Grid Security Vulnerability Group - Advisory

-- Topic: Job information published openly in R-GMA

-- Date: 2008-04-08, updated 2010-03-08

-- ID: Grid Vulnerability Savannah bug #11330

-- Background

R-GMA stands for the Relational Grid Monitoring Architecture. It provides the framework for the operations of the distributed monitoring database.

-- Vulnerability Details

Job information is published openly in R-GMA, which for some users and applications is a confidentiality concern. This is well known. Such information may also be useful for other types of attack.

This is due to there being no Authorization in the versions of R-GMA distributed as part of gLite. This means that any authenticated user can view or publish any information they choose.

This is a matter of missing functionality, which is well known by those installing and using R-GMA.

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group reminds sites of this, and that a new version of R-GMA is available where authorization is included.

-- Component and Installation information.

A new version of R-GMA is available from http://hepunx.rl.ac.uk/egee/jra1-uk/r-gma-6.0/installation.html

R-GMA is not currently distributed as part of gLite 3.2, and the earlier version distributed with gLite 3.1 is not being upgraded to the latest version supplied by the R-GMA developers.

-- Other information

The version of R-GMA which includes Authorization is new, and follows a major re-write.

-- Credit

This vulnerability was initially reported by Stephen Burke.

-- Disclosure Timeline

Yyyy-mm-dd

2005-09-30 Vulnerability reported by Stephen Burke
2005-12-09 Issue handled by the Pre EGEE-II process including informing site security contacts
2008-01-14 R-GMA testing version of R-GMA which includes authorization
2010-03-09 Public disclosure as new version of R-GMA is available with this problem fixed

-- References

If applicable

==========================================================================