Grid Security Vulnerability Group - Advisory

Topic: gLite-ce-blahp command injection vulnerability
Date: 2009-10-13
ID: Grid Vulnerability Savannah bug #55825 (JRA1 Savannah bug #56271)

-- Background
BLAHP is the Batch Local Ascii Helper Protocol, implemented by the /opt/glite/bin/blahpd daemon and used by the CREAM Computing Element (CE) to manage jobs on different Local Resource Management Systems. The daemon is provided by the glite-ce-blahp rpm.

-- Vulnerability Details
A command injection vulnerability has been found in the blahpd daemon. A user who is authorized to access the CREAM CE (e.g. to submit jobs) can cause the blahpd daemon to execute any command that is accessible to the local account to which the user is mapped. The command is executed under that local account.

-- Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group considers this issue to be 'Moderate' risk and recommends that all sites using the CREAM CE upgrade the relevant components.

-- Affected software and components
glite-ce-blahp 1.12.4-0.slc4 and earlier

-- Component and Installation information for gLite 3.1
Installation instructions for gLite 3.1 are available at:
http://glite.org/glite/packages/R3.1/updates.asp

-- gLite 3.1 release number
gLite 3.1 update 60

-- Precautionary measures or checks
N/A

-- Other information

-- Credit
This vulnerability was initially reported by Dennis van Dok.

-- Disclosure Timeline
2009-09-18  Vulnerability reported by Dennis van Dok
2009-09-29  Initial assessment by the Grid Security Vulnerability Group
2010-01-11  Updated gLite packages available
2010-01-11  Public disclosure

-- References
None.

==========================================================================
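The advisory describes the vulnerability class (user-supplied job attributes reaching a local command under the mapped account) without giving the affected code path. The following added illustration is not blahpd's code and makes no claim about how blahpd builds its batch commands; the `qsub` invocation, the attribute names and the allowlist are hypothetical. It contrasts the pattern that makes this class of bug possible (interpolating attributes into a shell string) with two defensive forms a reviewer would ask for: an argument vector passed without a shell, plus a conservative allowlist, and `shlex.quote` for the case where a shell string is unavoidable.

```python
"""Added example: building a batch-system command from user-controlled job
attributes. Hypothetical helper, not blahpd's implementation."""
import re
import shlex
import subprocess

# Allowlist for attributes such as a queue name or an executable path.
# Shell metacharacters (';', '|', '&', '$', backticks, quotes) and
# whitespace are deliberately absent, so an injected command cannot pass.
_SAFE_ATTR = re.compile(r"^[A-Za-z0-9_./@:=+-]+$")


def validate_attr(value: str, max_len: int = 256) -> str:
    """Return value unchanged if it matches the allowlist, else raise."""
    if not value or len(value) > max_len or not _SAFE_ATTR.match(value):
        raise ValueError(f"rejected job attribute: {value!r}")
    return value


def build_submit_shell(executable: str, queue: str) -> str:
    """VULNERABLE pattern: attributes interpolated into a shell command line.

    If this string is handed to /bin/sh, a queue value such as
    'batch; id' terminates the qsub command and runs 'id' as the
    local account the submitting user is mapped to.
    """
    return f"qsub -q {queue} {executable}"


def build_submit_argv(executable: str, queue: str) -> list:
    """Hardened pattern: validated attributes as separate argv entries.

    Each value is one argument to qsub; no shell ever parses it.
    """
    return ["qsub", "-q", validate_attr(queue), validate_attr(executable)]


def build_submit_quoted(executable: str, queue: str) -> str:
    """Fallback when a shell string cannot be avoided: quote every attribute.

    shlex.quote wraps anything containing metacharacters in single quotes,
    so the shell sees 'batch; id' as one literal argument.
    """
    return f"qsub -q {shlex.quote(queue)} {shlex.quote(executable)}"


def submit(executable: str, queue: str) -> subprocess.CompletedProcess:
    """Run the hardened form. shell=False (the default) means argv is
    passed straight to execve; nothing is re-parsed by a shell."""
    return subprocess.run(build_submit_argv(executable, queue),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed attacker-style attribute value for demonstration.
    hostile_queue = "batch; id"
    print("vulnerable :", build_submit_shell("job.sh", hostile_queue))
    print("quoted     :", build_submit_quoted("job.sh", hostile_queue))
    try:
        build_submit_argv("job.sh", hostile_queue)
    except ValueError as exc:
        print("argv form  :", exc)
```

The argv form is preferable to quoting because it removes the shell from the path entirely; quoting only protects the places a developer remembers to quote, and every later refactor that concatenates a new attribute reintroduces the bug.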