Grid Security Vulnerability Group - Advisory

Topic: Argus may allow a banned user under heavy load
Date: 2010-02-10
ID: Grid Vulnerability Savannah bug #56768

Background

Argus is the authorization system developed to provide consistent authorization decisions for distributed services in the Grid environment. (See reference below.)

Vulnerability Details

Under exceptional circumstances, when the load on Argus is high, a banned user may be able to obtain access.

Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group considers this issue to be 'Low' risk, and recommends that all sites upgrade the relevant components.

Affected software and components

gLite-ARGUS 3.2.0

Component and Installation information for gLite 3.2

Installation instructions for gLite 3.2 are available at:
http://glite.org/glite/packages/R3.2/updates.asp

gLite 3.2 release number

glite 3.2 update 08

Precautionary measures or checks

N/A.

Other information

This was fixed as part of the process of fixing a more general bug, so the release notes were not linked to this more specific low-risk vulnerability.

Credit

This vulnerability was initially reported by Gianni Pucciani.

Disclosure Timeline

Yyyy-mm-dd
2009-10-08 Vulnerability reported by Gianni Pucciani
2009-10-10 Initial assessment by the Grid Security Vulnerability Group
2010-02-08 Updated gLite packages available which fix this problem
2010-02-10 Advisory drafted
2010-02-16 Advisory disclosed

References

https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework

==========================================================================