Document retrieved from a search-engine cache. Address of the original document: http://theory.sinp.msu.ru/pipermail/ru-ngi/2015q3/001631.html
Last modified: Wed Sep 23 09:11:09 2015
Indexed: Sun Apr 10 18:26:50 2016
[RU-NGI] Fwd: [Noc-managers] EGI SVG Advisory 'High' RISK - Vulnerability in the dCache SRM server module [EGI-SVG-2015-9495]

Alexander Kryukov kryukov at theory.sinp.msu.ru
Wed Sep 23 08:25:04 MSK 2015


FYI


-------- Forwarded Message --------
Subject: [Noc-managers] EGI SVG Advisory 'High' RISK - Vulnerability in 
the dCache SRM server module [EGI-SVG-2015-9495]
Date: Tue, 22 Sep 2015 13:15:25 +0000
From: linda.cornwall at stfc.ac.uk
To: site-security-contacts at mailman.egi.eu, 
ngi-security-contacts at mailman.egi.eu, csirt at mailman.egi.eu, 
noc-managers at mailman.egi.eu
CC: svg-rat at mailman.egi.eu

** AMBER information - Limited distribution **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution 
restrictions **

EGI SVG ADVISORY [EGI-SVG-2015-9495]

Title:       EGI SVG Advisory 'High' RISK - Vulnerability in the dCache 
SRM server module [EGI-SVG-2015-9495]

Date:        2015-09-22
Updated:

This advisory will be placed on the wiki after the patch has been 
available in all distributions for at least 2 weeks.

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-9495


Introduction
============

dCache [R 1] is a data storage and retrieval system.

A vulnerability has been found in the dCache SRM server module by the 
dCache team, who also alerted SVG to this problem.

A fixed binary version is available on the dCache site [R 2].

A fixed version is not yet available in the EGI UMD.


Details
=======

See the dCache page. [R 1]


Risk category
=============

This issue has been assessed as 'High' risk by the EGI SVG Risk 
Assessment Team.

Affected software
=================

All dCache versions prior to this patch are affected.

The releases which fix this issue are:

2.13.9
2.12.21
2.11.32
2.10.41
2.6.52

It was noted by the dCache team that several sites still run the 
unsupported 2.6 dCache.  Given these sites currently suffer from a High 
risk vulnerability, dCache have made an additional release: 2.6.52


Mitigation
==========

N/A.


Component installation information
==================================

Updates are available on the dCache site [R 2]

Note that at present the patch is only available from the dCache site.

Release notes are available at

https://www.dcache.org/downloads/1.9/release-notes-2.13.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.12.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.11.shtml
https://www.dcache.org/downloads/1.9/release-notes-2.10.shtml
https://www.dcache.org/downloads/1.9/unsupported/release-notes-2.6.shtml


The official repository for the distribution of grid middleware for EGI 
sites is
repository.egi.eu which contains the EGI Unified Middleware Distribution 
(UMD).

Sites using the EGI UMD 3 should see:

http://repository.egi.eu/category/umd_releases/distribution/umd-3/


Other Information
==================

To give sites time to upgrade their dCache, the dCache team will not 
release any details of the vulnerability at this time.  This includes 
not making public the source-code for the fix for a 'grace period' of 
two weeks, as doing so would also reveal information on the vulnerability.

During this two week grace period, dCache will make no further releases.

Once the grace-period elapses, all code changes will be pushed into 
github and dCache will continue normal bug-fix release cycles.

The SVG hopes that this software can be made available in the UMD before 
dCache reveals the change to the source code.


Recommendations
===============

Sites are recommended to update the SRM head node component as soon as 
possible.

Sites installing from the EGI UMD may wait until the patch is available 
in the EGI UMD if they wish.


Credit
======

This vulnerability was discovered by Gerd Behrmann (NDGF) from the 
dCache team.


References
==========


[R 1] https://www.dcache.org/

[R 2] https://www.dcache.org/downloads/1.9/


Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so 
suggestions and comments are welcome.


Timeline
========
Yyyy-mm-dd

2015-09-15 Vulnerability discovered by Gerd Behrmann (NDGF) from the 
dCache team reported to SVG by Patrick Fuhrmann.
2015-09-15 Acknowledgement from the EGI SVG to the reporter
2015-09-18 Assessment by the EGI Software Vulnerability Group reported 
to the software providers
2015-09-22 Updated packages available on the dCache site.


On behalf of the EGI SVG,

------------------------------------------------------------------
Dr Linda Cornwall,
Particle Physics Department,
STFC Rutherford Appleton Laboratory,
Harwell Oxford,
DIDCOT,
OX11 OQX,
United Kingdom

E-mail  Linda.Cornwall at stfc.ac.uk
Tel.    +44 (0) 1235 44 6138
Skype   linda.ann.cornwall


_______________________________________________
Noc-managers mailing list
Noc-managers at mailman.egi.eu
https://mailman.egi.eu/mailman/listinfo/noc-managers

-- 
A.Kryukov, PhD
Head of laboratory, SINP MSU
Phone: +7 495 939-3156
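The advisory gives no technical details, but it does give the one thing a site needs to act on it: the first fixed release on each branch. The script below is an added example, not part of the advisory, of the forwarded message, or of dCache's own tooling. It takes the fixed releases listed under "Affected software" and classifies an installed version as affected, fixed, or unknown, then applies that to a site inventory. It assumes dCache versions are reported as MAJOR.MINOR.PATCH (an optional package suffix such as "-1" is ignored); the hostnames and versions in the sample inventory are constructed for the example.

```python
"""Classify installed dCache versions against the fixed releases in EGI-SVG-2015-9495.

Added example; the fixed releases come from the advisory text, the
version-string format and the sample inventory are assumptions.
"""

from typing import Dict, Tuple

# First release on each branch that carries the fix, as listed in the advisory:
# (major, minor) -> patch level
FIXED_RELEASES: Dict[Tuple[int, int], int] = {
    (2, 13): 9,
    (2, 12): 21,
    (2, 11): 32,
    (2, 10): 41,
    (2, 6): 52,
}

# Newest branch the advisory knows about; later branches postdate the fix.
NEWEST_LISTED_BRANCH = (2, 13)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing package suffix ('-1') is dropped.

    The three-component format is an assumption about how the version is
    reported, not something the advisory states.
    """
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised dCache version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one installed version."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    fixed_patch = FIXED_RELEASES.get(branch)
    if fixed_patch is None:
        if branch > NEWEST_LISTED_BRANCH:
            # Branch created after the advisory: consult its own release notes.
            return "unknown"
        # Older branch with no fixed release (e.g. 2.7-2.9): the advisory says
        # all versions prior to the patch are affected, and none was issued here.
        return "affected"
    return "fixed" if patch >= fixed_patch else "affected"


def hosts_needing_update(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> verdict for every host whose installed version is not fixed."""
    verdicts = {host: assess(version) for host, version in inventory.items()}
    return {host: verdict for host, verdict in verdicts.items() if verdict != "fixed"}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "srm-a.example.org": "2.13.8",
    "srm-b.example.org": "2.13.9",
    "srm-c.example.org": "2.10.41-1",
    "srm-d.example.org": "2.6.51",
    "srm-e.example.org": "2.9.3",
}


if __name__ == "__main__":
    for host, verdict in sorted(hosts_needing_update(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

The only judgement call is what to do with branches the advisory does not list. Branches older than 2.13 without a fixed release are reported as affected, because the advisory states that every version prior to the patch is affected and no patched release exists for them; branches newer than 2.13 are reported as unknown rather than fixed, since the advisory says nothing about releases made after the grace period and their release notes have to be checked separately.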
