Grid Security Vulnerability Group - Advisory

Topic: Version of OpenSSL distributed by the Globus Alliance
Date: 2007-10-16, updated 2010-08-17
ID: Grid Vulnerability Savannah bug #30202

-- Background

The customized versions of OpenSSL distributed by the Globus Alliance contain code to support Globus-like proxy certificates of various types.

-- Vulnerability Details

Some versions of OpenSSL distributed by the Globus Alliance contain certain vulnerabilities (see references below) that have been publicly disclosed and patched by many vendors.

-- Affected software and components

gLite 3.1 contains a version of OpenSSL provided by Globus (through vdt-globus-essentials) that is sufficiently old to have these issues.

gLite 3.2 uses the OpenSSL libraries delivered as part of the standard system utilities, i.e. a customized version is no longer used.

-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Low' risk and recommends that all sites upgrade the relevant components as improved versions are made available through supported releases.

-- Further information

This matter was not disclosed earlier because, at the time this issue was reported, GSVG did not disclose advisories concerning 3rd party software. When that policy was revised during EGEE-III, this low-priority issue was overlooked.

-- Disclosure Timeline

Date (yyyy-mm-dd)   Event
2007-10-08          GSVG alerted to these OpenSSL vulnerabilities by Romain Wartel
2007-10-16          Initial response from the Grid Security Vulnerability Group
2010-08-17          Public disclosure

-- References

A description of these vulnerabilities can be found at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

==========================================================================