=============================================================================
                          Grid Software Vulnerability Group Security Advisory

-- Topic:	dCache: vulnerability in the SRM doors
-- Date:	2009-07-28, updated 2010-03-08, updated 2010-07-21
-- ID:		Grid Vulnerability Savannah bug #53668


-- Background

dCache is one of the Mass Storage systems commonly used in EGEE production 
environments.


dCache project provides a system for storing and retrieving huge amounts
of data, distributed among a large number of heterogenous server nodes,
under a single virtual filesystem tree with a variety of standard access
methods [1].

Storage Resource Managers (SRMs), named after their web services
protocol, provide the technology needed to manage the rapidly growing
distributed data volumes, as a result of faster and larger computational
facilities [2].


-- Vulnerability Details

Certain authenticated and authorized SRM requests can lead to the
corruption of the SRM metadata.  The corrupted metadata can be easily
restored, no corruption of the filesystem data or metadata can be
triggered by this flaw.

The corruption itself can lead to the Denial of Service for the SRM
service and SpaceManager/PinManager functionalities of the attacked
cluster.


-- Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers assessed this issue
to be 'Low' risk and recommends that all sites upgrade the relevant
components when patches are available. 


-- Component and Installation information

Affected components are SRM doors of dCache clusters.

Administrators who are running dCache installations with software
obtained directly from dCache.org should refer to the dCache 1.9
releases page [3] to understand what release they should install
to fix this vulnerability.  Here are the versions where this flaw
was fixed for all currently existing releases from the 1.9 branch:

 - dCache 1.9.1: fixed in 1.9.1-10;
 - dCache 1.9.2: fixed in 1.9.2-9;
 - dCache 1.9.3: fixed in 1.9.3-3;
 - dCache 1.9.4: fixed in 1.9.4-2.


Site administrators who are running dCache provided by the EGEE
distribution should note that there is curently no patched version 
available from gLite. However, gLite compatible updates can be downloaded 
from www.dcache.org, assuming the release notes are read and understood.


Updated 2010-07-21

An updated version with this problem fixed is now part of gLite 3.2 patch 15 and is available from:

http://glite.web.cern.ch/glite/packages/R3.2/sl5_x86_64/updates.asp 

-- Other information. 

Integration of the patched version of dCache into gLite is in work.

-- Credit

This vulnerability was reported by Patrick Fuhrmann from dCache team.


-- Disclosure Timeline

2009-07-27      Vulnerability reported to GSVG by Patrick Fuhrmann.
2009-07-28	The issue was assessed by the GSVG as the 'Low Risk'.
2009-07-28	GSVG produced the first version of the advisory.
2009-07-29	GSVG produced the second version of the advisory.
2010-03-08      Public disclosure as past the target date.
2010-07-21      Version available in gLite with this problem resolved (gLite 3.2, patch 15)
2010-07-21      Revised advisory produced.



-- References
[1] http://www.dcache.org/
[2] https://sdm.lbl.gov/srm-wg/doc/SRM.v2.2.html
[3] http://www.dcache.org/downloads/1.9/
==============================================================================