Grid Security Vulnerability Group - Advisory

Topic: R-GMA logging level can be set remotely - possible DoS
Date: 2008-04-02, updated 2010-03-08
ID: Grid Vulnerability Savannah bug #9266

Background
R-GMA stands for the Relational Grid Monitoring Architecture; it provides the framework for the operation of the distributed monitoring database.

Vulnerability Details
It is possible for an authenticated user to set the logging level remotely. This was useful during the early tuning of R-GMA deployments. However, if a high logging level is selected, the disk may fill up, causing a Denial of Service at that site. Since the original submission this has been mitigated somewhat by only allowing authenticated users to connect to R-GMA and by logging connections.

Grid Security Vulnerability Group Response
The Grid Security Vulnerability Group reminds sites of this issue and advises them that a new version of R-GMA is available in which the problem is fixed.

Component and Installation information
A new version of R-GMA is available from http://hepunx.rl.ac.uk/egee/jra1-uk/r-gma-6.0/installation.html
R-GMA is not currently distributed as part of gLite 3.2, and the earlier version distributed with gLite 3.1 is not being upgraded to the latest version supplied by the R-GMA developers.

Precautionary measures or checks
In the unlikely event that a disk on a Mon box is found to be filling up or full, check the logging level.

Other information
The next version of R-GMA, which is currently being tested, will not include this facility. Only site administrators will be able to set the logging level at a given site.
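The disk check above, as an added example that is not part of the advisory or of the R-GMA distribution: a POSIX sh helper a site administrator could run on a Mon box to see whether the partition holding the R-GMA log directory is filling up and which files are growing. The log directory path is an assumption (it is site-specific); pass the real one.

```shell
#!/bin/sh
# Added example, not from the advisory. LOG_DIR is an assumed placeholder:
# the actual R-GMA log location depends on the site's installation.
LOG_DIR="${LOG_DIR:-/var/log/rgma}"

# usage_pct DIR -> prints the used percentage of the filesystem holding DIR
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# check_disk DIR THRESHOLD -> exit 0 if used% is below THRESHOLD, 1 otherwise
check_disk() {
    pct=$(usage_pct "$1")
    [ -n "$pct" ] && [ "$pct" -lt "$2" ]
}

# largest_logs DIR N -> the N biggest files under DIR, size in KB first,
# so an over-verbose log stands out immediately
largest_logs() {
    find "$1" -type f -exec du -k {} + 2>/dev/null | sort -rn | head -n "$2"
}

# growth_kb DIR SECONDS -> KB written under DIR during SECONDS (two du samples);
# a sudden jump after a remote logging-level change is the symptom described above
growth_kb() {
    before=$(du -sk "$1" | awk '{print $1}')
    sleep "$2"
    after=$(du -sk "$1" | awk '{print $1}')
    echo $((after - before))
}

# Typical use on the Mon box: warn at 90% and show what is growing.
# check_disk "$LOG_DIR" 90 || { echo "log partition near full"; largest_logs "$LOG_DIR" 5; }
```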
Credit
This vulnerability was initially reported by David O'Callaghan.

Disclosure Timeline
2005-06-29 Vulnerability reported by David O'Callaghan
2005-11-21 Issue handled by the pre EGEE-II process, including informing site security contacts
2006-04-04 Mitigated by only allowing authenticated access to R-GMA and logging connections
2008-01-14 Testing version of R-GMA which excludes this facility
2010-03-09 Public disclosure, as a new version of R-GMA is available with this problem fixed

References
If applicable
==========================================================================