perfSONAR Announcements

[Andrew Lake <>]

All,

We wanted to make everyone aware of a few important security updates to perfSONAR packages that were published this morning. A special thanks to Luke Young for taking the time to find, document and provide a few patches for the items detailed below.  The updates address the following issues:

1. It was possible to generate a carefully crafted SOAP message that goes to the OPPD service that would allow an unauthenticated user to read arbitrary files from the filesystem as the 'perfsonar' user. This was done by exploiting a feature of LibXML that processes external entities. The ability to do so has since been disabled.

2. The second issue allowed someone logged-in to the host via SSH as an unprivileged user to escalate to root privileges using a combination of the Toolkit’s ConfigManager and BWCTL’s posthook feature. ConfigManager did not actually need access to the BWCTL config file anymore, so access to this file (and thus the posthook feature) has been removed. 

If you are running auto-updates, you should be getting the updates automatically. You can run “yum update libperfsonar* perfsonar-toolkit* perfsonar-oppd*” to get the changes manually on RedHat and "apt-get update && apt-get upgrade libperfsonar* perfsonar-toolkit* perfsonar-oppd*” on Debian. Please let us know if you have any questions.

Thank you,

The perfSONAR Development Team