=============================================================================
Grid Software Vulnerability Group Security Advisory
--
Topic: MySQL backdoor in R-GMA
--
Date: 2007-03-07, revised 2007-11-16, revised 2010-03-08
--
ID: Grid Vulnerability Savannah bug #8974
--
Background

R-GMA stands for the Relational Grid Monitoring Architecture; it provides the framework for the operation of the distributed monitoring database. MySQL is the popular SQL server that can be used with the EGEE software; in particular it is used as the backend to R-GMA.
--
Vulnerability Details

On some R-GMA installations the MySQL database is accessed with a fixed username/password pair; database access for that user is usually restricted to localhost only. If a user has access to the database, it would be possible to disrupt R-GMA.
--
Grid Security Vulnerability Group Response

The Grid Security Vulnerability Group views this issue as Low Risk.

The Grid Security Vulnerability Group recommends that sites which install R-GMA take account of the precautionary measures and checks below, and be aware that a new version of R-GMA is available in which this problem is fixed.
--
Component and Installation information

A new version of R-GMA is available from http://hepunx.rl.ac.uk/egee/jra1-uk/r-gma-6.0/installation.html

R-GMA is not currently distributed as part of gLite 3.2, and the earlier version distributed with gLite 3.1 is not being upgraded to the latest version supplied by the R-GMA developers.
--
Precautionary measures or checks

Ensure that R-GMA is not installed on any machine which users can log onto or can run jobs on, i.e. do not install it on the same machine as the UI or a worker node.
--
Other information

Most sites have known for a very long time not to put the Mon box on systems that can be accessed by users. This was fixed within R-GMA by the R-GMA team a long time ago; it is only the configuration scripts that need modification.

2007-11-16: The currently deployed version of R-GMA allows the site administrator to set a username and password. This is done in the configuration file which R-GMA uses to contact MySQL.
--
Credit

This vulnerability was reported by Linda Cornwall (RAL).
--
Disclosure Timeline

2005-06-09 Vulnerability reported to GSVG by Linda Cornwall (CCLRC) and handled by GSVG using the EGEE-I strategy.
2005-11-17 Site Admins and LCG Security Contacts notified.
2006-10-02 Re-assessed as 'Low' risk in current deployment using EGEE-II criteria.
2007-07-31 Public disclosure of advisory, as public disclosure has been agreed, the Target Date has passed, and still fully resolved.
2010-03-08 Advisory revised; a new version of R-GMA is available with this problem fixed.
==============================================================================
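One check a site administrator can run on a Mon box alongside the "Precautionary measures or checks" above is to confirm that every MySQL account, including the one R-GMA uses, is restricted to localhost as the advisory describes. The script below is an added example, not part of the advisory or of R-GMA; the account names in the sample data are constructed placeholders, and on a real host the input would come from the `mysql -N -B -e "SELECT user, host FROM mysql.user"` command shown in the comment.

```shell
#!/bin/sh
# Added example (not from the advisory): flag MySQL accounts that may connect
# from anywhere other than the local host. On a real Mon box, generate the
# input with:
#   mysql -N -B -e "SELECT user, host FROM mysql.user" > users.tsv
# Here a constructed sample file is used so the script runs offline.

# audit_mysql_hosts FILE
#   FILE holds one "user<TAB>host" row per line.
#   Prints a warning for each account whose host is not local-only.
#   Returns 0 if every account is local-only, 1 otherwise.
audit_mysql_hosts() {
    _bad=0
    while IFS="$(printf '\t')" read -r _user _host; do
        if [ -n "$_user" ]; then
            case "$_host" in
                localhost|127.0.0.1|::1)
                    ;;                         # local-only: as expected
                *)
                    printf 'WARN: %s@%s can connect remotely\n' "$_user" "$_host"
                    _bad=1
                    ;;
            esac
        fi
    done < "$1"
    return $_bad
}

# Constructed sample: placeholder account names, not the real R-GMA user.
# The third row uses the MySQL wildcard host '%' (any host).
SAMPLE=$(mktemp)
printf 'root\tlocalhost\nrgma_user\tlocalhost\nrgma_user\t%%\n' > "$SAMPLE"

if audit_mysql_hosts "$SAMPLE"; then
    echo "OK: all MySQL accounts are local-only"
else
    echo "ACTION: restrict the flagged accounts to localhost"
fi
rm -f "$SAMPLE"
```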