Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

GRIS Vulnerability

Summary

Certain GRIS information providers can allow arbitrary code execution as the user running the GRIS daemon.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2004-07-26

Description

It has come to our attention that some GRIS information providers execute code fetched from a remote server. If that remote server were compromised, an attacker could trick remote GRIS servers into executing arbitrary code.

Neither the VDT nor Globus comes with any of these information providers, but versions of the VDT below 1.2.0 configured the GRIS server to run as root. This, combined with such information providers, presents a large risk.

If you install a vanilla VDT (i.e., not through Grid3), you are not at risk unless you specifically installed additional information providers.

Solution

All users are encouraged to upgrade to VDT 1.2.0 or later so that the GRIS server does not run as root.

If you are running Grid3V2.1, the Grid3 team suggests that you disable the GRIS daemon. The VDT provides a tool to do this for you:

vail(root): vdt/setup/configure_globus.sh --gris=n
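After upgrading (so the GRIS server runs as a non-root user) or after disabling the daemon with the command above, an administrator will want to confirm the result on the host. The following script is an added example and is not part of the VDT or this advisory: it reads `ps -eo user,pid,comm` output and reports any instance of a given process name that runs as root. The process name `slapd` (the OpenLDAP daemon that Globus MDS used for the GRIS) and the `globus` account in the sample are assumptions; substitute the name and account used on your installation. The `ps` sample embedded below is constructed for demonstration, not a real capture.

```shell
#!/bin/sh
# Added example, not from the VDT advisory or the VDT itself.
# Audit whether a daemon runs as root, using `ps -eo user,pid,comm` output on stdin.
# Usage on a live host:  ps -eo user,pid,comm | ./gris_audit.sh slapd
# "slapd" is an assumed name for the GRIS daemon; the advisory does not name the binary.

# Print the PIDs of processes whose command matches $1 and whose user is root.
# Exit status: 1 if at least one such process exists, 0 otherwise (so it can gate a check).
gris_root_instances() {
    pattern="$1"
    awk -v pat="$pattern" '
        # Skip the header line; column 1 is USER, 2 is PID, 3 is COMMAND.
        NR > 1 && $1 == "root" && $3 ~ pat { print $2; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample ps output (not a real capture): one slapd as root, one as "globus".
SAMPLE_PS='USER PID COMMAND
root 1 init
root 812 slapd
globus 913 slapd
daemon 420 sshd'

# Run the audit against the constructed sample; returns the function's exit status.
demo() {
    printf '%s\n' "$SAMPLE_PS" | gris_root_instances slapd
}

if demo; then
    echo "no root-owned slapd process in sample"
else
    echo "root-owned slapd process(es) found in sample (PIDs printed above)"
fi
```

On a patched host the expected output is nothing and an exit status of 0; on a host where the daemon has been disabled, no `slapd` line appears at all. A non-root `slapd` still matters only if the risky information providers are installed, which the advisory notes the VDT and Globus do not ship.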

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.