The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
SVG:Advisory-SVG-2013-6052
Jump to navigation
Jump to search
| Main page | Software Security Checklist | Issue Handling | Advisories | Notes On Risk | Advisory Template | More |
Advisory-SVG-2013-6052
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2013-6052]
Title: EGI SVG Advisory 'Moderate' RISK - PerfSONAR web interface vulnerabilities
[EGI-SVG-2013-6052]
Date: 2014-08-05
Updated:
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2013-6052
Introduction
============
Web interface vulnerabilities have been found in PerfSONAR.
These have been fixed some time ago in Perfsonar.
Note that more serious vulnerabilities have been found in perfSONAR since this was
fixed, and sites asked to update. Therefore this advisory is simply for completeness
and to acknowledge the reporter of these vulnerabilities. See [R 2]
For this reason this advisory is only placed on the wiki and not e-mailed to sites.
Details
=======
PerfSONAR is widely used in the EGI infrastructure. [R 1]
A vulnerability has been found in the web interface which allows users to obtain
information which should not be available to them.
This was fixed by the Perfsonar team.
Risk category
=============
This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team
Affected software
=================
Perfsonar.
Mitigation
==========
None.
Information from perfSONAR
==================================
Release notes are available at [R 3]
which includes a fix for this.
Recommendations
===============
No recommendations are made as sites have been told to update Perfsonar due to a
more serious vulnerability since this vulnerability was fixed.
Credit
======
This vulnerability was reported by Simon Fayer from Imperial College.
References
==========
[R 1] https://twiki.cern.ch/twiki/bin/view/LCG/PerfsonarDeployment
[R 2] https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7162
[R 3] http://psps.perfsonar.net/toolkit/releasenotes/pspt-3_3_2rc3.html
Timeline
========
Yyyy-mm-dd
2013-09-12 Vulnerability reported by Simon Fayer
2013-09-12 Acknowledgement from the EGI SVG to the reporter
2013-10-01 Software providers contacted and responded and involved in investigation
2013-10-10 Assessment by the EGI Software Vulnerability Group reported to the software
providers
2013-12-09 Updated packages available at the perfSONAR site
2014-07-17 Advisory sent for more serious vulnerability
2014-08-05 Public disclosure