EGI SVG Advisories

Advisory-SVG-2014-6884

** WHITE information - Unlimited distribution allowed                       **
** see https://go.egi.eu/tlp for distribution restrictions **


EGI SVG  ADVISORY [EGI-SVG-2014-6884]

Title:   EGI SVG Advisory 'CRITICAL' RISK - WN and UI tarballs in the EMI
         repository contain a version of OpenSSL vulnerable to CVE-2014-0160
         [SVG EGI-SVG-2014-6884]

Date:    2014-04-10
Updated:


URL:         https://advisories.egi.eu/2014/Advisory-SVG-2014-6884

Introduction
============

EGI CSIRT has already issued an alert concerning CVE-2014-0160 for the OpenSSL
Heartbleed vulnerability [R 1] on 8th April 2014 with updates on 9th April
2014.

This advisory concerns a specific occurrence of the vulnerable version of
OpenSSL in the EMI-3 repository.

It is only relevant to sites who install the EMI WN or the UI from tarballs
provided in the EMI repository.

It is also only relevant to sites who include the 'os-extras' along with the WN
and/or glite UI tarball.


Details
=======

EGI CSIRT has already issued an alert concerning CVE-2014-0160 for the OpenSSL
Heartbleed vulnerability [R 1] on 8th April 2014 with updates on 9th April
2014.

A vulnerable version of OpenSSL has since been found in the EMI repository.

This has been replaced by a non-vulnerable version.

Sites which use the WN and/or UI tarballs present in the EMI repository may
have a vulnerable version on their systems downloaded from the EMI repository.

This separate advisory is considered necessary to inform sites that a
vulnerable version of OpenSSL WAS in the EMI repository, but has been replaced
by a non-vulnerable version.

Whether sites get their OpenSSL from the EMI repository or elsewhere they need
to ensure they are not running a vulnerable version.


Risk category
=============

This issue has been assessed as 'Critical' risk by the EGI CSIRT and EGI SVG
Risk Assessment Team. This has been previously reported.


Affected software
=================

Tarballs for the gLite WN and UI available in the EMI repository for SL6.

The vulnerable version of OpenSSL was found in:--

emi-wn-3.7.1-1_v2.sl6 and
emi-ui-3.7.1-1_v2.sl6

This is fixed in version:--

emi-wn-3.7.3-1_v1.sl6 and
emi-ui-3.7.3-1_v1.sl6

Earlier versions may also be vulnerable.

Note that SL5 versions are not affected.
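The version boundaries above (3.7.1-1_v2 affected, 3.7.3-1_v1 fixed, earlier versions possibly affected, SL5 not affected) are easy to misread when a site has several tarball generations unpacked side by side. The following Python script is an added example, not part of the advisory or the EMI tarball tooling: it parses tarball file names, paths or download URLs of the form seen in this advisory and classifies each one against the fixed versions stated here. The naming pattern is generalised from the names on this page and is an assumption; the sample input is constructed.

```python
import re
from typing import Dict, Iterable, NamedTuple, Tuple

# Versions taken from the advisory text: the vulnerable OpenSSL was found in the
# 3.7.1-1_v2 SL6 tarballs and is fixed in 3.7.3-1_v1; earlier versions may also
# be vulnerable and SL5 tarballs are not affected.
FIXED_IN = {
    "emi-wn": "emi-wn-3.7.3-1_v1.sl6",
    "emi-ui": "emi-ui-3.7.3-1_v1.sl6",
}

# Tarball naming scheme as it appears in the advisory, e.g.
#   emi-wn-3.7.1-1_v2.sl6
#   emi-ui-3.7.3-1_v1.sl6.os-extras.tgz
# The regular expression is an assumption generalised from those names.
_NAME_RE = re.compile(
    r"^(?P<product>emi-(?:wn|ui))-"
    r"(?P<version>\d+(?:\.\d+)*)-"
    r"(?P<release>\d+)_v(?P<rev>\d+)\."
    r"(?P<os>sl\d+)"
    r"(?P<extras>\.os-extras)?(?:\.tgz)?$"
)


class Tarball(NamedTuple):
    product: str
    version: Tuple[int, ...]   # e.g. (3, 7, 1)
    release: int               # the "-1" package release
    rev: int                   # the "_v2" tarball revision
    os: str                    # "sl6" or "sl5"
    os_extras: bool            # True for the *.os-extras.tgz companion tarball

    @property
    def key(self) -> Tuple[Tuple[int, ...], int, int]:
        # Ordering used for "earlier than the fixed version" comparisons.
        return (self.version, self.release, self.rev)


def parse_tarball_name(name: str) -> Tarball:
    """Parse an EMI WN/UI tarball file name, local path or download URL."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    m = _NAME_RE.match(base)
    if not m:
        raise ValueError(f"not an EMI WN/UI tarball name: {name!r}")
    return Tarball(
        product=m["product"],
        version=tuple(int(x) for x in m["version"].split(".")),
        release=int(m["release"]),
        rev=int(m["rev"]),
        os=m["os"],
        os_extras=m["extras"] is not None,
    )


def assess(name: str) -> str:
    """Return 'affected', 'fixed', 'not-affected' or 'unknown' for one tarball name."""
    tb = parse_tarball_name(name)
    if tb.os == "sl5":
        return "not-affected"   # advisory: SL5 versions are not affected
    if tb.os != "sl6":
        return "unknown"        # the advisory only covers SL5 and SL6 builds
    fixed = parse_tarball_name(FIXED_IN[tb.product])
    # "Earlier versions may also be vulnerable": everything below the fixed
    # version is treated as affected, not only the 3.7.1-1_v2 build named.
    return "fixed" if tb.key >= fixed.key else "affected"


def triage(names: Iterable[str]) -> Dict[str, str]:
    """Classify every name; names that do not match the scheme are 'unparseable'."""
    out: Dict[str, str] = {}
    for n in names:
        try:
            out[n] = assess(n)
        except ValueError:
            out[n] = "unparseable"
    return out


if __name__ == "__main__":
    # Constructed sample: names from the advisory plus a few invented ones.
    sample = [
        "emi-wn-3.7.1-1_v2.sl6",
        "emi-ui-3.7.3-1_v1.sl6",
        "http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-ui/"
        "emi-ui-3.7.3-1_v1.sl6.os-extras.tgz",
        "emi-wn-3.7.0-1_v3.sl6",   # constructed: an earlier release
        "emi-wn-3.7.1-1_v2.sl5",   # constructed: an SL5 build
        "some-other-1.0.tgz",      # constructed: not a WN/UI tarball
    ]
    for n, verdict in triage(sample).items():
        print(f"{verdict:13} {n}")
```

A "fixed" verdict only says which tarball build a site unpacked. Because the tarballs are extracted into a shared area and OpenSSL may also arrive from elsewhere, the libraries actually present on the WN or UI still have to be checked, as the advisory itself states.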


Mitigation
==========

N/A.


Component installation information
==================================

The fixed versions are as follows:


SL6 WN:
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-wn/emi-wn-3.7.3-1_v1.sl6.tgz
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-wn/emi-wn-3.7.3-1_v1.sl6.os-extras.tgz


SL6 UI:
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-ui/emi-ui-3.7.3-1_v1.sl6.tgz
http://repository.egi.eu/mirrors/EMI/tarball/test/sl6/emi3-emi-ui/emi-ui-3.7.3-1_v1.sl6.os-extras.tgz

Only sites that use the "os-extras" from this repository will have had the
vulnerable OpenSSL downloaded from the EMI repository into their tarball area.
Others will still need to upgrade OpenSSL if they have not already done so.


For further information see the Tarball wiki page [R 2]


You may also contact the Tarball support list tarball-grid-support@cern.ch
if you have any questions.



Recommendations
===============

All running resources MUST be either patched or otherwise temporarily removed
from service as soon as possible, and at the latest by 2014-04-15T21:00+01:00.
Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.

This is considered to be part of the same campaign to eliminate CVE-2014-0160
as described in [R 1].


Credit
======

SVG was alerted to the vulnerable version of OpenSSL being present in the EMI
repository by Matt Doidge, who also resolved this.


References
==========

[R 1] https://advisories.egi.eu/CSIRT_Alerts/OpenSSL-2014-04-08

[R 2] https://www.sysadmin.hep.ac.uk/wiki/EMI3Tarball#Downloading


Timeline
========
Yyyy-mm-dd

2014-04-09 SVG alerted to this problem by Matt Doidge.
2014-04-09 Acknowledgement from the EGI SVG to the reporter
2014-04-09 It was decided as it concerns middleware SVG should issue a
            separate advisory to the general one concerning OpenSSL.
2014-04-10 Software providers (also Matt Doidge) provided a new version.
2014-04-10 Advisory issued
2014-04-10 Public disclosure