OSCT Advisory Template
The exact content of an advisory will vary depending on the nature of the vulnerability, but the following can be used as a template for construction. (This may be modified depending on the format of the GSVG advisory received.)
(Mail Subject of the form: [Advisory type] Description)
(Introduction)
(Summary including reference to reporting entity and timeline to disclosure)
(GSVG reference and rating)
(Brief explanation of the risk)
(Status and timeline of availability of patches)
(Recommendation for action if any)
(Signature)
Dear Site Admins and Security Contacts,
The EGEE/LCG Grid Security Vulnerability Group (GSVG) and the Operational Security Coordination Team (OSCT)
were made aware on <date> of a security vulnerability in <description of software and versions affected>.
Details of this vulnerability were reported by <details of the reporter>.
The vulnerability has been assigned GSVG bug #<GSVG reference number> and rated
<select from: LOW|MEDIUM|HIGH|EXTREMELY CRITICAL>
Further details of the GSVG rating system are available here: <supply GSVG link>
Exploiting the vulnerability allows <brief details, NOT including the method of exploitation>.
A patch is expected to be available from <who> before <date and time>.
Sites running vulnerable versions of this software are recommended to <do something or not>.
Regards,
<who> on behalf of the Operational Security Coordination Team.
SUBJECT: [HEADS UP] Torque/OpenPBS local root privilege escalation vulnerability
Dear Site Admins and Security Contacts,
The Grid Security Vulnerability Group (GSVG) and the Operational Security Coordination Team (OSCT)
have been made aware this morning of a security flaw affecting Torque/OpenPBS, which was initially
published on BugTraq on Wed, 18 Oct 2006 23:45:
http://csirt.fe.up.pt/docs/TORQUE-audit.pdf
The vulnerability is being handled by GSVG (bug #20883). It has been confirmed and has been
rated EXTREMELY CRITICAL.
The vulnerability allows a local user of the batch system to obtain root privileges and a trivial exploit has
been published.
A patch has been built and is currently being tested and certified. At present we expect a patch to be
available today, and an update will be published at the latest by 18:00 UTC.
Sites are responsible for making their own assessment of risk based on local policy and conditions, but
the OSCT currently recommends temporarily closing batch queues to new jobs pending
availability of more information.
Regards,
John Smith on behalf of the Operational Security Coordination Team.
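The sample advisory above recommends temporarily closing batch queues to new jobs. The following is an added example of how a site could act on that recommendation on a Torque/OpenPBS server; it is not part of the OSCT template or of the original page. It reads the queue list from `qstat -Q` and emits one `qmgr` command per enabled queue, so the administrator can review the commands before running them. The queue names and the `qstat -Q` output embedded below are constructed for illustration, and the column layout is assumed from Torque 2.x; check it against your own server's output before piping the result into a shell.

```shell
#!/bin/sh
# Added example, not OSCT or Torque project code.
# Generates the qmgr commands that close every enabled Torque/OpenPBS queue to
# new submissions ("enabled = false" rejects new qsub requests; it does not
# stop jobs already queued from running, which "started = false" would do).

# Constructed sample of `qstat -Q` output. Column 4 ("Ena") is whether the
# queue accepts new jobs; the last column is the queue type (E execution, R route).
SAMPLE_QSTAT_Q='Queue              Max   Tot   Ena   Str   Que   Run   Hld   Wat   Trn   Ext T
----------------   ---   ---   ---   ---   ---   ---   ---   ---   ---   --- -
batch                0    12   yes   yes     4     8     0     0     0     0 E
long                 0     3   yes   yes     1     2     0     0     0     0 E
route                0     0   yes   yes     0     0     0     0     0     0 R
maint                0     0    no   yes     0     0     0     0     0     0 E'

# Read qstat -Q output on stdin; print a qmgr command for each queue that is
# currently enabled. Route queues are included too, so that jobs cannot be
# parked in a route queue waiting for an execution queue to reopen.
disable_commands() {
    awk 'NR > 2 && $4 == "yes" {
        printf "qmgr -c \"set queue %s enabled = false\"\n", $1
    }'
}

# Inverse of disable_commands, for reopening queues once the patched version
# is deployed: prints a command for each queue that is currently disabled.
enable_commands() {
    awk 'NR > 2 && $4 == "no" {
        printf "qmgr -c \"set queue %s enabled = true\"\n", $1
    }'
}

# Dry run on the constructed sample. On a real server, as the PBS admin:
#   qstat -Q | disable_commands          # review the commands first
#   qstat -Q | disable_commands | sh     # then apply them
printf '%s\n' "$SAMPLE_QSTAT_Q" | disable_commands
```

Note that `enable_commands` reopens every disabled queue it sees, including queues such as `maint` that were disabled for unrelated reasons before the advisory; record the output of `qstat -Q` before closing queues so that only the ones you closed are reopened.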
-- Main.ineilson - 25 Oct 2006