Grid Security Vulnerability Group - Advisory
--
Topic: There is a root exploit in the CREAM CE
--
Date: 2009-10-06
--
ID: Grid Vulnerability Savannah bug #55552 (JRA1 issue 55616)
--
Background

The CREAM (Computing Resource Execution And Management) service is a gLite service for job management at the Computing Element (CE) level.
--
Vulnerability Details

There is a vulnerability in the CREAM CE that allows root privileges to be obtained by remote users that are authorized to interact with the CREAM instance, e.g. for submitting jobs. The exploit is very unlikely to have been used.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'High' risk and recommends that all sites upgrade their CREAM CEs _urgently_ to version 3.1.20 or higher.
--
Component and Installation information.

Information on affected software, components and installation instructions are available with the release notes at:
http://glite.org/glite/packages/R3.1/updates.asp
--
Release

glite-CREAM 3.1.20, glite 3.1 update 56
--
Precautionary measures or checks

N/A
--
Other information
--
Credit

This vulnerability was initially reported by Gergely Debreczeni
--
Disclosure Timeline

2009-09-11 Vulnerability reported by Gergely Debreczeni
2009-09-14 Initial response from the Grid Security Vulnerability Group
2009-10-06 Updated gLite packages available
2009-10-06 Public disclosure
--
References

N/A
==========================================================================