ESE-RFC-004 Security Alert Announcement
SPG Security Alert Announcement
Please note that ESE-RFC-004 "The Data Access Protocol - DAP 2.0" [1] describes a data access protocol that has been implemented in many different software packages [2]. One of those packages, "Server 3" (also known as the CGI Server Base Software), available from OPeNDAP.org [3], has a recently discovered security weakness, described in a message to the OPeNDAP Tech mailing list [4]. OPeNDAP.org recommends that operators immediately stop all running Server 3 servers and then either apply the patch to Server 3 or upgrade to "Server 4" (Hyrax).
Further information is available at US-CERT [5].
This security issue lies in functionality offered by the Server 3 software that is not directly related to the DAP protocol itself; it is a weakness of that particular implementation, not of the protocol described in ESE-RFC-004. The SPG has no evidence of similar security issues in other implementations of DAP.
The NASA ESDSWG SPG welcomes the rapid response made by the OPeNDAP team to investigate and publicize this issue.
Further announcements about this and other security issues can be found at US-CERT's Vulnerability Notes Database [6].
References:
- [1] http://www.esdswg.org/spg/rfc/ese-rfc-004/ESE-RFC-004v1.1.pdf
- [2] http://www.esdswg.org/spg/rfc/ese-rfc-004/ese-rfc-004-eouv0-02.pdf
- [3] http://opendap.org/download/index.html
- [4] http://www.unidata.ucar.edu/support/help/MailArchives/opendap-tech/msg00281.html
- [5] http://www.kb.cert.org/vuls/id/857153
- [6] http://www.kb.cert.org/vuls/