
perfsonar-user - RE: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances

Subject: perfSONAR User Q&A and Other Discussion

  • From: Darryl K Wohlt <>
  • To: Andrew Lake <>, "" <>
  • Cc: Andrey Bobyshev <>, John L Galvan <>
  • Subject: RE: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances
  • Date: Thu, 15 Apr 2021 17:03:38 +0000

Hi Andy,

 

Yes, the three machines were updated to 4.3.4 on March 19.  I think the scans were done on April 9 and April 13.  We’ll talk with our security group to get more detail about their analysis.

 

Thanks,

Darryl

 

From: Andrew Lake <>
Sent: Thursday, April 15, 2021 11:33 AM
To: ; Darryl K Wohlt <>
Subject: Re: [perfsonar-user] SSRF vulnerabilities on PerfSONAR instances

 

Hi Darryl,

 

Are your hosts in question updated to 4.3.4 that came out a few weeks ago? We fixed some SSRF related issues in the traceroute viewer as part of that release: https://www.perfsonar.net/releasenotes-2021-03-18-4-3-4.html

 

Thanks,

Andy

 

 

On April 15, 2021 at 12:27:32 PM, Darryl K Wohlt () wrote:

Hello,

 

Our cybersecurity team has detected a Server Side Request Forgery (SSRF) vulnerability on some of our PerfSONAR instances, and I wonder if anyone has experience with this and would like to share some mitigation tips.  Here is the text of the notification that I received:

<remainder snipped for brevity>



