[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-announce] GT3.9.x and GT4 MDS4 Index and Trigger Service Vulnerability

To: security-announce@globus.org
Subject: [security-announce] GT3.9.x and GT4 MDS4 Index and Trigger Service Vulnerability
From: Lisa C Childers <childers@mcs.anl.gov>
Date: Thu, 19 May 2005 08:49:50 -0500 (CDT)
Delivered-to: glbs-security-announce-outgoing@mailbouncer.mcs.anl.gov
Delivered-to: glbs-security-announce@mailbouncer.mcs.anl.gov
Sender: owner-security-announce@globus.org

Globus Project(tm) Security Advisory 2005-02:  MDS4 Index and Trigger
Service Vulnerability


Original issue date: May 17, 2005
Last revised: None

Software effected:

Globus Toolkit, releases 3.9.x and 4.0.0

Specific package: WS MDS

Overview

The WS MDS Index and Trigger services contain vulnerabilities that can be
exploited by remote users to run programs on the server.  The WS MDS Index
and Trigger services are deployed by default in GT 3.9.x and 4.0.0
installations, so we recommend that everyone running these versions of the
toolkit apply the patch referred to below.

I. Description

The WS MDS Index and Trigger services gather data through the use of
several modules which collect and format data which will then be used by
the MDS services.  One of these modules, the Aggregator Execution
Source, runs a script to collect data: system administrators make scripts
available for use by putting those scripts in the directory
$GLOBUS_LOCATION/libexec/aggrexec; users can then specify which of
those scripts to run.  However, because of a coding error, a malicious
user can specify a script located anywhere on the server, not just in the
administrator-controlled $GLOBUS_LOCATION/libexec/aggrexec directory.

The WS MDS Trigger service executes scripts when certain conditions are
met.  Administrators make scripts available for use by putting those
scripts in the $GLOBUS_LOCATION/libexec/trigger directory; users
can then specify which of those scripts to run under what conditions.
Because of a coding error, a malicious user can specify a script located
anywhere on the server, not just in the administrator-controlled
$GLOBUS_LOCATION/libexec/trigger directory.

II. Impact

The bug allows malicious users to run programs on the server as the globus
user.

III. Solution

An update package with a fix for Globus Toolkit (R) 4.0.0 is available at:

http://www-unix.globus.org/toolkit/advisories.html

This update changes the mechanism by which scripts are made available by
administrators.  In the new mechanism, administrators who wish to make
scripts available for execution by the Index or Trigger service must
assign each script a logical name, and enter a mapping from the script's
logical name to physical location in the (Index or Trigger) service's
jndi-config.xml.  Users now specify these logical names instead of the
script file names; if no mapping exists for a logical name, a warning is
logged and nothing is executed.  A similar mapping is used for scripts
executed by the Trigger service.

We recommend that people running 4.0.0 apply this patch and that people
running 3.9.x upgrade to 4.0.0 and apply the patch.

Prev by Date: [security-announce] GT3.2 MDS3 Index Service Vulnerability
Previous by thread: [security-announce] GT3.2 MDS3 Index Service Vulnerability
Index(es):
- Date
- Thread