
** WHITE information - Unlimited distribution allowed                       ** 
** see for distribution restrictions  **
Title:       CREAM Axis2 configuration file permissions [EGI-ADV-20130322]

Date:        2013-03-22
Updated:     2013-04-09

The default installation of glite-ce-yaim-cream-ce creates a configuration file which contains 
Axis2 administration credentials. This file is created with insecure permissions. 

This advisory is updated as the software has been fixed in both the EMI 2 distribution 
and the EGI UMD 2.
The file $CATALINA_HOME/webapps/ce-cream/WEB-INF/conf/axis2.xml contains userName and 
password parameters. The password is randomly generated when the CREAM RPM is installed. 
By default the axis2.xml configuration file is world readable. An authenticated user could 
access this file and subsequently use these credentials to administer the Axis service. 
Existing components could be disabled or new components uploaded. 
(Updated on 8th April 2013) 

Updated RPMS are now available. 

We strongly recommend sites update with the new version, especially if they have not already 
carried out the mitigation action below. 

This advisory continues to be distributed under the AMBER TLP restriction, and will be made 
public in 2 weeks. 
Risk Category
This issue has been assessed as 'HIGH' risk by the EGI CSIRT and EGI SVG. 
Affected Software
This has been confirmed in the version of CREAM which ships with UMD/EMI2.

This is fixed in the following files:

CREAM 1.14.4, CEMon 1.14.1 (*.noarch.rpm) 

This is fixed in EMI 2 Update 10 and UMD release 2.4.1 

The group ownership and permissions on this file should be changed to prevent 
authenticated users gaining access to this file.
On SL5
chgrp tomcat /var/lib/tomcat5/webapps/ce-cream/WEB-INF/conf/axis2.xml
chmod 640 /var/lib/tomcat5/webapps/ce-cream/WEB-INF/conf/axis2.xml
On SL6
chgrp tomcat /var/lib/tomcat6/webapps/ce-cream/WEB-INF/conf/axis2.xml
chmod 640 /var/lib/tomcat6/webapps/ce-cream/WEB-INF/conf/axis2.xml
We also recommend you change your Axis2 password in the event it has already been 
Generate a new password using "openssl rand -base64 15" and modify the password parameter
in axis2.xml accordingly.
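As an added example (not part of this advisory or of the CREAM/glite packages), the following POSIX shell functions check whether an axis2.xml still carries the insecure permissions, apply the chgrp/chmod mitigation above, and replace the password parameter with a freshly generated value. They assume GNU-style "stat -c" and "sed -i" and that the service group (default "tomcat") exists on the host; the file paths are the ones listed above, and any sample axis2.xml content used to exercise them is constructed.

```shell
#!/bin/sh
# Added example for the EGI-ADV-20130322 mitigation; not the advisory's own script.
# Assumes GNU coreutils (stat -c '%a' / '%G') and GNU sed (-i).

# axis2_conf_status FILE [GROUP]
# Returns 0 only when FILE belongs to GROUP, is not group-writable and is not
# readable, writable or executable by "other". Prints each problem found.
axis2_conf_status() {
    file=$1; group=${2:-tomcat}; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    mode=$(stat -c '%a' "$file")          # e.g. 644, 640 or 2640 (setgid)
    other=$(( 0${mode} & 07 ))            # low octal digit: "other" bits
    grp=$(( (0${mode} >> 3) & 07 ))       # next octal digit: "group" bits
    if [ "$other" -ne 0 ]; then
        echo "world-accessible (mode $mode): $file"; rc=1
    fi
    if [ $(( grp & 02 )) -ne 0 ]; then
        echo "group-writable (mode $mode): $file"; rc=1
    fi
    if [ "$(stat -c '%G' "$file")" != "$group" ]; then
        echo "group is not $group: $file"; rc=1
    fi
    return $rc
}

# harden_axis2_conf FILE [GROUP]
# Applies the advisory's mitigation (chgrp GROUP; chmod 640) and re-checks.
harden_axis2_conf() {
    file=$1; group=${2:-tomcat}
    chgrp "$group" "$file" && chmod 640 "$file" || return 1
    axis2_conf_status "$file" "$group"
}

# current_axis2_password FILE
# Prints the value of the Axis2 <parameter name="password"> element.
current_axis2_password() {
    sed -n 's|.*<parameter name="password">\([^<]*\)</parameter>.*|\1|p' "$1"
}

# rotate_axis2_password FILE [NEWPASS]
# Replaces the password parameter in place. NEWPASS defaults to the advisory's
# generator, "openssl rand -base64 15"; the new value is never printed.
rotate_axis2_password() {
    file=$1
    new=${2:-$(openssl rand -base64 15)}
    [ -n "$new" ] || return 1
    # the base64 alphabet contains neither '|' nor '&', so this sed is safe
    sed -i "s|\(<parameter name=\"password\">\)[^<]*\(</parameter>\)|\1${new}\2|" "$file"
}
```

Typical use on an SL6 node: harden_axis2_conf /var/lib/tomcat6/webapps/ce-cream/WEB-INF/conf/axis2.xml && rotate_axis2_password /var/lib/tomcat6/webapps/ce-cream/WEB-INF/conf/axis2.xml, then restart the service so the new credentials take effect.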
This issue also affects glite-ce-cream-es and glite-ce-monitor. Similar mitigations should 
be performed on these files, if applicable.
The axis2.xml files are located at
Component installation information
Updates are now available.

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD should see:

For information on this release see:

Sites installing directly from EMI should see:

Sites are recommended to update to the latest version, urgently if they have not 
already carried out the mitigation action above.

This vulnerability was reported by Simon Fayer from Imperial College, London

2013-03-19 Vulnerability reported by Simon Fayer
2013-03-19 Acknowledgement from the EGI SVG to the reporter
2013-03-20 Software providers responded and involved in investigation
2013-03-22 Assessment by the EGI Software Vulnerability Group reported to the 
           software providers
2013-03-22 Mitigating action recommended to sites and sent as 'Amber'
2013-04-05 Updated packages available in the EGI UMD
2013-04-09 Updated advisory issued
2013-04-29 Public disclosure