Title: EGI SVG Advisory [TLP:White] 'Low' risk STORM WebDAV interface XXE
vulnerability [EGI-SVG-2015-10134]
Date: 2016-06-20
Updated:
Affected Software and Risk
==========================
LOW risk XXE vulnerability concerning STORM WebDAV interface
Package : STORM
Actions Required/Recommended
============================
Sites are recommended to update relevant components in due course.
Affected software Details.
==========================
STORM versions prior to 1.11.10
This is fixed in Version 1.11.10
More information
================
WebDAV is a protocol, based on HTTP, that makes use of XML as a
machine-readable format. The XML External Entity (XXE) processing feature of
XML make services that use it, like WebDAV, potentially vulnerable to attacks.
An XXE problem was identified with the Milton library. STORM uses this library
to process WebDAV requests.
More information on the XML External Entity Vulnerability is available at [R 1]
Mitigation
==========
N/A
Component installation information
==================================
The official repository for the distribution of grid middleware for EGI sites
is repository.egi.eu which contains the EGI Unified Middleware Distribution
(UMD).
Sites using the EGI UMD 4 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-4/
STORM version 1.11.11 has been placed in the EGI UMD-4
http://repository.egi.eu/2016/05/27/release-umd-4-1-0/
Sites using the EGI UMD 3 should see:
http://repository.egi.eu/category/umd_releases/distribution/umd-3/
STORM version 1.11.11 has been placed in EGI UMD 3.14.2
This may also be upgraded from the StoRM website, - see
http://italiangrid.github.io/storm/2016/01/22/storm-v1.11.10-released.html
TLP and URL
===========
** WHITE information - Unlimited distribution **
** see https://go.egi.eu/tlp for distribution restrictions**
URL: https://advisories.egi.eu/2015/Advisory-SVG-2015-10134
Minor updates may be made without re-distribution to the sites
Credit
======
Andrea Manzi noted that STORM is affected by this vulnerability
References
==========
[R 1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Comments
========
Comments or questions should be sent to svg-rat at mailman.egi.eu
If you find or become aware of a vulnerability which is relevant to EGI you may
report it by e-mail to
report-vulnerability at egi.eu
the EGI Software Vulnerability Group will take a look.
Timeline
========
Yyyy-mm-dd [EGI-SVG-2015-10134]
2015-12-01 Andrea Manzi noted that STORM is affected by this vulnerability
2015-12-10 EGI SVG Risk Assessment completed
2015-12-10 Assessment by the EGI Software Vulnerability Group reported to the
software providers
2016-01-22 Vulnerability fixed by the STORM developers
2016-06-08 Updated packages available in the EGI UMD 4
2016-06-16 Updated packages available in the EGI UMD 3
2016-06-20 Advisory/Alert sent to sites
2016-06-20 Public disclosure
On behalf of the EGI SVG,