Stuart Martin
2015-06-09 15:30:26 UTC
Hi All,
The Globus dev team has reviewed all Globus services and Globus Toolkit components to determine the impact of the "logjam" vulnerability described in CVE-2015-4000 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000>. We have created a page where details about this issue will be communicated.
https://support.globus.org/entries/90923228 <https://support.globus.org/entries/90923228>
Our assessment is that there is a vulnerability for the Globus Toolkit GridFTP and MyProxy components. At present, these components do not prevent the use of export ciphers for secure communication. The exploit would require a multi-step compromise on a network connection that would allow a man-in-the-middle attack. This would be difficult to achieve but, since a compromise is possible, we encourage all GridFTP and MyProxy services to be updated as soon as possible.
For GSI-OpenSSH, we believe the impact is mitigated by the fact that the GSI parts are protected inside the SSH protocol. Details from the OpenSSH developers can be read here <http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/033896.html>.
GRAM is not impacted because it does not use ciphers for secure communication.
Actions We Have Taken to Close Attack Vector
An enhancement (GT-596 <https://globus.atlassian.net/browse/GT-596>) has been implemented and made available for update for GT 6 and GT 5.2.5.
The enhancement allows for an admin to set a specific cipher set to be used for all Globus Toolkit components.
The default ciphers configured for Globus Toolkit components will be the OpenSSL defined "HIGH" ciphers.
Documentation for the new configuration file is included in the GSIC admin guide <http://toolkit.globus.org/toolkit/docs/6.0/gsic/admin/#gsic-configuring-global-security-parameters>
Recommended Actions for Globus Users and Administrators
GridFTP Administrators
Upgrading to the latest GT 6 <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> or GT 5.2.5 <http://toolkit.globus.org/toolkit/advisories.html?version=5.2.5> packages should be done ASAP.
MyProxy Administrators
Upgrading to the latest GT 6 <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> or GT 5.2.5 <http://toolkit.globus.org/toolkit/advisories.html?version=5.2.5> packages should be done ASAP.
GSI-OpenSSH Administrators
No action is needed at this time.
However, we encourage upgrading to the latest GT 6 <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> packages as a precaution.
GRAM Administrators
No action is needed at this time.
However, we encourage upgrading to the latest GT 6 <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> packages as a precaution.
Globus Connect Server Administrators
Upgrading to the latest version should be done ASAP using your operating system's package manager, e.g. yum update, apt-get update/upgrade, etc.
Globus Connect Personal users
Upgrading to the latest version should be done ASAP.
Update steps <https://support.globus.org/entries/94287798-Updating-to-the-latest-version-of-Globus-Connect-Personal>
Let us know if you have any questions.
- Globus Dev Team
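An added check for this thread, not code from the Globus post or from the Globus Toolkit: before putting a cipher string into the GSIC global security configuration described above, an admin can resolve it against the local OpenSSL and see which suites it actually enables and which of those logjam-era advice says must never be offered (export-grade, anonymous, NULL, single DES, RC4, MD5-MAC, or anything under 128 bits). It uses only the Python `ssl` module, so the result reflects the OpenSSL build linked into that Python, not necessarily the one on the GridFTP or MyProxy host. `RECOMMENDED_SPEC` is an illustrative hardened string and an assumption of this example; the toolkit default named in the post is plain `HIGH`.

```python
"""Resolve an OpenSSL cipher string and flag suites that should not be offered.

Added example for this thread, not Globus Toolkit code.  Backed by the OpenSSL
that this Python is linked against.
"""
import ssl

# Name fragments that mark suites an admin should refuse to offer:
# export-grade, anonymous DH / ECDH, NULL encryption, single DES, RC4, MD5 MAC.
WEAK_MARKERS = ("EXP", "ADH", "AECDH", "NULL", "DES-CBC-SHA", "RC4", "MD5")

# Assumed hardened string for illustration; the post says the toolkit default is "HIGH".
RECOMMENDED_SPEC = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"


def resolve_cipher_string(spec):
    """Return the cipher dicts OpenSSL enables for `spec`, in priority order.

    Raises ValueError when the spec selects nothing.  On modern OpenSSL
    'EXPORT' fails this way because the export suites are compiled out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        raise ValueError(f"no cipher can be selected from {spec!r}: {exc}") from exc
    return ctx.get_ciphers()


def is_weak(cipher):
    """True for a suite that a post-logjam configuration must not offer."""
    name = cipher["name"]
    description = cipher.get("description", "")
    if cipher["strength_bits"] < 128:          # export, NULL, single DES, 3DES
        return True
    if "Au=None" in description:               # anonymous key exchange: MITM trivially
        return True
    return any(marker in name for marker in WEAK_MARKERS)


def audit(spec):
    """Return (enabled_names, weak_names) for a cipher string."""
    ciphers = resolve_cipher_string(spec)
    names = [c["name"] for c in ciphers]
    weak = [c["name"] for c in ciphers if is_weak(c)]
    return names, weak


if __name__ == "__main__":
    for spec in ("HIGH", RECOMMENDED_SPEC, "EXPORT"):
        try:
            names, weak = audit(spec)
        except ValueError as err:
            print(f"{spec}: {err}")
            continue
        print(f"{spec}: {len(names)} suites enabled, {len(weak)} weak")
        for name in weak:
            print(f"  refuse: {name}")
```

Note that plain `HIGH` selects by symmetric key length only; on most OpenSSL builds it still admits anonymous (`ADH-*`, `AECDH-*`) suites, which is why the illustrative string above also excludes `aNULL`. Run it on the same OpenSSL version that the GridFTP or MyProxy service links against, or the resolved list will differ from what the server offers.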