Hi Steve,
Yes, we do have an agreed procedure for how vulnerabilities should be
dealt with and we all should stick to it. However in Kostas' defence he
was replying to mail from Laurence saying that this bug was basically
harmless and could result in nothing worse than bad information being
published from your site. Kostas showed that it could instead be used to
view information that should not be viewed from outside your site
(internal websites etc.), to port scan inside your firewall, and to bring
down your Tomcat server through downloading large files. And this was with
(almost literally) 5 minutes poking around to see what. So I think it is
harsh to condemn Kostas for pointing out the inaccuracy of Laurence's
statement.
Running RGMA in an insecure mode is a critical test for LCG membership,
despite the vulnerabilities group having sent an email to security
contacts saying that they recommend running it in secure mode. This
doesn't sound very sensible to me and to some extent shows how seriously
the vulnerabilities group are taken by deployment. I don't see how we can
try to force sites to run in a mode that is contrary to that recommended by
the vulnerabilities group.
We really do need to control security vulnerabilities in LCG and part of
that must be taking the vulnerabilities group seriously ... both by
middleware developers and the deployment teams.
As for this particular problem I think that:
1. the RGMA test should be made non-critical, so that sites that wish to
run with such a security hole are welcome to do so, but sites that don't
are not forced to. I may be wrong, but I believe that this would only
really damage the accounting at the moment, and that would catch up when a
patched version is available later... am I correct in this understanding?
2. if the RGMA developers were to produce a secure version which was free
from such issues, and the deployment group were pushing it for rapid
deployment, it would make a lot of people happier that security
vulnerabilities were being taken seriously by LCG. It is only when the
community feel that vulnerabilities are being taken seriously that people
like Kostas will (consistently) follow the procedure.
All the best,
david