(E-mail title - as Title.)

(Make Title short - so good for an e-mail title) 

(Repeat title without ID in text of mail)

(Only send during working hours for most of Europe. Exception: some CRITICAL advisories.)

(Date and Updated not in e-mail - only for web)

(Make lines no more than 78 chars UNLESS url, title, or other good reason.)

(4 Options)

(‘HEADS UP’ – Sites may be asked to do something urgently soon.
       Usually only for vulnerabilities which may be ‘Critical’.)

(‘ADVISORY’ – Sites are normally instructed to do something.
    The commonest type of mail, e.g. update when a vulnerability is fixed in software.)

(‘ALERT’ – Sites should be aware.
    This may be important to you; you may want to take action. Often asks for feedback,
    e.g. "If any site is aware that any of these or other vulnerabilities presents a
    serious problem to EGI, please inform the EGI SVG.")

(‘INFORMATION’ – To inform sites of something,
    e.g. that a widely discussed vulnerability is not relevant.)

(Make lines 78 characters or less, unless there is a good reason for longer lines such as URLs.)

<add or delete sections as needed>
<add any information required, template is to help, not rigid>
 

Title:    'HEADS UP'/'ADVISORY'/'ALERT'/'INFORMATION' [TLP:<Choose TLP colour>] <RISK> risk <short title of issue/e-mail > [EGI-SVG-<year>-<NN>]

Date:        <date  yyyy-mm-dd> <1st released>
Updated:     <date  yyyy-mm-dd>

<include title without id in the body of txt of e-mail>

<CRITICAL/HIGH/MODERATE/LOW> risk vulnerability/vulnerabilities concerning <software/package>  <full sentence normally - can be longer than title. Include basic versions, e.g. which versions of RedHat.> 


## IDs AND CVSS SCORE      

EGI SVG ID : EGI-SVG-<year>-<nn>
    
CVE ID     : <Include CVE's if present>

CVSS Score : <If available - and include source and reference>
    
## AFFECTED SOFTWARE AND VERSIONS
    
 (include this optional section if detailed version information is available and helpful.) 

## ACTIONS REQUIRED/RECOMMENDED

(as appropriate e.g. for Critical)

(Sites running xxx are required to urgently apply vendor kernel updates.)
 
(Sites running yyy are required to urgently install new version)

(Sites running distributions where a patched version is not available yet are strongly recommended to carry out mitigation, unless this disables functionality that is required.)

(Sites are required to immediately apply the mitigation described below to all user-accessible systems.)

(For critical) All running resources MUST be either patched or have mitigation
in place or software removed by yyyy-mm-dd  00:00 UTC 

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

(7 calendar days, plus whatever it takes to get to 00:00; but if the date falls on a Friday or a
common public holiday, make it the first working day after people are expected back.)
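A worked example of the Critical deadline rule above, added here for illustration and not part of the template itself: it takes the "1st released" time, adds 7 calendar days, rounds up to the next 00:00 UTC, and then shifts past a Friday or holiday. The holiday list is constructed, and treating Saturday and Sunday like Friday is this example's own assumption.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed example holiday list: a placeholder for whatever "common public
# holidays" SVG takes into account when the advisory is written.
EXAMPLE_HOLIDAYS = frozenset({date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)})


def patch_deadline(released: datetime, holidays=frozenset(), grace_days: int = 7) -> datetime:
    """Return the 'MUST be patched by' instant (00:00 UTC) for a Critical advisory.

    Template rule: 7 calendar days, plus whatever it takes to reach 00:00 UTC;
    if that date is a Friday or a common public holiday, move it to the first
    working day after people are expected back. Treating Saturday and Sunday
    the same way as Friday is this example's assumption, not template text.
    """
    if released.tzinfo is None:
        raise ValueError("release time must be timezone-aware")
    t = released.astimezone(timezone.utc) + timedelta(days=grace_days)
    day = t.date()
    if t.time() != datetime.min.time():           # not already at 00:00 UTC
        day += timedelta(days=1)                  # round up to the next midnight
    while day.weekday() >= 4 or day in holidays:  # Fri=4, Sat=5, Sun=6, or holiday
        day += timedelta(days=1)
    return datetime.combine(day, datetime.min.time(), tzinfo=timezone.utc)


def deadline_sentence(released_iso: str, holidays=frozenset()) -> str:
    """Render the advisory's deadline sentence from an ISO-8601 release time."""
    released = datetime.fromisoformat(released_iso)
    d = patch_deadline(released, holidays)
    return ("All running resources MUST be either patched or have mitigation\n"
            f"in place or software removed by {d:%Y-%m-%d}  00:00 UTC")


if __name__ == "__main__":
    # Constructed "1st released" times showing the three cases.
    for iso in ("2024-03-05T14:00:00+00:00",   # plain weekday -> Wed 2024-03-13
                "2024-03-07T10:00:00+00:00",   # lands on Fri 03-15 -> Mon 03-18
                "2024-12-17T09:00:00+00:00"):  # lands on holidays -> Mon 12-30
        print(iso, "->", deadline_sentence(iso, EXAMPLE_HOLIDAYS).splitlines()[-1])
```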
    
(<e.g. for High)

(Sites are recommended to update relevant components as soon as possible.)

(If high and may become critical)

(Sites should be aware that if a public exploit is released which allows easy root access in the EGI infrastructure this vulnerability is likely to be elevated to 'Critical' and sites will then be required to patch or have mitigation in place within 7 days or risk suspension. )

(Mostly for 'Alert' - If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure then please inform EGI SVG.)

## COMPONENT INSTALLATION INFORMATION
    
(This section (heading) may be omitted or merged with the one above if no detailed instructions are needed.)
   

Sites should update the relevant components using the RedHat or other vendor updates.

See references below for further information 


OR

(In case of UMD - although only a small fraction of our advisories now refer to UMD software) 
The official repository for the distribution of grid middleware for EGI sites is 
repository.egi.eu which contains the EGI Unified Middleware Distribution (UMD). 
 
Sites using the EGI UMD 4 should see:

https://repository.egi.eu/

(e.g. pointer to UMD release)

OR 

(References/description to appropriate other software.) 


## MITIGATION

(If appropriate - Describe mitigation to carry out - this may be to run a script)

(If possible, include either a script and/or include command lines)

(Or refer to vendors mitigation instructions.) 


## MORE INFORMATION

(As required - usually a paragraph describing the issue.)

(In particular, if EGI SVG has elevated the risk because of the way the software is used in EGI, explain why.)
    
## STATUS OF THIS ADVISORY
    
(Choose proper TLP color)

_TLP:CLEAR information - Unlimited distribution_
                   
or 

_TLP:GREEN information - Community Wide distribution_

or
                        
_TLP:AMBER information - Limited distribution_ 

or

_TLP:RED information - Personal for Named Recipients Only 
    - do not redistribute without permission of SVG_ 

    
(Put on Web for [CLEAR] information only)

(If not public and High or Critical) - This advisory will be made public on or after yyyy-mm-dd  at  https://advisories.egi.eu/Advisory-EGI-SVG-<year>-<NN> (4 weeks later). 

 (possibly also the alt with CVE) https://advisories.egi.eu/Advisory-SVG-<CVE> as irtf use it


Minor updates may be made without re-distribution to the sites.


## CONTACT AND OTHER INFORMATION ON SVG

(delete as appropriate)
    
For [CLEAR] (formerly [WHITE]) information:--

-----------------------------
This advisory is subject to the Creative Commons licence 
https://creativecommons.org/licenses/by/4.0/ and the EGI 
https://www.egi.eu/ Software Vulnerability Group must be credited. 
-----------------------------

For [GREEN] and [AMBER] information:-- 

-----------------------------
Others may re-use this information provided they:-

1) Respect the provided TLP classification

2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group
------------------------------

    
Comments or questions should be sent to
    svg-rat at mailman.egi.eu

Vulnerabilities relevant for EGI can be reported at
    report-vulnerability at egi.eu
    
(see [R 99] for further details, and other information on SVG)
    
    
## REFERENCES

(Any references to the vulnerability)
(refer to any public disclosure)
(e.g. Linux vendors info)
(any other info on the problem)

(Useful skeletons)

- [R 1] <https://nvd.nist.gov/vuln/detail/CVE-2023-nnnn>

- [R 2] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-nnnn>
     
- [R 3] <https://www.cve.org/CVERecord?id=CVE-2023-nnnn>

- [R 4] <https://access.redhat.com/security/cve/CVE-2023-nnnn>

- [R 5] <https://www.scientificlinux.org/category/sl-errata/>

- [R 6] <https://lists.centos.org/pipermail/centos-announce/>

- [R 7] <https://security-tracker.debian.org/tracker/CVE-2023-nnnn>
    
- [R 8] <https://ubuntu.com/security/CVE-2023-nnnn>

- [R 9] <https://errata.build.resf.org/>   (RockyLinux)

- [R 10]  <https://errata.almalinux.org/>  (AlmaLinux)

(Or link to UMD repository)
- <https://repository.egi.eu/>

(Or anything else)

- [R 99] <https://confluence.egi.eu/display/EGIBG/SVG+Advisories>

## CREDITS

This vulnerability was reported by (if applicable - person who discovers vulnerability) ( only on web page.)