Grid Security Vulnerability Group - Advisory

Topic: Java Trustmanager not checking host name in host certificate
Date: 2010-07-20
ID: Grid Vulnerability Savannah bug #10278

Background

The gLite Java Trustmanager is used for grid certificate handling in the Java environment of some gLite services.

Vulnerability Details

The Java trust manager does not check that the DN in a host certificate matches the host name. Hence a stolen host certificate, together with its private host key, can be used to authenticate as any host.

Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Low' risk.

Affected software and components

Only the glite-UI, glite-VOBOX and glite-WN are affected, because they act as clients of services for which they should verify the certificates. The gLite Trustmanager is also used by other node types. The problem is fixed in glite-security-trustmanager >= 2.5.5-1.

Other information

This is a well-known issue; it was originally handled by the pre-EGEE-II issue handling process, and site security contacts were informed. It has also been documented in the 'open issues' document. Note that not all components dependent on the Java trustmanager have been rebuilt since the improved version became available. Components/node types pick it up as they are released.

Disclosure Timeline (yyyy-mm-dd)

2005-08-16  Vulnerability reported
2005-11-21  Site security contacts informed according to the pre-EGEE-II issue handling process
2010-06-09  Updated java-trustmanager available
2010-07-20  Public disclosure

References

If applicable

==========================================================================
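The check the advisory describes as missing, as an added example written for this page; it is not code from the gLite Trustmanager or any gLite release. It assumes the grid convention that a host certificate carries the host name either in a dNSName subjectAltName or in the subject CN (optionally as CN=host/fqdn); the file path and the method names are assumptions. The helper hostNameMatches() shows what a client must verify after chain validation, and enableBuiltInCheck() shows the preferred route in modern JSSE, where the JDK performs the RFC 2818 host name check itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public final class HostNameCheck {

    /**
     * True if the certificate names expectedHost in a dNSName SAN or, only when no
     * dNSName SAN is present, in the subject CN. Chain validation must already have
     * passed; this check only binds the validated certificate to the peer we dialled.
     */
    public static boolean hostNameMatches(X509Certificate cert, String expectedHost) throws Exception {
        String host = expectedHost.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans != null) {
            boolean sawDnsName = false;
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) {          // GeneralName type 2 = dNSName
                    sawDnsName = true;
                    if (dnsNameMatches((String) san.get(1), host)) return true;
                }
            }
            if (sawDnsName) return false;                   // SANs present: do not fall back to CN
        }
        // Legacy fallback: CN of the subject DN. The "host/" prefix is an assumed grid convention.
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                String cn = rdn.getValue().toString();
                if (cn.startsWith("host/")) cn = cn.substring("host/".length());
                if (dnsNameMatches(cn, host)) return true;
            }
        }
        return false;
    }

    /** Exact match, or a single left-most wildcard label (*.example.org) covering exactly one label. */
    static boolean dnsNameMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);               // ".example.org"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");
    }

    /** Preferred on a current JDK: let JSSE perform the host name check during the handshake. */
    public static void enableBuiltInCheck(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 rules: SAN first, CN fallback
        socket.setSSLParameters(params);
    }

    /** Usage: java HostNameCheck hostcert.pem ce.example.org (assumed file name and host). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            boolean ok = hostNameMatches(cert, args[1]);
            System.out.println("subject: " + cert.getSubjectX500Principal().getName());
            System.out.println("names " + args[1] + ": " + ok);
        }
    }
}
```

The point of the SAN-before-CN ordering is that a certificate carrying any dNSName SAN must be judged on those names alone; consulting the CN afterwards would let a certificate issued for one service be accepted for a host named only in its CN. A client that skips this step entirely is in exactly the position the advisory describes: any validly issued host certificate and key, wherever they were obtained, is accepted for any peer.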