Grid Security Vulnerability Group - Advisory
--
Topic: Password problem with the Cream CE
--
Date: 2009-10-06
--
ID: Grid Vulnerability Savannah bug #55551 (JRA1 issue 55615)
--
Background

The CREAM (Computing Resource Execution And Management) service is a
gLite service for job management at the Computing Element (CE) level.
--
Vulnerability Details

There is a vulnerability in the configuration of the CREAM CE that allows
a database password to be obtained by users that are authorized to
interact with the CREAM instance, e.g. for submitting jobs.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'High'
risk and recommends that all sites upgrade their CREAM CEs _urgently_ to
version 3.1.20 or higher.
--
Component and Installation information.

Information on affected software and components, and installation
instructions, is available with the release notes at:

http://glite.org/glite/packages/R3.1/updates.asp
--
Release

glite-CREAM 3.1.20, gLite 3.1 update 56
--
Precautionary measures or checks

N/A
--
Other information
--
Credit

This vulnerability was initially reported by Gergely Debreczeni
--
Disclosure Timeline

2009-09-11 Vulnerability reported by Gergely Debreczeni
2009-09-14 Initial response from the Grid Security Vulnerability Group
2009-10-06 Updated gLite packages available
2009-10-06 Public disclosure
--
References

N/A
==========================================================================