[gt-user] "Alternative chains certificate forgery" CVE-2015-1793 vulnerability
Stuart Martin
2015-07-09 20:31:28 UTC
Hi All,

The Globus dev team has reviewed all Globus services and Globus Toolkit components to determine the impact of the vulnerability described in CVE-2015-1793 <https://www.openssl.org/news/secadv_20150709.txt>. We have created a page where details about this issue will be communicated.

https://support.globus.org/entries/95308587

Our assessment is that the severity of this vulnerability is extremely low. Only OpenSSL versions released since June 2015 (specifically, versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o) are affected by this vulnerability.
Neither the Globus website, running services, nor software downloads use the vulnerable versions of OpenSSL.
Globus Toolkit clients and services may be vulnerable when used with an affected version of OpenSSL, though we are unaware of an attack vector. However, the currently supported platforms have not updated to the affected versions of OpenSSL. Additionally, the versions of openssl distributed with Globus Connect Personal are not affected.
Actions We Have Taken to Close Attack Vector
None. No actions were required.
Recommended Actions for Globus Users and Administrators
We recommend that any host with Globus services (e.g. Globus Connect Personal, Globus Connect Server, GridFTP, MyProxy, GSI-OpenSSH, GRAM) review its host configuration and apply the advised OpenSSL updates if necessary.
Note: This is unlikely, as most major Linux distributions have not released an OpenSSL update since before June 2015.

Let us know if you have any questions.

- Globus Dev Team
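The review step recommended above amounts to checking which OpenSSL build a host runs against the four affected releases the post names (1.0.2b, 1.0.2c, 1.0.1n, 1.0.1o). The following POSIX shell script is an added example written for this page; it is not part of the original post and not a Globus tool. It parses the banner printed by `openssl version`, classifies it against that list, and runs the check on the local host if an `openssl` binary is on PATH. The function names and the sample banner strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the gt-user post): classify an `openssl version`
# banner against the CVE-2015-1793 affected releases listed in the advisory.
# The affected list comes from the post; function names and sample banners
# below are constructed for this example.

AFFECTED_VERSIONS="1.0.2b 1.0.2c 1.0.1n 1.0.1o"

# Print the bare version token (e.g. "1.0.2c") from a banner such as
# "OpenSSL 1.0.2c 12 Jun 2015". Prints nothing if the banner is not OpenSSL's.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Return 0 (true) when the banner's version is on the affected list,
# 1 otherwise (including banners from other TLS libraries).
is_affected_openssl() {
    tok=$(openssl_version_token "$1")
    [ -n "$tok" ] || return 1
    for v in $AFFECTED_VERSIONS; do
        [ "$tok" = "$v" ] && return 0
    done
    return 1
}

# Human-readable verdict for one banner string.
classify_openssl() {
    if is_affected_openssl "$1"; then
        echo "AFFECTED"
    else
        echo "not-affected"
    fi
}

# Check the host's own OpenSSL if the binary is present on PATH.
check_host_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        echo "$banner => $(classify_openssl "$banner")"
    else
        echo "openssl not found on PATH"
    fi
}

# Demonstration: the local host, then two constructed sample banners
# (these strings are made up for the example, not captured host output).
check_host_openssl
echo "OpenSSL 1.0.2c 12 Jun 2015 => $(classify_openssl 'OpenSSL 1.0.2c 12 Jun 2015')"
echo "OpenSSL 1.0.1e-fips 11 Feb 2013 => $(classify_openssl 'OpenSSL 1.0.1e-fips 11 Feb 2013')"
```

The banner match is exact, so a vendor build that carries a backported fix under an older version string is reported as not affected, which is consistent with the post's note that most distributions had not shipped the affected releases at all. For distribution packages, confirm the package changelog rather than relying on the banner alone.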