Update Advisory-EGI-SVG-2024-15.md

EGI-Federation · Sep 11, 2024 · 1cbc15e · 1cbc15e
1 parent 2efbdb6
commit 1cbc15e
Showing 1 changed file with 99 additions and 0 deletions.
diff --git a/2024/Advisory-EGI-SVG-2024-15.md b/2024/Advisory-EGI-SVG-2024-15.md
@@ -93,6 +93,105 @@ Vulnerabilities relevant for EGI can be reported at
 
 - [R 3] <https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/voms-rpm-stable/redhat8/>
 
+Date:        2024-07-31
+Updated:
+
+HIGH risk vulnerability concerning the Java version of voms-proxy-init.
+During the proxy generation process it is possible for unauthorized
+users on the same machine to gain read access to the proxy. 
+This allows the user to then perform any action that is possible with 
+the original proxy.
+
+## IDs AND CVSS SCORE 
+
+EGI SVG ID : EGI-SVG-2024-15
+
+CVE ID     : N/A
+
+CVSS Score : N/A 
+
+## AFFECTED SOFTWARE AND VERSIONS
+
+The vulnerability was identified in the VOMS Java API (voms-api-java)
+v. 3.3.2 and is present in the VOMS Java Clients (voms-clients-java)
+v. 3.3.2. Earlier versions may be affected.
+
+The vulnerability is fixed in voms-api-java v. 3.3.3 and in
+voms-clients-java v. 3.3.3.
+
+
+## ACTIONS REQUIRED/RECOMMENDED
+
+Sites are recommended to update voms-api-java and voms-clients-java to
+version 3.3.3 as soon as possible using information in the references 
+below.
+
+
+## COMPONENT INSTALLATION INFORMATION
+
+At present, the new version of voms-api-java and voms-clients-java 
+are released for EL 9, EL 8 and Centos 7 at [R 2], [R 3] and [R 4].
+The rpms are also available from the WLCG repository [R 5].
+
+
+## MORE INFORMATION
+
+This has been assessed as 'HIGH' risk as it allows impersonation of 
+another user.
+
+Some other software is also dependent on the VOMS Java API, but to
+our knowledge, none creates new proxies and therefore none should be 
+affected by the vulnerability in question.
+
+## STATUS OF THIS ADVISORY
+                         
+_TLP:AMBER information - Limited distribution_ 
+
+This advisory will be made public on or after 2024-08-28 at:--
+
+https://advisories.egi.eu/Advisory-EGI-SVG-2024-15 
+
+Minor updates may be made without re-distribution to the sites.
+
+
+## CONTACT AND OTHER INFORMATION ON SVG
+
+-----------------------------
+    Others may re-use this information provided they:-
+
+    1) Respect the provided TLP classification
+
+    2) Credit the EGI (https://www.egi.eu/) Software Vulnerability Group
+-----------------------------
+
+Comments or questions should be sent to
+	svg-rat at mailman.egi.eu
+
+Vulnerabilities relevant for EGI can be reported at
+	report-vulnerability at egi.eu
+
+(see [R 99] for further details, and other information on SVG)
+
+
+## REFERENCES
+
+- [R 1] <https://italiangrid.github.io/voms/>
+
+- [R 2] <https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/voms-rpm-stable/redhat9/>
+
+- [R 3] <https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/voms-rpm-stable/redhat8/>
+
+- [R 4] <https://repo.cloud.cnaf.infn.it/service/rest/repository/browse/voms-rpm-stable/centos7/>
+
+- [R 5] <https://linuxsoft.cern.ch/wlcg/>
+
+- [R 99] <https://confluence.egi.eu/display/EGIBG/SVG+Advisories>
+
+## CREDITS
+
+This vulnerability was reported by Christophe Haen
+
+
 
 - [R 5] <https://linuxsoft.cern.ch/wlcg/>