Grid Security Vulnerability Group - Advisory

Topic: A vulnerability allows an authorized user to crash the LFC/DPM server
Date: 2009-10-19, updated 2010-03-25
ID: Grid Vulnerability Savannah bug #50397

Background

LFC is the LCG (LHC Computing Grid) File Catalogue, used by many Virtual Organisations to catalogue the files they store on the grid. The Disk Pool Manager (DPM) has been developed as a lightweight solution for grid-enabled disk storage management. These Data Management services share a common library that is specific to LFC and DPM, which is why one issue affects both.

Vulnerability Details

An authorized user (one holding valid grid credentials accepted by the service) can send commands to an LFC or DPM instance that consistently crash the server. This is a denial of service against the catalogue or storage service; the advisory does not report any disclosure of data or elevation of privilege.

Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Low' risk and recommends that sites upgrade the relevant components when they become available in the production release.

Affected software and components

LFC and DPM (version 1.7.2 and earlier) in gLite 3.1 and gLite 3.2

Component and Installation information for gLite 3.1

Installation instructions for gLite 3.1 are available at:
http://glite.org/glite/packages/R3.1/updates.asp
http://glite.web.cern.ch/glite/packages/R3.1/x86_64/updates.asp

gLite 3.1 release number: Update 62

Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at:
http://glite.org/glite/packages/R3.2/updates.asp
http://glite.web.cern.ch/glite/packages/R3.2/x86_64/updates.asp

gLite 3.2 release number: Update 09

Precautionary measures or checks

N/A

Other information

Patches have been produced and certified, and have been released in the gLite updates listed above (see the 2010-03-25 entry in the timeline).

Credit

This vulnerability was initially reported by Piter T. de Boer.

Disclosure Timeline (yyyy-mm-dd)

2009-05-14 Vulnerability reported by Piter T. de Boer
2009-05-20 Initial assessment by the Grid Security Vulnerability Group
2009-12-04 Public disclosure, target date reached
2010-03-25 Advisory updated: patches released which fully resolve this issue

References

None.
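The advisory lists no precautionary checks, so the one thing a site administrator can usefully do is confirm whether the installed LFC/DPM packages fall in the affected range "1.7.2 and earlier". The script below is an added example written for this page, not part of the advisory or of the gLite distribution. The rpm package names DPM-server-mysql and lfc-server-mysql are assumptions about gLite's packaging; substitute whatever `rpm -qa | grep -i -e dpm -e lfc` shows on your node. Only the numeric VERSION field is compared, so rpm release suffixes (1.7.2-3, 1.7.2.sl5) are ignored.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether installed LFC/DPM
# packages are at or below 1.7.2, the last affected release named above.

# is_affected VERSION -> exit status 0 if VERSION <= 1.7.2, 1 otherwise.
# Dotted numeric versions are compared component by component; missing
# components are treated as 0, so "1.7" compares as 1.7.0.
is_affected() {
    ver=$1
    last_affected="1.7.2"   # from the advisory: "version 1.7.2 and earlier"
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $(printf '%s\n' "$last_affected" | tr '.' ' ')
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    if [ "$a1" -lt "$b1" ]; then return 0; fi
    if [ "$a1" -gt "$b1" ]; then return 1; fi
    if [ "$a2" -lt "$b2" ]; then return 0; fi
    if [ "$a2" -gt "$b2" ]; then return 1; fi
    [ "$a3" -le "$b3" ]
}

# check_packages PKG... -> one status line per package, via rpm's VERSION
# field. Packages that are not installed are reported as such; if rpm is
# absent (non-RPM host) the function returns without error.
check_packages() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; call is_affected VERSION directly" >&2
        return 0
    fi
    for pkg in "$@"; do
        # rpm prints "package X is not installed" on stdout; the sed filter
        # keeps only a leading numeric dotted version, so that case becomes "".
        v=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null | head -n 1 \
            | sed 's/[^0-9.].*//')
        if [ -z "$v" ]; then
            echo "$pkg: not installed"
            continue
        fi
        if is_affected "$v"; then
            echo "$pkg $v: AFFECTED (<= 1.7.2), apply the gLite update"
        else
            echo "$pkg $v: not affected"
        fi
    done
}

# Package names below are assumptions about gLite rpm naming, not from the advisory.
check_packages DPM-server-mysql lfc-server-mysql
```

Run it on the head node of each DPM or LFC instance; a line marked AFFECTED means the node still needs the update named in the advisory (Update 62 for gLite 3.1, Update 09 for gLite 3.2). The comparison deliberately uses nothing beyond POSIX sh so it runs on the older SL4/SL5 hosts these services were typically deployed on.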