GRIS Vulnerability
Summary
Certain GRIS information providers can allow arbitrary code execution as the user running the GRIS daemon.
Relevant Versions
This advisory affects the following VDT versions:
Date Announced
2004-07-26
Description
It has come to our attention that some GRIS information providers execute code fetched from a remote server. If that remote server were compromised, the attacker could make every GRIS server that uses such a provider execute arbitrary code of the attacker's choosing.
Neither the VDT nor Globus ships any of these information providers, but VDT versions below 1.2.0 configured the GRIS server to run as root. Combined with one of these information providers, this means that a compromise of the remote server yields root on the GRIS host, which is a large risk.
If you installed a vanilla VDT (i.e., not through Grid3), you are not at risk unless you specifically installed additional information providers.
Solution
All users are encouraged to upgrade to VDT 1.2.0 or later, so that the GRIS server no longer runs as root.
If you are running Grid3V2.1, the Grid3 team suggests that you disable the GRIS daemon. The VDT provides a tool to do this for you (run it as root):
vail(root): vdt/setup/configure_globus.sh --gris=n
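Whichever remedy you choose, it is worth confirming afterwards that no GRIS daemon is still running as root. The following check is an added example written for this page; it is not part of the VDT or of the advisory. It assumes the GRIS daemon appears in the process list as "slapd" (the OpenLDAP server that Globus MDS of this era used), so substitute the daemon name from your own installation if it differs. The process list embedded below is constructed sample data standing in for a VDT host older than 1.2.0.

```shell
#!/bin/sh
# Added example (not VDT code): report instances of a daemon that run as root.
# Input is the output of `ps -eo user=,pid=,comm=`, i.e. "user pid command" per line
# with no header. The daemon name "slapd" is an assumption about how the GRIS
# shows up in the process table; check your own installation.

# Constructed sample ps output: one slapd as root, one as an unprivileged user.
SAMPLE_PS='root 812 sshd
root 1523 slapd
globus 1530 globus-gatekeeper
daemon 1601 slapd'

# find_root_daemon PS_OUTPUT DAEMON_NAME
# Prints every line of PS_OUTPUT where the named daemon runs as root.
# Returns 1 if any such process was found, 0 otherwise.
find_root_daemon() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "root" && $3 == name { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Stand-alone demonstration on the constructed sample.
find_root_daemon "$SAMPLE_PS" slapd \
    || echo "GRIS daemon still runs as root: upgrade to VDT 1.2.0 or disable it"
```

On a live host, replace the sample with real data: `find_root_daemon "$(ps -eo user=,pid=,comm=)" slapd`. Note that `comm` may be truncated by ps, so match on the name as it actually appears in the process table.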
Questions
Please contact vdt-support@opensciencegrid.org if you have any questions.