perfsonar-user - Re: [perfsonar-user] Software vulnerabilities
Subject: perfSONAR User Q&A and Other Discussion
List archive
- From: Andrew Lake <>
- To: Darryl K Wohlt <>, "" <>, Darryl K Wohlt <>
- Subject: Re: [perfsonar-user] Software vulnerabilities
- Date: Tue, 28 Feb 2023 10:27:10 -0500
On February 28, 2023 at 10:06:14 AM, Darryl K Wohlt () wrote:
--Hello,
Our PerfSONAR instances have been ticketed by our cybersecurity group for a number of vulnerabilities, and I'll need a little help to remediate.
To summarize these using psonar5.deemz.net (4.4.6-1.el7, 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022 x86_64):
A. Cross Site Scripting (3 instances)
Proof URLs:
Vulnerability Details:
Invicti Enterprise detected Cross-site Scripting, which allows an attacker to execute a dynamic script (_javascript_, _vbscript_) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/_javascript_/_vbscript_ by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
* Hijacking user's active session.
* Mounting phishing attacks.
* Intercepting data and performing man-in-the-middle attacks.
Remedy
The issue occurs because the browser interprets the input as active HTML, _javascript_ or _vbscript_. To avoid this, output should be encoded according to the output location and context. For example, if the output goes in to a _javascript_ block within the HTML document, then output needs to be encoded accordingly.
B. Out-of-date Version (jQuery UI Autocomplete)
On https://psonar5.deemz.net/toolkit/js/jquery-ui/
Vulnerability Details
Invicti Enterprise identified the target web site is using jQuery UI Autocomplete and detected that it is out of date.
Identified Version 1.11.4
Overall latest version 1.13.0
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of jQuery UI Autocomplete to the latest stable version.
C, Out-of-date Version (jQuery)
On https://psonar5.deemz.net/esmond/perfsonar/
Vulnerability Details
Invicti Enterprise identified the target web site is using jQuery and detected that it is out of date.
Identified Version 3.3.1
Overall latest version 3.6.0
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of JQuery to the latest stable version.
D. Out-of-date Version (Bootstrap)
Vulnerability Details
Invicti Enterprise identified the target web site is using Bootstrap and detected that it is out of date.
Identified Version 3.4.0
Latest Version 3.4.1 (in this branch)
Overall latest version 5.1.3
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Bootstrap to the latest stable version.
Thanks for any guidance,
Darryl
Darryl K. Wohlt
Senior Network Analyst
CCD/NCS/Network Services
Fermi National Accelerator Laboratory
P.O. Box 500, MS 368
Batavia, Illinois 60510
USA
630 840 2901 office
630 945 5687 mobile
To unsubscribe from this list: https://lists.internet2.edu/sympa/signoff/perfsonar-user
- [perfsonar-user] Software vulnerabilities, Darryl K Wohlt, 02/28/2023
- Re: [perfsonar-user] Software vulnerabilities, Andrew Lake, 02/28/2023
Archive powered by MHonArc 2.6.24.