Thursday, January 22, 2015

Oracle releases security updates for Java this week

Oracle has released new versions of Java to address multiple security issues. There do not appear to be any remote unauthenticated vulnerabilities in server installs; however, there are serious vulnerabilities in client-side installs.

As a precaution, everyone is recommended to install the latest Java patches. Scientific Linux and Red Hat have both released updated Java packages. New packages for Mac and Windows systems are also available.

A listing of vulnerabilities addressed is available here.

Wednesday, December 17, 2014

News for OSG users with CILogon CA certificates

The OSG Security Team wants to inform you that Protect Network, one of the
Identity Providers accepted by the CILogon CA, will no longer be
available after 12/31/2014. Most OSG users get their certificates
directly via the OSG CA; however, CILogon has been available as an option
for a number of years.

If you have been getting personal certificates via cilogon.org, and have
been using Protect Network to authenticate, you will no longer be able
to get new certificates after 12/31/2014.

We recommend that you use your home institution's Identity Provider if it is
available in the pulldown list on the cilogon.org website, get a new
certificate via the OSG CA, or else renew your current certificate before the
end of the year and then seek other arrangements.

If you need help getting a certificate to replace a cilogon.org/Protect
Network certificate, please contact the security team by opening a GOC
ticket.

Some useful links:

* http://cilogon.org/osg

Kevin Hill
on behalf of the OSG Security Team

Wednesday, June 25, 2014

Warning about IPMI

The Intelligent Platform Management Interface (IPMI) is a remote management system included in many server systems. Several recently discovered vulnerabilities in IPMI implementations are remotely exploitable. It is highly recommended that any system with IPMI be configured not to allow access from the general internet, either by placing the IPMI interface on a private network or by blocking access with a firewall. US-CERT recently published an alert on this as well:
http://www.us-cert.gov/ncas/alerts/TA13-207A
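The recommendation above comes down to two checks a site can run itself: is every BMC address actually on a private management network, and does anything answer on 623/udp when probed from outside that network? The script below is an added example written for this post, not code from the OSG Security Team or from US-CERT. The inventory, the allowed management CIDR and the sample pong datagram are constructed values; the probe uses the standard RMCP/ASF Presence Ping and should only be pointed at BMCs you are responsible for, from a vantage point outside the management network, to confirm that the firewall or private network is doing its job.

```python
"""Audit BMC/IPMI exposure: address policy plus an external 623/udp check.

Added illustration; not part of the original post. All hosts, networks and
packets below are constructed sample values.
"""
import ipaddress
import socket
import struct
import sys

# Constructed sample inventory: (hostname, BMC address) pairs.
SAMPLE_INVENTORY = [
    ("node01-bmc", "10.20.0.11"),
    ("node02-bmc", "10.20.0.12"),
    ("node03-bmc", "192.0.2.45"),   # documentation range standing in for a public address
    ("node04-bmc", "172.16.5.9"),   # private, but not in the allowed management nets
]

# Constructed policy: the only networks a BMC is allowed to live on.
ALLOWED_MGMT_NETS = ["10.20.0.0/24"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_bmc_inventory(inventory, allowed_nets):
    """Return (host, address, reason) for every BMC that violates the policy.

    A BMC is flagged when its address is outside the RFC 1918 private ranges
    (so it is routable from the general internet unless a firewall intervenes)
    or when it is private but outside the site's reserved management networks.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for host, addr in inventory:
        ip = ipaddress.ip_address(addr)
        if not any(ip in n for n in RFC1918):
            findings.append((host, addr, "not in an RFC 1918 private range"))
        elif not any(ip in n for n in nets):
            findings.append((host, addr, "outside allowed management networks"))
    return findings


RMCP_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number used by ASF/RMCP
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40


def build_asf_ping(tag=0x00):
    """Build a 12-byte RMCP/ASF Presence Ping datagram."""
    # RMCP header: version 6, reserved, sequence 0xFF (no ACK requested), class 6 = ASF
    rmcp = bytes([0x06, 0x00, 0xFF, 0x06])
    # ASF header: IANA number, message type, tag, reserved, data length
    asf = struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag, 0x00, 0x00)
    return rmcp + asf


def parse_asf_pong(data):
    """Parse a Presence Pong; return {'ipmi_supported', 'asf_version'} or None."""
    if len(data) < 12 or data[3] != 0x06:
        return None
    iana, msg_type, _tag, _res, length = struct.unpack(">IBBBB", data[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or len(data) < 12 + length:
        return None
    if length < 16:
        return {"ipmi_supported": False, "asf_version": 0}
    # Pong payload: IANA(4) OEM(4) supported entities(1) interactions(1) reserved(6)
    entities = data[12 + 8]
    return {"ipmi_supported": bool(entities & 0x80), "asf_version": entities & 0x0F}


# Constructed pong as a BMC that supports IPMI (entities byte 0x81) would answer.
SAMPLE_PONG = (bytes([0x06, 0x00, 0xFF, 0x06])
               + struct.pack(">IBBBB", ASF_IANA, ASF_PRESENCE_PONG, 0x00, 0x00, 0x10)
               + struct.pack(">II", ASF_IANA, 0) + bytes([0x81, 0x00]) + bytes(6))


def probe_ipmi(host, timeout=2.0):
    """Send one Presence Ping to host:623/udp and return the parsed pong.

    Run from outside the management network against your own BMCs: any answer
    means the isolation is not in place. None means nothing replied in time.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_asf_ping(), (host, RMCP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_asf_pong(data)


if __name__ == "__main__":
    for host, addr, reason in audit_bmc_inventory(SAMPLE_INVENTORY, ALLOWED_MGMT_NETS):
        print(f"{host} ({addr}): {reason}")
    if len(sys.argv) > 1:           # optional: python script.py <your-bmc-address>
        print(sys.argv[1], "->", probe_ipmi(sys.argv[1]) or "no answer (good)")
```

The address audit runs offline on the constructed inventory; the probe only runs when a host is given on the command line. A BMC that passes the first check but still answers the probe from outside usually means a second NIC or a NAT rule is exposing it despite the private address.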

Tuesday, June 11, 2013

Introduction to the CILogon Basic CA

CILogon Basic CA is a service that allows students at universities with existing single sign-on systems to use their campus credentials to get a certificate issued by the CILogon Basic CA instantly. The certificate is only issued if the campus single sign-on system verifies the user's credentials.

If you manage an OSG VO and your university is already on the list of sites on the CILogon Basic CA web page, http://cilogon.org/osg, then you can have your VO members get CILogon Basic CA certificates now. Note that in addition to getting a certificate, the user will also have to register it with your VO's VOMS service. This provides an additional security check on all certificate registrations.

If you run an OSG site, the OSG Security Team is looking for sites willing to accept CILogon Basic CA certificates from users for access to your resources. In most cases this involves just installing the cilogon-ca-certs rpm.

The downside to the CILogon Basic CA for some people is that there is one provider, protect.net, which will let anyone with a valid email address request an account.

This is not a problem for grid services, since in addition to a valid certificate, a grid user needs a DN mapping entry in their VO's VOMS server or in gridmap files before they can access any grid resources. If, however, other services such as web pages are restricted only to "any valid client certificate", then those permissions should be revisited once CILogon Basic CA certificates are accepted, as the certificate holders will more than likely include more than just research-related individuals.
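The distinction drawn in the last two paragraphs, a trusted issuer versus a trusted issuer plus a DN mapping, is easy to see in code. The following is an added example written for this post, not code from OSG, CILogon or the VOMS project; it models only the grid-mapfile path (VOMS attribute checks are left out) and every issuer name, subject DN and mapfile line is a constructed sample value, including the CILogon Basic CA issuer string, which is assumed rather than taken from the page.

```python
"""Why a valid CILogon Basic CA certificate alone does not grant grid access.

Added illustration, not part of the original post. Issuer names, subject DNs
and the grid-mapfile below are constructed sample values.
"""
import re

# Constructed: issuer DNs a site trusts after installing the CA RPMs.
# The CILogon Basic CA issuer name here is an assumption, not taken from the post.
CILOGON_BASIC = "/DC=org/DC=cilogon/C=US/O=CILogon/CN=CILogon Basic CA 1"
ACCEPTED_ISSUERS = {
    CILOGON_BASIC,
    "/DC=org/DC=example-grid/OU=Certificate Authorities/CN=Example Grid CA",
}

# Constructed subjects: a mapped researcher and a walk-in account holder whose
# only credential is a valid email address at the permissive provider.
ALICE = "/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A12345"
WALK_IN = "/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Anyone With Email C00001"

# Constructed grid-mapfile: quoted subject DN, then comma-separated local accounts.
SAMPLE_GRIDMAP = '''\
# grid-mapfile (constructed sample)
"/DC=org/DC=cilogon/C=US/O=Example University/CN=Alice Researcher A12345" osgvo
"/DC=org/DC=example-grid/OU=People/CN=Bob Operator 987654" bob,osgvo
'''

GRIDMAP_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return {subject DN: [local accounts]} parsed from grid-mapfile text."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


def cert_is_valid(issuer, accepted_issuers=ACCEPTED_ISSUERS):
    """The check an 'any valid client certificate' web ACL performs: the
    issuer is trusted, and nothing is asked about who the subject is."""
    return issuer in accepted_issuers


def grid_authorize(subject, issuer, gridmap, accepted_issuers=ACCEPTED_ISSUERS):
    """The grid check: trusted issuer AND a DN mapping. Returns the local
    account the subject maps to, or None when access must be denied."""
    if not cert_is_valid(issuer, accepted_issuers):
        return None
    accounts = gridmap.get(subject)
    return accounts[0] if accounts else None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    for who, subject in (("alice", ALICE), ("walk-in", WALK_IN)):
        print(f"{who:8s} web ACL (issuer only): {cert_is_valid(CILOGON_BASIC)}"
              f"   grid (issuer + mapping): {grid_authorize(subject, CILOGON_BASIC, gridmap)}")
```

Both subjects hold certificates from a trusted issuer, so the issuer-only check lets both in; only the mapped DN gets a local account from the grid check. That is the review the post asks for: any service whose access control stops at `cert_is_valid` needs a subject-level allow list once the CILogon Basic CA is trusted.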

Friday, March 8, 2013

Java security updates released this week

Oracle has released new versions of Java 6 and Java 7 in response to new vulnerabilities that allow malicious web sites to gain full access to systems when web browsers with Java enabled visit them.

This only affects client-side use of Java, such as Web Start apps or the Java plugin in web browsers. It should not be exploitable by server-side uses of Java.

As a precaution, however, everyone is recommended to install the latest Java patches. Scientific Linux and Red Hat have both released updated Java 6 and 7 packages. New packages for Mac and Windows systems are also available.

Tuesday, January 15, 2013

New Java Exploit in the Wild

Last week a vulnerability was discovered in Java 7 that allows compromised web sites to take control of computers that visit the site with a web browser that has the Java plugin enabled. It has been reported to be actively exploited in the wild.

The vulnerability seems to be specific to Java 7, and to the web browser plugin in particular, so grid services do not seem to be vulnerable.

Oracle has released a new version of Java as of Sunday that should fix this vulnerability. Until the update is installed, it is recommended that people disable the Java browser plugin if it is not needed.

Here's an article that has a good list of FAQs about this vulnerability:
https://krebsonsecurity.com/2013/01/what-you-need-to-know-about-the-java-exploit/

Tuesday, July 31, 2012

Ganglia Vulnerability

There is a Ganglia vulnerability that potentially allows remote users to execute unauthorized scripts. This has been fixed in the EPEL Ganglia packages for EL6, and it does not seem to affect the EPEL Ganglia packages for EL5.