Correction. Below is the correct forum link for this issue.

> On Jun 9, 2015, at 10:30 AM, Stuart Martin <[email protected]> wrote:
>
> Hi All,
>
> The Globus dev team has reviewed all Globus services and Globus Toolkit
> components to determine the impact of the "logjam" vulnerability described in
> CVE-2015-4000
> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000>. We have
> created a page where details about this issue will be communicated.
>
https://support.globus.org/entries/94083138
>
> Our assessment is that there is a vulnerability for the Globus Toolkit
> GridFTP and MyProxy components. At present, these components do not prevent
> the use of export ciphers for secure communication. The exploit would
> require a multi-step compromise on a network connection that would allow a
> man-in-the-middle attack. This would be difficult to achieve but, since a
> compromise is possible, we encourage all GridFTP and MyProxy services to be
> updated as soon as possible.
>
> For GSI-OpenSSH, we believe the impact is mitigated by the fact that the GSI
> parts are protected inside the SSH protocol. Details from the OpenSSH
> developers can be read here
> <http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/033896.html>.
>
> GRAM is not impacted because it does not use ciphers for secure communication.
>
> Actions We Have Taken to Close Attack Vector
> An enhancement (GT-596 <https://globus.atlassian.net/browse/GT-596>) has been
> implemented and made available for update for GT 6 and GT 5.2.5.
> The enhancement allows for an admin to set a specific cipher set to be used
> for all Globus Toolkit components.
> The default ciphers configured for Globus Toolkit components will be the
> OpenSSL defined “HIGH” ciphers.
> Documentation for the new configuration file is included in the GSIC admin
> guide
> <http://toolkit.globus.org/toolkit/docs/6.0/gsic/admin/#gsic-configuring-global-security-parameters>
>
> Recommended Actions for Globus Users and Administrators
> GridFTP Administrators
> Upgrading to the latest GT 6
> <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> or GT 5.2.5
> <http://toolkit.globus.org/toolkit/advisories.html?version=5.2.5> packages
> should be done ASAP.
> MyProxy Administrators
> Upgrading to the latest GT 6
> <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> or GT 5.2.5
> <http://toolkit.globus.org/toolkit/advisories.html?version=5.2.5> packages
> should be done ASAP.
> GSI-OpenSSH Administrators
> No action is needed at this time.
> However, we encourage upgrading to the latest GT 6
> <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> packages as a
> precaution.
> GRAM Administrators
> No action is needed at this time.
> However, we encourage upgrading to the latest GT 6
> <http://toolkit.globus.org/toolkit/advisories.html?version=6.0> packages as a
> precaution.
> Globus Connect Server Administrators
> Upgrading to the latest version ASAP using your operating system’s package
> manager, e.g. yum update, apt-get update/upgrade, etc.
> Globus Connect Personal users
> Upgrading to the latest version should be done ASAP.
> Update steps
> <https://support.globus.org/entries/94287798-Updating-to-the-latest-version-of-Globus-Connect-Personal>
>
>
> Let us know if you have any questions.
>
> - Globus Dev Team
