** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2014-8580]

Title: EGI SVG Advisory 'High' Risk - Dirac does not check CRLs [EGI-SVG-2015-8585]
Date: 2015-09-29
Updated: 2015-10-13
URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-8580

Introduction
============

A vulnerability has been found where Dirac does not check Certificate Revocation Lists (CRLs) when making its SSL connections. This has been fixed in the current production version of Dirac.

Details
=======

In the worst case scenario this may allow a user, or someone with a stolen certificate, to submit jobs even after the certificate has been revoked, in cases where gLExec is not being used.

Risk category
=============

This issue has been assessed as 'High' Risk by the EGI SVG Risk Assessment Team.

Affected software
=================

Dirac versions prior to v6r14.

This vulnerability is fixed in Dirac v6r14.

Mitigation
==========

N/A

Component installation information
==================================

See [R 1]

Recommendations
===============

Sites are recommended to update relevant components as soon as possible.

Credit
======

This vulnerability was reported by Simon Fayer from Imperial College, London.

References
==========

[R 1] https://github.com/DIRACGrid/DIRAC/wiki

Timeline
========

Yyyy-mm-dd
2015-05-05 Vulnerability reported by Simon Fayer from SVG
2015-05-05 Software providers responded and involved in investigation
2015-05-12 Assessment by the EGI Software Vulnerability Group reported to the software providers
2015-09-28 Updated packages available
2015-09-29 Advisory sent to sites
2015-10-13 Advisory placed on wiki.
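The following is an added illustration of the check the advisory describes as missing, not code from the advisory or from DIRAC: a CA issues user certificates and a CRL, and the verifier refuses a certificate whose serial is on a CRL that is signed by the issuer and still current. It assumes the `cryptography` library is installed; the CA, user names and validity periods are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca():
    # Constructed throwaway CA for the demo, not a real grid CA.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Constructed Test CA")).issuer_name(_name("Constructed Test CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, cn):
    # End-entity certificate signed by the CA; its holder uses it to submit jobs.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked):
    # The CA publishes a CRL listing the serial numbers of revoked certificates.
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + timedelta(days=7)))
    for cert in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
            .revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())

def is_revoked(cert, crl, ca_cert):
    # The check that was skipped. A CRL is only trusted if it was signed by the
    # certificate's issuer and is still current; anything else is an error, never "not revoked".
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not a valid CRL from this certificate's issuer")
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=timezone.utc)
    if next_update < datetime.now(timezone.utc):
        raise ValueError("CRL is stale; refresh it before trusting any certificate")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A client that performs the first two steps but omits `is_revoked` behaves like the affected Dirac versions: a revoked certificate still validates as long as it has not expired.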