From EGIWiki
Jump to: navigation, search
Main page Issue Handling RAT Membership Documents Meetings Assessment Secure Coding Advisories Notes On Risk Advisory Template


** WHITE information - unimited distribution allowed                        **

** see for distribution restrictions **


Title:       "High" Risk: DPM SQL injection vulnerability
Date:        2013-02-08
Updated:     2013-02-19



Multiple SQL injection vulnerabilities has been found in DPM (Disk Pool Manager)

A new version of DPM which resolves these vulnerabilities is now available 
in the in the EMI-1 and EMI-2 distributions.

This advisory is updated as this new version is now available in 
EGI UMD-1 and EGI UMD-2. 


Insufficient input validation in parts of the DPM code allow an authenticated 
user to inject arbitrary SQL commands via the DPM headnode.  This could result 
in unauthorised modification of DPM metadata or, depending on the privileges 
of the DPM SQL user, the creation of files on the DPM SQL server.

The issue was originally assessed as 'Low' risk but some time later an exploit 
was demonstrated and it was re-assessed as 'High' risk. 

Risk Category

This issue has been assessed as "High" risk by the EGI SVG Risk Assessment Team

Affected Software

DPM versions up to and including DPM 1.8.5 are affected.

This vulnerability has been fixed in DPM 1.8.6 as available 
in EMI 1 Update 23 and EMI 2 Update 8.

The package has also been released in EGI UMD-1  
Release 1.10.0

and UMD-2 Release 2.4.0


No mitigation is recommended.

Component Installation information

The official repository for the distribution of grid middleware for EGI sites 
is which contains the EGI Unified Middleware Distribution (UMD).

Sites installing directly from EMI should see:


Sites are recommended to update their software as soon as possible. 


This vulnerability was originally reported by  Adam Zabrocki. 
A serious exploit was demonstrated by Leif Nixon after which the Risk was 
re-assessed as 'High'.



2011-08-03 Vulnerability reported by Adam Zabrocki
2011-08-03 Acknowledgement from the EGI SVG to the reporter
2011-08-03 Software providers responded and involved in investigation
2011-09-06 Assessment by the EGI Software Vulnerability Group reported to the
           software providers (Low risk)
2012-11-13 Re-assessed as 'High' risk after exploit demonstrated by Leif Nixon.
2013-01-28 Updated packages available in the EMI distribution
2013-02-08 Advisory sent as 'Amber' information as past Target Date and sites
           installing directly from EMI should be made aware of this.
2013-02-19 Updated packages available in the EGI UMD-1 and EGI UMD-2 
2013-03-05 Public disclosure on wiki, after allowing sites to upgrade.

Personal tools