Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site.
Certain GRIS information providers can allow arbitrary code execution as the user running the GRIS daemon.
This advisory affects the following VDT versions:
It has come to our attention that some GRIS information providers execute code fetched from a remote server. If that remote server were compromised, an attacker could trick every GRIS server that fetches from it into executing arbitrary code.
Neither the VDT nor Globus ships any of these information providers, but VDT versions below 1.2.0 configured the GRIS server to run as root. Combined with such an information provider, this presents a large risk: the fetched code would run as root.
If you installed a vanilla VDT (i.e., not through Grid3), you are not at risk unless you specifically installed additional information providers.
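To find out whether a host is exposed, an administrator wants two answers: which information providers the GRIS will actually execute, and which user the daemon runs as. The audit helper below is an added example and is not part of the VDT or Globus. It assumes the Globus 2.x MDS grid-info-resource-ldif.conf layout (blank-line separated records of "key: value" lines, with "type: exec" marking a provider the GRIS runs), assumes the GRIS daemon is the slapd started by the Globus MDS scripts, and uses a constructed sample config whose second record is a hypothetical provider that downloads a script over HTTP; the example.org host and /opt paths are made up.

```shell
#!/bin/sh
# Added audit helper, not part of the VDT or Globus.  Assumptions:
#  - provider records follow the Globus 2.x MDS grid-info-resource-ldif.conf
#    layout: blank-line separated "key: value" lines, "type: exec" marking a
#    provider that the GRIS executes;
#  - the GRIS daemon is the OpenLDAP slapd started by the Globus MDS scripts.

# Print "path/base<TAB>args" for every record whose type is exec.
# Reads the files given as arguments, or stdin if none.
list_exec_providers() {
    awk '
        function flush() {
            if (isexec && base != "")
                printf "%s/%s\t%s\n", path, base, args
            isexec = 0; path = ""; base = ""; args = ""
        }
        /^type:/   { isexec = ($2 == "exec") }
        /^path:/   { path = $2 }
        /^base:/   { base = $2 }
        /^args:/   { sub(/^args:[ \t]*/, ""); args = $0 }
        /^[ \t]*$/ { flush() }
        END        { flush() }
    ' "$@"
}

# Heuristic filter: keep only providers whose arguments name a remote URL.
# Exit status is 0 when something was flagged.  A provider can fetch code in
# other ways, so still read each exec'd script by hand.
flag_remote_providers() {
    grep -E 'https?://|ftp://'
}

# Exit 0 if a slapd (the GRIS, assumed process name) is running as root.
gris_runs_as_root() {
    ps -eo user=,comm= \
        | awk '$1 == "root" && $2 == "slapd" { found = 1 } END { exit !found }'
}

# Constructed sample config for demonstration only.  The second record is a
# hypothetical provider that downloads and runs a script from a remote host;
# the third is a non-exec record included for contrast.
sample_config() {
    cat <<'EOF'
dn: Mds-Vo-name=local, o=grid
objectclass: GlobusTop
objectclass: GlobusActiveObject
objectclass: GlobusActiveSearch
type: exec
path: /opt/globus/libexec
base: grid-info-cpu-ldif
args: -devclassobj -devobjs -validto-secs 900
cachetime: 900

dn: Mds-Vo-name=local, o=grid
objectclass: GlobusTop
objectclass: GlobusActiveObject
objectclass: GlobusActiveSearch
type: exec
path: /opt/vdt/extra-providers
base: fetch-and-run-provider
args: http://provider.example.org/latest-provider.sh
cachetime: 300

dn: Mds-Vo-name=local, o=grid
objectclass: GlobusTop
type: file
path: /opt/globus/etc
base: static-info.ldif
EOF
}

# Run the audit against the constructed config.  On a real host, pass
# $GLOBUS_LOCATION/etc/grid-info-resource-ldif.conf (assumed location) to
# list_exec_providers instead of piping in sample_config.
audit_sample() {
    sample_config | list_exec_providers | flag_remote_providers
}
```

On a real host, combine the two checks: if list_exec_providers on the resource config shows any provider you did not get from the VDT or Globus, and gris_runs_as_root succeeds, the host has exactly the exposure this advisory describes. The URL filter only catches the obvious case; a provider that fetches code from a remote server inside its own script will pass it, so every exec'd provider that is not the stock Globus one deserves a look.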
All users are encouraged to upgrade to VDT 1.2.0 or later so that the GRIS server no longer runs as root.
If you are running Grid3V2.1, the Grid3 team suggests that you disable the GRIS daemon. The VDT provides a tool to do this for you; run it as root from your VDT installation:
vail(root): vdt/setup/configure_globus.sh --gris=n
Please contact firstname.lastname@example.org if you have any questions.