

gLite 3.2:

gLite 3.2 Security Update 2 available from


Sites installing from the EGI UMD or directly from EMI should update their sites in due course.  

Sites installing gLite 3.2 should update in due course.

If sites are have APEL co-located with another service they should consider upgrading soon 
or following the Mitigation.

Other information

This advisory has been updated on 24th January 2012 and made public as the problem is now 
also resolved in gLite 3.2. 


This vulnerability was reported by Valentin Vidic and later independently by Jan Astalos.


2010-11-15 Vulnerability reported by Valentin Vidic
2010-11-15 Acknowlegement from the EGI SVG to the reporter
2010-11-15 Software providers responded and involved in investigation
2010-11-23 Assessment by the EGI Software Vulnerability Group reported to the software providers
2011-10-12 Issue found and reported again independently by Jan Astalos
2011-11-24 Updated packages available in EMI   
2011-12-19 Updated version in EGI UMD.
2011-12-21 Advisory distributed to site and NGI security contacts. 
2012-01-24 Advisory updated and uploaded to web page as it is now also resolved in gLite 3.2
2012-01-26 Update to correct Affected software EMI/UMD version and gLite 3.2 version of 
           gLite publisher