

Title:       EGI SVG Advisory [TLP:WHITE] 'Low' Risk - Dirac Pilot factory payload verification

Date:        2016-05-25 

Affected Software and Risk

'Low' risk vulnerability concerning DIRAC Pilot factory payload verification

Actions Required/Recommended

No action is recommended - this is for information only 


A vulnerability has been found where Dirac does not carry out any verification of software tarballs. 

Since then Dirac has been migrating to use software installation from the CVMFS repository, which is 
considered to be an acceptable means of installation across the project. 

Affected Software

DIRAC software installed by means other than CVMFS.

Starting from version v6r15, the DIRAC software is installed by pilots from CVMFS on worker nodes
where CVMFS is available.

More information

DIRAC pilots download their job-wrapper code tarballs over HTTP with no suitable verification that they
have not been tampered with, and then execute the contained code.
In principle this opens the door to DNS spoofing and man-in-the-middle (MITM) attacks, which are unlikely in our environment.

The move to installation via CVMFS is a satisfactory solution. 
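The weakness described above is the absence of an integrity check between download and execution. The following script is an added example, not DIRAC code, showing the check a pilot would need if tarballs were still fetched over plain HTTP: the archive is compared against a pinned SHA-256 digest before it is opened, and the archive members are inspected for path-traversal names before anything is extracted. The tarball, the digest and the tampered copy are all constructed inside the script; the assumption is that the pinned digest is distributed to the pilot out-of-band (for example with the pilot configuration) rather than over the same unauthenticated channel as the tarball.

```python
"""
Added example (not DIRAC code): verify a downloaded job-wrapper tarball
against a pinned SHA-256 digest before extracting or executing anything.
The tarball bytes and the digest are constructed here for the demo; in a
real deployment the digest would be delivered out-of-band, not fetched
over the same untrusted HTTP channel as the tarball itself.
"""
import hashlib
import hmac
import io
import os
import tarfile


class VerificationError(Exception):
    """Raised when a tarball fails the digest or content checks."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> None:
    """Compare the actual digest with the pinned one; raise on mismatch."""
    actual = sha256_hex(data)
    # constant-time comparison, so a mismatch does not leak how much matched
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise VerificationError(f"digest mismatch: expected {expected_hex}, got {actual}")


def _member_is_safe(member: tarfile.TarInfo) -> bool:
    """Reject absolute paths, parent-directory escapes, links and devices."""
    name = member.name.replace("\\", "/")
    if os.path.isabs(name) or ".." in name.split("/"):
        return False
    return member.isfile() or member.isdir()


def verify_and_list(data: bytes, expected_hex: str) -> list:
    """Check the digest first, then inspect the archive; return member names."""
    verify_digest(data, expected_hex)
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not _member_is_safe(member):
                raise VerificationError(f"unsafe member: {member.name}")
            names.append(member.name)
    return names


def build_sample_tarball(files: dict) -> bytes:
    """Constructed sample: a gzip tarball built in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def demo() -> dict:
    """Run the three cases: genuine archive, tampered archive, traversal name."""
    good = build_sample_tarball({"jobwrapper/run.sh": b"#!/bin/sh\necho hello\n"})
    pinned = sha256_hex(good)  # what the out-of-band pin would hold
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one bit in transit
    result = {"ok": verify_and_list(good, pinned)}
    try:
        verify_and_list(tampered, pinned)
        result["tampered_rejected"] = False
    except VerificationError:
        result["tampered_rejected"] = True
    # archive whose digest is "correct" but which tries to escape the target directory
    evil = build_sample_tarball({"../../etc/profile": b"x"})
    try:
        verify_and_list(evil, sha256_hex(evil))
        result["traversal_rejected"] = False
    except VerificationError:
        result["traversal_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the digest is verified on the raw bytes before the gzip or tar parser ever sees them, so a corrupted or substituted download is rejected without exercising any decompression code. The member check covers the separate failure mode of an archive that is authentic in transit but carries hostile paths. CVMFS removes the need for this in the DIRAC pilot because the repository's signed catalogues provide the same integrity guarantee for every file it serves.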

Risk category

This issue has been assessed as 'Low' Risk by the EGI SVG Risk Assessment Team. 

Affected software

DIRAC software installed by means other than CVMFS.


Installation via CVMFS. 

Component installation information

See [R 1] 


No action is recommended. Sites are simply being informed that this 'Low' risk vulnerability exists 
if the DIRAC software is installed other than via CVMFS. 


** WHITE information - Unlimited distribution **
** see for distribution restrictions **


Minor updates may be made without re-distribution to the sites


This vulnerability was reported by Simon Fayer from Imperial College, London, who is also a member of SVG. 


[R 1]


2014-09-16 Vulnerability reported by Simon Fayer from Imperial College 
2014-09-16 Software providers responded and involved in investigation
2014-11-07 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-08-13 Informed that DIRAC is migrating to CVMFS for most of its software installation.
2016-05-25 Advisory sent to sites
2016-05-25 Advisory placed on public wiki

On behalf of the EGI SVG,