** WHITE information - Unlimited distribution allowed **
** see https://go.egi.eu/tlp for distribution restrictions **
EGI SVG ADVISORY [EGI-SVG-2011-3235]
Title: BDII Predictable passwords
Date: 2012-04-02
Updated:
URL: https://advisories.egi.eu/2011/Advisory-SVG-2011-3235
Introduction
============
It has been found that the BDII [R1] password is predictable when installing
the EMI top level BDII.
This has now been resolved.
Details
=======
A previous vulnerability in BDII was found for which the EGI issued an advisory
at [R 2] and it was stated that it only applied to gLite 3.2
However, this was found to also partially apply to the EMI version of BDII.
The BDII password is predictable and not changed to a random value.
This has now been resolved in EMI and in the EGI UMD.
Risk Category
=============
This issue was not individually assessed as it was a partial failure to resolve
issue described at https://advisories.egi.eu/2011/Advisory-SVG-2011-1414
Affected Software
=================
This vulnerability was found in BDII 5.2.5-2
The problem is fixed in BDII 5.2.7 released as part of EMI-1 Update 13 and is
available in UMD 1.6.0
Mitigation
==========
No Mitigation is recommended.
Component Installation information
==================================
Release UMD-1.6.0
http://repository.egi.eu/2012/04/02/release-umd-1-6-0/
The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).
http://repository.egi.eu/category/umd_releases/distribution/umd_1
Recommendations
===============
Sites are recommended to update relevant components.
Credit
======
This vulnerability was reported by Lukasz Flis
References
==========
[R 1] https://twiki.cern.ch/twiki/bin/view/EGEE/BDII
[R 2] https://advisories.egi.eu/2011/Advisory-SVG-2011-1414
[R 3] http://repository.egi.eu/category/umd_releases/distribution/umd_1/
[R 4] http://www.eu-emi.eu/emi-1-kebnekaise
[R 5] http://repository.egi.eu/2012/04/02/release-umd-1-6-0/
Timeline
========
Yyyy-mm-dd
2011-11-30 Possible Vulnerability discussed in e-mail by Lukasz Flis
2011-12-08 Vulnerability entered into SVG issue handling process and
investigation under way
2011-12-09 Software providers responded and involved in investigation
2012-01-10 Established that there is definitely a problem
2012-04-04 Updated packages available EGI UMD
2012-04-04 Public disclosure