TWiki>
LCG Web>WLCGCommonComputingReadinessChallenges>WLCGOperationsWeb>WLCGOpsCoordination>NetworkTransferMetrics>JowPingperfSONAR (2014-07-18, ShawnMcKee)
EditAttachPDF
LCG Web>WLCGCommonComputingReadinessChallenges>WLCGOperationsWeb>WLCGOpsCoordination>NetworkTransferMetrics>JowPingperfSONAR (2014-07-18, ShawnMcKee) EditAttachPDFCross-scripting Vulnerability in JOWPING (perf of perfSONAR-PS Toolkit) Details.
OWPING, a java client for the OWAMP measurement tool, has been found to be vulnerable to a form of cross site scripting involving manipulation of HTTP headers. The perfSONAR-PS Toolkit developer's analysis has found that chance of exploit is remote (e.g. cannot be done with simple URL manipulation or Javascript), but warrants action by the toolkit deployers. The recommendation is that sites with concerns remove JOWPING from their servers using the following command:> sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
This will result in a broken link on the left sidebar, but removes the software and the risk. A recent update to the 3.3.x series of the pS Performance Toolkit removed JOWPING completely, and this tool was already earmarked to not be present on the upcoming 3.4 release due to lack of a maintainer.
The development team would like to thank John Parker from NOAA, who found this vulnerability through routine use of the skipfish tool (http://code.google.com/p/skipfish
). Feel free to relay any questions or concerns you have to the developers.
). Feel free to relay any questions or concerns you have to the developers.Thanks;
The perfSONAR Development Team
The versions below (or more recent) have removed JOWPING and are not vulnerable:
-- ShawnMcKee - 18 Jul 2014
perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.3.2-17.pSPS.noarch perl-perfSONAR_PS-Toolkit-3.3.2-17.pSPS.noarch perl-perfSONAR_PS-Toolkit-LiveCD-3.3.2-17.pSPS.noarch
Problem Remediation
The RPMS listed in the previous section address the issue. For our recommended netinstall (installation onto local disk) sites should 'yum update'. This is as simple as:yum -y update rebootFor sites running from CD or USB, this is not yet a new image out with the fix (as of 18-July-2014). Instead you can remove jowping via:
sudo rm -rf /opt/perfsonar_ps/toolkit/web/root/gui/jowping/
References
See perfSONAR mailing lists for announcement of the issue and remediation: http://comments.gmane.org/gmane.comp.networking.perfsonar.user/748
-- ShawnMcKee - 18 Jul 2014 Edit | Attach | Topic revision: r1 - 2014-07-18 - ShawnMcKee
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback