Globus contains a potential denial of service attack that can be caused by sending invalid data to a GRAM 2 (pre-web services) job manager.
This is a denial of service attack that only affects the GRAM 2 (pre-web services) job manager. That is, it is a server-side attack, and clients are not vulnerable. It only affects you if you are running GRAM 2; no other Globus services are affected.
You can read Globus's description of the problem. For your convenience, we replicate the announcement here:
Globus Security Advisory 2007-03: Nexus vulnerability

Original issue date: May 17, 2007
Last revised: None
Software affected: Globus Toolkit releases 4.1.1 and earlier
Specific packages: globus_nexus-6.6 and earlier

Overview:

A vulnerability in the globus-job-manager was discovered. As far as we know, root privileges can not be obtained, but the system (typically the head node of a cluster) running the globus-job-manager can be caused to crash resulting in a denial of service (DoS). If many globus-job-managers are attacked at once on the same system, all available physical and swap memory can be consumed, causing the kernel OOM to start killing off everything including init, and eventually causing a kernel panic which halts the system.

I. Description

When a GRAM2 job is submitted, the job manager will open and listen on 3 ephemeral ports during the life of the job. Two of these ports are used by MPICH-G2 applications. It has been demonstrated that these ports are vulnerable to an attack which can cause excessive memory consumption and denial of service of the host system.

II. Impact

A remote attacker may cause a denial of service.

III. Solution

Nexus has been modified to use GSI with self authorization on Nexus TCP sockets by default. This will secure access to the ports opened by the job manager to only the user that submitted the job. Details about this bug can be read here: http://bugzilla.globus.org/globus/show_bug.cgi?id=5297

While testing this solution, a deadlock bug was found and fixed in GSSAPI when built with threads. Additional details about this bug can be read here: http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279

In addition, we've provided a job manager configuration option to optionally disable the Nexus ports. Administrators can add -duct disable to the job manager configuration file to disable the vulnerable TCP ports.

Options:

There are 3 new GT packages available for download at http://www.globus.org/toolkit/advisories.html

- globus_nexus-6.7.tar.gz
  This package contains the modification to Nexus to use GSI with self authorization on TCP sockets by default.
  http://bugzilla.globus.org/globus/show_bug.cgi?id=5297

- globus_gssapi-4.11.tar.gz
  This package fixes a deadlock in GSI activation when built with threads.
  http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5279

- globus_gram_job_manager-6.11.tar.gz [Optional]
  This package contains updates to disable the communication channel used for MPICH-G2 jobs (a.k.a. Nexus ports). If you don't take this package but you do take the other portion of the security update, these communication channels will be secure: this package is not strictly needed. If you are unsure whether or not your users use MPICH-G2, you can safely ignore this package. If you are sure they do not, you can use this update to disable these ports for an extra ounce of preventative care.

These packages will need to be recompiled (order doesn't matter since there are no interface differences). MPICH installations do not need to be recompiled; however, any statically linked MPICH-G applications will need to be recompiled before they can be submitted to GRAM2 services. GRAM2 clients (e.g. globusrun) do not need to be recompiled.

SHA1 checksums:
2ce524fa91e46c6b1a0b171d07156cda3983b5ec globus_nexus-6.7.tar.gz
ab2c53ba3972ed130549755bd87e79feb8080091 globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc globus_gram_job_manager-6.11.tar.gz

MD5 checksums:
b4cc4aaf3f3d90099836b903714d3924 globus_nexus-6.7.tar.gz
b694de73bb3dba699e16fba096e560e6 globus_gssapi_gsi-4.11.tar.gz
bc11f0ddb973b047d63829139b28df45 globus_gram_job_manager-6.11.tar.gz
Please notice the comment on MPICH-G applications: they will need to be recompiled to work with the updated Globus software.
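If you fetch the updated tarballs directly from globus.org rather than letting pacman install them, check each download against the SHA1 and MD5 values published in the advisory before unpacking anything. The script below is an added example, not part of this VDT page or of the Globus distribution: the digests are the ones quoted in the advisory above, while the download directory, the stand-alone usage and the reliance on sha1sum/md5sum (with shasum and md5 as fallbacks) are assumptions.

```shell
#!/bin/sh
# Added example (not VDT or Globus code): verify downloaded Globus update
# tarballs against the checksums published in Globus Security Advisory
# 2007-03 before unpacking them. Assumes GNU coreutils sha1sum/md5sum, or
# Perl shasum and BSD md5 where coreutils is absent.

# Published checksums, copied verbatim from the advisory text.
GLOBUS_2007_03_SHA1='2ce524fa91e46c6b1a0b171d07156cda3983b5ec globus_nexus-6.7.tar.gz
ab2c53ba3972ed130549755bd87e79feb8080091 globus_gssapi_gsi-4.11.tar.gz
f914a848bf47e9306866ab99e4ac99d82d2deddc globus_gram_job_manager-6.11.tar.gz'

GLOBUS_2007_03_MD5='b4cc4aaf3f3d90099836b903714d3924 globus_nexus-6.7.tar.gz
b694de73bb3dba699e16fba096e560e6 globus_gssapi_gsi-4.11.tar.gz
bc11f0ddb973b047d63829139b28df45 globus_gram_job_manager-6.11.tar.gz'

# digest_of ALGO FILE: print the lowercase hex digest of FILE; ALGO is sha1 or md5.
digest_of() {
    d_algo=$1; d_file=$2
    case "$d_algo" in
        sha1) d_tool=sha1sum; d_alt='shasum -a 1' ;;
        md5)  d_tool=md5sum;  d_alt='md5 -r' ;;
        *) echo "digest_of: unknown algorithm '$d_algo'" >&2; return 2 ;;
    esac
    if command -v "$d_tool" >/dev/null 2>&1; then
        "$d_tool" "$d_file"
    else
        $d_alt "$d_file"
    fi | awk '{print tolower($1)}'
}

# verify_checksums ALGO DIR LIST: LIST holds "hex-digest filename" lines in the
# format the advisory uses. Every listed file must exist in DIR and match;
# returns 0 only if all do, otherwise 1, reporting each file on stdout.
verify_checksums() {
    v_algo=$1; v_dir=$2; v_list=$3
    v_failures=0
    while read -r expected name; do
        [ -n "$name" ] || continue          # skip blank lines in the list
        path="$v_dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            v_failures=$((v_failures + 1))
            continue
        fi
        actual=$(digest_of "$v_algo" "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            v_failures=$((v_failures + 1))
        fi
    done <<EOF
$v_list
EOF
    [ "$v_failures" -eq 0 ]
}

# Stand-alone usage (assumed invocation): sh verify-globus-update.sh DOWNLOAD_DIR
# Both digest families must agree before the tarballs are trusted.
if [ "$#" -eq 1 ]; then
    verify_checksums sha1 "$1" "$GLOBUS_2007_03_SHA1" &&
    verify_checksums md5  "$1" "$GLOBUS_2007_03_MD5"  &&
    echo "all tarballs verified"
fi
```

A file that is missing or whose digest differs makes the function return non-zero, so the check can gate an automated unpack-and-build step; the advisory's own checksum list names the GSSAPI tarball globus_gssapi_gsi-4.11.tar.gz, so that is the filename the list expects on disk.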
The VDT chose to take only the two required updates (globus_nexus-6.7 and globus_gssapi-4.11), and not the optional update (globus_gram_job_manager-6.11). You can get the updates for VDT 1.6.1 by running the following commands. (Type only the commands after the > prompt; the other lines are explanatory comments.)
Precursor steps:
> cd $VDT_LOCATION
> . setup.sh (or source setup.csh)

Turn off running services:
> vdt-control --off globus-gatekeeper
> vdt-control --off gsiftp

Install the update:
> pacman -update Globus-Base-Essentials
> pacman -update Globus-Base-RM-Essentials

Turn services back on:
> vdt-control --on globus-gatekeeper
> vdt-control --on gsiftp

If you have installed the Globus-Base-SDK package, which allows you to compile programs that link against Globus, you can update it as well. This is not needed to secure your Globus GRAM installation; it is only needed for developers building applications:

> cd $VDT_LOCATION
> . setup.sh (or source setup.csh)
> pacman -update Globus-Base-SDK