Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @


From EGIWiki
Jump to navigation Jump to search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


** AMBER information - Limited distribution                                 **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Critical' RISK - CVMFS root exploit  

Date:        2013-08-14
Updated:     2013-09-26 (Placed on wiki)

Information will be placed on the public wiki in 2 weeks. 



A vulnerability has been found in CVMFS where a user can gain root access.

This was fixed by the CVMFS team, reported to SVG and announced to the 
'CVMFS talk' list on 13th August 2013

EGI SVG is sending this advisory to ensure all sites running CVMFS are 
aware of the problem, in case some sites using CVMFS do not subscribe to 
the CVMFS talk list and to inform of the risk category.   

Sites running CVMFS should upgrade immediately. 


A vulnerability has been found in CVMFS where a user can gain root access.
The bug is in the CVMFS clients, which allows a local user to gain root access.

Risk category

This issue has been assessed as 'Critical' risk by the EGI SVG Risk Assessment Team 

Affected software

Versions of CVMFS prior to 2.1.13 and 2.0.21 are vulnerable. 

cvmfs-2.1.14 and CernVM-FS 2.0.22 are the versions which sites are recommended to run. 

(Note that cvmfs 2.1.13 and 2.0.21 introduced another bug which affected atlas and 
possibly other VOs. This was quickly fixed in cvmfs-2.1.14)

Component installation information

Sites using CVMFS should see the CVMFS portal


Sites running CVMFS should update immediately 

All running resources MUST be either patched or otherwise have a work-around 
in place by 2013-08-21  T21:00+01:00. Sites failing to act and/or failing to 
respond to requests from the EGI CSIRT team risk site suspension. 


This vulnerability was discovered by Dmitrijus Bugelskis from CERN who reported 
it to Remi Mollon in the CERN security Team. 
Remi Mollon then forwarded the information to the CVMFS team and the EGI Software 
Vulnerability Group. 
The fixed version was provided by Jakob Blomer from the CVMFS team at CERN. 


[R 1]


2013-08-?? Vulnerability discovered by Dmitrijus Bugelskis
2013-08-13 Remi Mollon from the CERN security team alerted EGI SVG
2013-08-13 Jakob Blomer of the CVMFS team provided a fix 
2013-08-13 Jakob Blomer alerted cvmfs-talk list to the vulnerability and fix
2013-08-14 Acknowledgement from the EGI SVG 
2013-08-14 Advisory drafted  
2013-08-14 Risk Assessment by the EGI Software Vulnerability Group 
2013-08-14 Advisory sent to sites and NGI security contacts.
2013-09-26 Public disclosure