===========================================================================
Grid Software Vulnerability Group Security Advisory

-- Topic: DN information leak on the RB/WMS

-- Date: 2006-11-15, revised 2007-08-06, revised 2010-01-19

-- ID: Grid Vulnerability Savannah ID 18049

-- Background

The Resource Broker (RB) / Workload Management System (WMS) is used to
handle users' jobs in the Grid environment.

-- Vulnerability Details

It may be possible to obtain the DNs of users submitting jobs on RBs/WMS.
Such information should not be available.

Condor uses SSL-based network services on the affected LCG RB and gLite WMS
hosts, which listen on the external network interface during some part of
the job lifetime. It appears that these SSL network services use the proxy
certificates of the users, which could enable an attacker to harvest users'
DNs by performing port scans against the appropriate port range.

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this to be 'Low' risk, as DN
information is not regarded as particularly sensitive. It should not be
possible to harvest DNs in this way, and this should be addressed.

-- Component and Installation information

N/A

-- Precautionary measures or checks

-- Other information

This software is obsolete. Its functionality is currently provided by the
gLite WMS that is part of gLite 3.1 and later.

-- Credit

This vulnerability was initially reported by Romain Wartel.

-- Disclosure Timeline

Yyyy-mm-dd

2006-06-07 Vulnerability reported by Romain Wartel.
2006-11-15 Initial response from the Grid Security Vulnerability Group
2007-08-06 Public disclosure
2010-01-19 Advisory updated as software is obsolete
==========================================================================
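
The condition described under Vulnerability Details can be audited by an administrator on their own RB/WMS host. The following is an added example, not part of the original advisory and not code from the software it describes: it takes certificate subjects recorded from local listening services and reports those that are user proxy certificates. The ports, DNs, function names and the host-certificate naming pattern are constructed assumptions.

```python
import re

# Trailing CN values that mark a proxy certificate: legacy Globus proxies use
# "proxy" / "limited proxy"; RFC 3820 proxies commonly use a numeric CN.
# Treating a numeric CN as a proxy marker is a heuristic (assumption).
_PROXY_CN = re.compile(r"^(proxy|limited proxy|\d+)$")

def split_dn(dn):
    """Split a slash-form DN ("/DC=org/CN=x") into (attr, value) pairs."""
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn.strip())
    return [tuple(p.split("=", 1)) for p in parts if p]

def classify(dn):
    """Return (kind, identity_dn): kind is 'user-proxy', 'host' or 'other'."""
    rdns = split_dn(dn)
    depth = 0
    # Strip every proxy level to recover the end-entity (user) DN.
    while rdns and rdns[-1][0].upper() == "CN" and _PROXY_CN.match(rdns[-1][1]):
        rdns.pop()
        depth += 1
    identity = "".join(f"/{a}={v}" for a, v in rdns)
    if depth:
        return "user-proxy", identity
    last_cn = rdns[-1][1] if rdns and rdns[-1][0].upper() == "CN" else ""
    # Assumption: host certificates carry an FQDN, optionally "host/"-prefixed.
    if re.fullmatch(r"(host/)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", last_cn):
        return "host", identity
    return "other", identity

def audit(listeners):
    """listeners: iterable of (port, subject DN). Return ports exposing a user DN."""
    return {port: ident for port, dn in listeners
            for kind, ident in [classify(dn)] if kind == "user-proxy"}

# Constructed sample: subjects an administrator recorded from services on their own host.
SAMPLE = [
    (9618, "/DC=org/DC=example/OU=Hosts/CN=host/rb01.example.org"),
    (20007, "/DC=org/DC=example/OU=Users/CN=Jane Doe/CN=proxy/CN=proxy"),
    (20012, "/DC=org/DC=example/OU=Users/CN=John Roe/CN=1234567"),
]

if __name__ == "__main__":
    for port, ident in audit(SAMPLE).items():
        print(f"port {port}: service certificate exposes user DN {ident}")
```

Any port this reports is a service presenting a user's proxy certificate instead of a host credential, which is the exposure the advisory describes.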