SVG:Advisory-SVG-2014-7159


Advisory-SVG-2014-7159



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-7159] 

Title:       EGI SVG Advisory 'Low' RISK - VOMS Potential DoS  [EGI-SVG-2014-7159]

Date:        2015-08-18 
Updated:     

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2014-7159

Introduction
============

A vulnerability has been found which allows a possible DoS attack on the VOMS server.

This has been fixed by the VOMS team and the fixed version has been released in the EGI UMD.

Note that this was fixed in the UMD in February 2015, but the advisory was not issued at the time. 


Details
=======

VOMS 2.0.11 introduced an attempt to limit the number of concurrent connections to the VOMS 
server. The limit was handled incorrectly, and as a result a DoS attack against the server is 
possible.  
This is also an operational problem: because of the mis-handling, it may become impossible to 
connect to a VOMS server even when no malicious DoS attack is being made. 
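The advisory does not describe the defect in detail. The following is a constructed illustration, added to this 
page and not taken from the VOMS source, of the general failure mode it describes: a cap on concurrent 
connections whose slot accounting leaks on an error path. The SlotPool, SlotGuard, handle_buggy and 
handle_fixed names are assumptions for the example only. With the leaky handler, a client that repeatedly 
opens connections and abandons the handshake pins slots permanently (a DoS), and ordinary transient failures 
eventually exhaust the slots with no attacker present (the operational problem). The RAII variant releases 
the slot on every exit path.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed illustration (hypothetical, not VOMS code): a fixed-size pool of
// connection slots used to cap the number of concurrent clients.
class SlotPool {
public:
    explicit SlotPool(std::size_t max) : max_(max), used_(0) {}
    bool acquire() {                       // refuse once the cap is reached
        if (used_ >= max_) return false;
        ++used_;
        return true;
    }
    void release() { if (used_ > 0) --used_; }
    std::size_t used() const { return used_; }
private:
    std::size_t max_;
    std::size_t used_;
};

// RAII guard: whatever path the handler leaves by, the slot is given back.
class SlotGuard {
public:
    explicit SlotGuard(SlotPool& p) : pool_(p), held_(p.acquire()) {}
    ~SlotGuard() { if (held_) pool_.release(); }
    bool held() const { return held_; }
    SlotGuard(const SlotGuard&) = delete;
    SlotGuard& operator=(const SlotGuard&) = delete;
private:
    SlotPool& pool_;
    bool held_;
};

// handshake_ok stands in for the outcome of the client handshake
// (true = completed, false = client dropped the connection or presented a bad credential).

// Leaky handler: takes a slot, but the early return on a failed handshake
// never releases it, so each failure permanently consumes one slot.
bool handle_buggy(SlotPool& pool, bool handshake_ok) {
    if (!pool.acquire()) return false;     // over the cap: refuse the client
    if (!handshake_ok) return false;       // BUG: slot is never released
    pool.release();                        // normal completion
    return true;
}

// Corrected handler: the guard releases the slot on every exit path.
bool handle_fixed(SlotPool& pool, bool handshake_ok) {
    SlotGuard guard(pool);
    if (!guard.held()) return false;       // over the cap: refuse the client
    if (!handshake_ok) return false;       // guard's destructor frees the slot
    return true;
}

typedef bool (*Handler)(SlotPool&, bool);

// Simulate `failures` abandoned handshakes against a pool of `max` slots and
// report how many slots are still marked in use afterwards.
std::size_t slots_leaked(Handler handler, std::size_t max, std::size_t failures) {
    SlotPool pool(max);
    for (std::size_t i = 0; i < failures; ++i) handler(pool, false);
    return pool.used();
}

// Simulate `failures` abandoned handshakes, then one well-behaved client;
// return whether that legitimate client was accepted.
bool legit_accepted_after_failures(Handler handler, std::size_t max, std::size_t failures) {
    SlotPool pool(max);
    for (std::size_t i = 0; i < failures; ++i) handler(pool, false);
    return handler(pool, true);
}

int main() {
    const std::size_t cap = 4;
    std::printf("leaky handler:  %zu slots pinned after 10 failed handshakes, legit client accepted: %s\n",
                slots_leaked(handle_buggy, cap, 10),
                legit_accepted_after_failures(handle_buggy, cap, 10) ? "yes" : "no");
    std::printf("fixed handler:  %zu slots pinned after 10 failed handshakes, legit client accepted: %s\n",
                slots_leaked(handle_fixed, cap, 10),
                legit_accepted_after_failures(handle_fixed, cap, 10) ? "yes" : "no");
    return 0;
}
```

Note that the leaky handler needs only as many failed handshakes as there are slots to lock out every 
later client, and it never recovers without a restart, which is why a bug of this kind shows up as an 
outage on a busy server even when nobody is attacking it.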


Risk category
=============

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team. 

Affected software
=================

This has been fixed in VOMS 2.0.12-1, which was released in UMD 3.11.0 in February 2015. 

VOMS server version voms-2.0.11-1 has been shown to be vulnerable, and it is thought that 
only 2.0.11 is vulnerable.
 

Mitigation
==========

N/A

Component installation information
==================================

The official repository for the distribution of grid middleware for EGI sites is repository.egi.eu 
which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/


Sites who wish to install directly from the EMI release should see: 

http://www.eu-emi.eu/releases/emi-3-monte-bianco/updates/



Recommendations
===============

Sites are recommended to update relevant components in due course.


Credit
======

This vulnerability was reported by Robert Frank from the University of Manchester.


Timeline  
========
Yyyy-mm-dd

2014-06-17 Vulnerability reported by Robert Frank 
2014       Acknowledgement from the EGI SVG to the reporter
2014-06-17 Software providers responded and involved in investigation
2014-06-18 Assessment by the EGI Software Vulnerability Group reported to the software providers
2014-06-18 Found that it had already been fixed by the VOMS development team; it was
           considered a more serious operational issue
2014-11-10 Update in EMI repository
2015-02-16 Updated packages available in the EGI UMD
2015-08-17 Noticed that the advisory for this issue had been missed
2015-08-18 Advisory sent to sites
2015-08-18 Public disclosure