EGI SVG Advisories

All advisories which are disclosed publicly by EGI Software Vulnerability Group (SVG) are placed on this site.

All advisories which are disclosed publicly by SVG are subject to the Creative Commons licence CC-BY 4.0, including crediting the EGI SVG.

A guide to the risk categories is available at Notes On Risk

SVG also provides information that may be useful to sites concerning the various speculative execution vulnerabilities (see SVG Speculative execution vulnerabilities).

Current advisories

Date | Title | Contents/Link | Risk | Status
2022-02-21, updated 2022-08-02 | xcache image vulnerability and image purge | Advisory-SVG-2022-17581 | ALERT | Fixed
2022-02-18, updated 2022-07-28 | Privilege escalation vulnerabilities in VMware - CVE-2021-22040, CVE-2021-11041 | Advisory-SVG-CVE-2021-22040 | ALERT | Fixed
2019-01-10, updated 2019-01-15, 2019-05-14, 2022-07-28 | systemd-journald vulnerabilities | Advisory-SVG-2019-15258 | CRITICAL | Fixed
2022-05-05 | Vulnerability in SLURM's authentication handling - CVE-2022-29500, CVE-2022-29501, CVE-2022-29502 | Advisory-SVG-CVE-2022-29500 | CRITICAL | Fixed
2022-04-26 | Vulnerability in Java 15 and later - CVE-2022-21449 | Advisory-SVG-CVE-2022-21449 | CRITICAL | Fixed
2022-04-13 | Linux kernel vulnerabilities - CVE-2021-4028, CVE-2021-4083 | Advisory-SVG-CVE-2021-4028 | HIGH | Fixed
2022-03-31 | Vulnerabilities in the expat XML parser - CVE-2022-25235, CVE-2022-25236 | Advisory-SVG-CVE-2022-25235 | CRITICAL | Fixed
2022-03-09, updated 2022-03-15 | Linux kernel Dirty Pipe vulnerability - CVE-2022-0847 | Advisory-SVG-CVE-2022-0847 | CRITICAL | Fixed
2022-03-22 | DoS vulnerability in OpenSSL - CVE-2022-0778 | Advisory-SVG-CVE-2022-0778 | INFORMATION | Fixed
2022-03-17 | HTCondor Security Release: 8.8.16, 9.0.10, and 9.6.0 | Advisory-SVG-CVE-2021-45103 | | Fixed
2022-03-16, updated 2022-07-28 | Privilege escalation vulnerability in the Linux kernel 5.4 - RHEL 8 and derivatives | Advisory-SVG-CVE-2022-25636 | CRITICAL | Fixed
2022-01-28 | log4j version 1.2 Chainsaw vulnerability - limited exposure in EGI - CVE-2022-23307 | Advisory-SVG-CVE-2022-23307 | CRITICAL | Fixed
2022-01-26, updated 2022-01-26 | Local privilege escalation vulnerability in polkit's pkexec utility - CVE-2021-4034 | Advisory-SVG-CVE-2021-4034 | CRITICAL | Fixed
2022-01-25 | Heap buffer overflow vulnerability in the Linux kernel - RHEL 8 and derivatives - CVE-2022-0185 | Advisory-SVG-CVE-2022-0185 | CRITICAL | Fixed
2021-12-10, updated 2021-12-15, 2022-01-07 | Log4j RCE vulnerability - CVE-2021-44228 | Advisory-SVG-CVE-2021-44228 | CRITICAL | Fixed
2021-12-07 | Version of golang used by Singularity - CVE-2021-44717 | Advisory-SVG-CVE-2021-44717 | MODERATE | Fixed
2021-11-03 | Kubernetes NGINX Ingress Controller vulnerability - CVE-2021-25742 | Advisory-SVG-CVE-2021-25742 | HIGH | Fixed
2021-11-01 | httpd mod_proxy vulnerability - CVE-2021-40438 | Advisory-SVG-CVE-2021-40438 | HIGH | Fixed

EGI SVG produces advisories according to the SEC02 EGI Software Vulnerability Issue Handling.

Note that SVG is currently working on how to better cope with the decreasing homogeneity of the infrastructure and how to handle vulnerabilities related to the EOSC services.

Earlier advisories

In the past (up to the end of 2015) EGI CSIRT also issued general alerts at EGI CSIRT Alerts, and EGI SVG advisories primarily concerned gLite middleware.

Publishing an advisory

See Publishing an Advisory