EGI SVG Advisories

========================================================================
                             EGEE Operational Security Coordination Team

Topic:   High-risk vulnerabilities in CREAM CE software
Date:    October 20th 2009
URL:     http://cern.ch/osct/alerts/cream-20-10-2009.txt


Background
----------

The CREAM (Computing Resource Execution And Management) service is a
gLite service for job management at the Computing Element (CE) level.


Vulnerabilities description
---------------------------

GSVG was recently disclosed (see [1] and [2]) two vulnerabilities that
were found in the CREAM CE implementation.

First vulnerability (#55551, [1]) was found in the configuration of the
CREAM CE and it allows a database password to be obtained by users that
are authorized to interact with the CREAM instance, e.g. for submitting
jobs.

Second vulnerability (#55552, [2]) in CREAM CE allows root privileges to
be obtained by remote users that are authorized to interact with the
CREAM instance, e.g. for submitting jobs.  The exploit is very unlikely
to have been used.

Both issues were fixed in the CREAM CE 3.1.20.


Vulnerability impact
--------------------

Any user who is authorized to access the CREAM CE instance could
retrieve database password and gain root privileges on the machine
running CREAM CE service.


OSCT recommendations
--------------------

OSCT recommends all sites to urgently upgrade all CREAM CE instances to
glite-CREAM 3.1.20 (found in glite 3.1 update 56) or higher.


References
----------

[1] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55551.txt
[2] http://www.gridpp.ac.uk/gsvg/advisories/advisory-55552.txt
========================================================================