Grid Security Vulnerability Group - Advisory
--
Topic: R-GMA SQL injection vulnerabilities
--
Date: 2008-01-24, revised 2008-07-14, revised 2010-03-08
--
ID: Grid Vulnerability Savannah bug #32907
--
Background

R-GMA stands for the Relational Grid Monitoring Architecture, and it provides the framework for the operations of the distributed monitoring database.
--
Vulnerability Details

SQL injection vulnerabilities have been found in the R-GMA server as part of a code review by the PSNC security team at Poznan.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Moderate' risk, and recommends that all sites using R-GMA consider using the more recent version which has become available.
--
Component and Installation information

A new version of R-GMA is available from http://hepunx.rl.ac.uk/egee/jra1-uk/r-gma-6.0/installation.html

R-GMA is not currently distributed as part of gLite 3.2, and the earlier version distributed with gLite 3.1 is not being upgraded to the latest version supplied by the R-GMA developers.
--
Precautionary measures or checks

Sites and users should be aware that this vulnerability exists for the current version of R-GMA, and decide whether they wish to upgrade.
--
Other information

All SQL statements being passed into the server are now parsed to ensure that they are of the correct type (i.e. a SELECT is just one select statement, following the restricted SQL92 supported by R-GMA). A specific check is made that there is no leading or trailing input. In addition, in all cases where a table, index or view name is passed into the server, it is checked for a complete match with a regular expression to confirm that the string is a valid R-GMA identifier. Support for identifiers enclosed in double quotes (which can normally be used to make a table or column name the same as a SQL keyword) has been removed from the R-GMA parser.
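The checks described under "Other information", sketched in Python as an added example; this is not R-GMA's code. The identifier pattern, the small SELECT grammar and the function names are assumptions chosen for illustration, since the advisory does not publish R-GMA's own rules.

```python
import re

# Assumed identifier rule; the advisory does not give R-GMA's actual pattern.
IDENTIFIER = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,127}")
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND"}
COMPARE = {"=", "<>", "<", ">", "<=", ">="}
# Lexer for a small SELECT subset (hypothetical grammar, not R-GMA's parser).
# ';', '"', '-' and '/' are not tokens: they lex as "bad", so stacked
# statements, double-quoted identifiers and SQL comments can never parse.
TOKEN = re.compile(r"""\s+ | (?P<str>'(?:[^']|'')*') | (?P<num>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z][A-Za-z0-9_]*) | (?P<op><=|>=|<>|[=<>*,]) | (?P<bad>.)""", re.VERBOSE)

def is_valid_identifier(name):
    # fullmatch: the whole string must be an identifier, not just a prefix.
    return IDENTIFIER.fullmatch(name) is not None

def is_single_select(sql):
    """True only for: SELECT cols FROM table [WHERE col op literal AND ...]."""
    # Whitespace matches without a group name and is dropped here.
    toks = [(m.lastgroup, m.group()) for m in TOKEN.finditer(sql)
            if m.lastgroup]
    toks.append(("end", ""))
    i = 0
    def take(kind, text=None):
        nonlocal i
        k, v = toks[i]
        if k == kind and (text is None or v.upper() == text):
            i += 1
            return True
        return False
    def ident():
        return toks[i][1].upper() not in KEYWORDS and take("word")
    def idents():
        ok = ident()
        while ok and take("op", ","):
            ok = ident()
        return ok
    def cond():
        return (ident() and toks[i][1] in COMPARE and take("op")
                and (take("str") or take("num")))
    ok = (take("word", "SELECT") and (take("op", "*") or idents())
          and take("word", "FROM") and ident())
    if ok and take("word", "WHERE"):
        ok = cond()
        while ok and take("word", "AND"):
            ok = cond()
    return ok and take("end")  # nothing may trail the statement
```

Because the statement is accepted only when the parser consumes every token up to the end marker, anything outside the grammar is rejected by construction rather than by a list of forbidden strings.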
--
Credit

This vulnerability was described in a report from the Security Team at PSNC in Poland.
--
Disclosure Timeline (yyyy-mm-dd)

2007-11-24  Report on R-GMA testing by the PSNC security team at Poznan forwarded to the R-GMA team
2008-01-22  Issue entered into GSVG database; it should be assessed by GSVG and an advisory should be issued
2008-01-24  Initial response from the Grid Security Vulnerability Group
2008-07-14  Advisory updated to reflect current situation
2010-03-09  Public disclosure, as a new version of R-GMA is available with this problem fixed