SVG:Advisory-SVG-2015-9495

From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template RAT/Membership Documents Assessment Secure Coding Info for SVG members

Advisory-SVG-2015-9495



** WHITE information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-9495] 

Title:       **UPDATE*** EGI SVG Advisory 'High' RISK - Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495]

Date:        2015-09-22  
Updated:     2015-09-30, 2015-10-26



URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9495


Introduction
============

dCache [R 1] is a data storage and retrieval system.  

A vulnerability has been found in the dCache SRM server module by the dCache team, who also alerted SVG to this problem.  

A fixed binary version is available on the dCache site [R 2].

**UPDATE** 

A fixed version is now available in the EGI UMD.  



Details
=======

See the dCache page. [R 1]


Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.  


Affected software
=================


All dCache versions prior to this patch are affected. 

The releases which fix this issue are are: 

2.13.9
2.12.21
2.11.32
2.10.41
2.6.52


It was noted by the dCache team that several site still run the unsupported 2.6 dCache.  
Given these sites currently suffer from a High risk vulnerability, dCache  have made an 
additional release: 2.6.52


Mitigation
==========

N/A.


Component installation information
==================================


Updates are available on the dCache site [R 2]

Release notes are available at the dCache site.

https://www.dcache.org/downloads/1.9/release-notes-2.13.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.12.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.11.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml
https://www.dcache.org/downloads/1.9/unsupported/release-notes-2.6.shtml


The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD).
 

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/

**UPDATE**

UMD 3.13.4 has been released and contains the fix for this issue at: 

http://repository.egi.eu/2015/09/29/release-umd-3-13-4/ 


Other Information
==================


**Original statement**

To give sites time to upgrade their dCache, the dCache team will not release any details of the 
vulnerability at this time.  This includes not making  public the source-code for the fix for a 
'grace period' of two weeks, as doing so would also reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into github and dCache will continue 
normal bug-fix release cycles.

**UPDATE**

A fixed version is now available in the EGI UMD

**UPDATE 2015-10-26 **

The advisory is public, the fix has been in the UMD for over 3 weeks, so info on details of the 
vulnerability may become public. 


Recommendations
===============

Sites are recommended to update the SRM head node component as soon as possible if they have not done so already. 


Credit
======

This vulnerability was discovered by Gerd Behrmann (NDGF) from the dCache team. 


References
==========


[R 1] https://www.dcache.org/

[R 2] https://www.dcache.org/downloads/1.9/




Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 



Timeline  
========
Yyyy-mm-dd

2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the dCache team reported to SVG by Patrick Fuhrmann.  
2015-09-15 Acknowledgement from the EGI SVG to the reporter
2015-09-18 Assessment by the EGI Software Vulnerability Group reported to the software providers.
2015-09-22 Updated packages available on the dCache site. 
2015-09-29 Updated packages available in EGI UMD 3
2015-09-30 Updated advisory sent to sites
2015-10-26 Advisory placed on public wiki