From EGIWiki
Jump to: navigation, search
Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More


** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       **UPDATE*** EGI SVG Advisory 'High' RISK - Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495]

Date:        2015-09-22  
Updated:     2015-09-30, 2015-10-26



dCache [R 1] is a data storage and retrieval system.  

A vulnerability has been found in the dCache SRM server module by the dCache team, who also alerted SVG to this problem.  

A fixed binary version is available on the dCache site [R 2].


A fixed version is now available in the EGI UMD.  


See the dCache page. [R 1]

Risk category

This issue has been assessed as 'High' risk by the EGI SVG Risk Assessment Team.  

Affected software

All dCache versions prior to this patch are affected. 

The releases which fix this issue are are: 


It was noted by the dCache team that several site still run the unsupported 2.6 dCache.  
Given these sites currently suffer from a High risk vulnerability, dCache  have made an 
additional release: 2.6.52



Component installation information

Updates are available on the dCache site [R 2]

Release notes are available at the dCache site.

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

Sites using the EGI UMD 3 should see:


UMD 3.13.4 has been released and contains the fix for this issue at: 

Other Information

**Original statement**

To give sites time to upgrade their dCache, the dCache team will not release any details of the 
vulnerability at this time.  This includes not making  public the source-code for the fix for a 
'grace period' of two weeks, as doing so would also reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into github and dCache will continue 
normal bug-fix release cycles.


A fixed version is now available in the EGI UMD

**UPDATE 2015-10-26 **

The advisory is public, the fix has been in the UMD for over 3 weeks, so info on details of the 
vulnerability may become public. 


Sites are recommended to update the SRM head node component as soon as possible if they have not done so already. 


This vulnerability was discovered by Gerd Behrmann (NDGF) from the dCache team. 


[R 1]

[R 2]


Comments or questions should be sent to svg-rat  at

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome. 


2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the dCache team reported to SVG by Patrick Fuhrmann.  
2015-09-15 Acknowledgement from the EGI SVG to the reporter
2015-09-18 Assessment by the EGI Software Vulnerability Group reported to the software providers.
2015-09-22 Updated packages available on the dCache site. 
2015-09-29 Updated packages available in EGI UMD 3
2015-09-30 Updated advisory sent to sites
2015-10-26 Advisory placed on public wiki