perfSONAR User Q&A and Other Discussion

[Aaron Brown <>]

Hi Folks,

We’ve released an updated version of the Toolkit that removes the JOWPing 
component.

NetInstall Users: Perform a “yum update”, and then restart the machine 
afterwards. 

LiveCD Users: We won’t be releasing an updated LiveCD yet, and so recommend 
following the workaround listed below.

Cheers,
Aaron

On Jul 14, 2014, at 10:03 AM, Jason Zurawski 
<>
 wrote:

> Greetings;
> 
> JOWPING, a java client for the OWAMP measurement tool, has been found to be 
> vulnerable to a form of cross site scripting involving manipulation of HTTP 
> headers.  Our analysis has found that chance of exploit is remote (e.g. 
> cannot be done with simple URL manipulation or Javascript), but warrants 
> action by toolkit deployers.  We are suggesting that sites with concerns 
> remove JOWPING from their servers using the following command:
> 
>> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/ 
> 
> This will result in a broken link on the left sidebar, but removes the 
> software and the risk.  A future update to the 3.3.x series of the pS 
> Performance Toolkit will remove JOWPING completely, and this tool was 
> already earmarked to not be present on the upcoming 3.4 release due to lack 
> of a maintainer.  
> 
> The development team would like to thank John Parker from NOAA, who found 
> this vulnerability through routine use of the skipfish tool 
> (http://code.google.com/p/skipfish).  Feel free to relay any questions or 
> concerns you have to the developers.  
> 
> Thanks;
> 
> The perfSONAR Development Team