製品・ソフトウェアに関する情報

JVN脆弱性詳細

Globus Toolkit で使用される MyProxy におけるサーバを偽装される脆弱性

Title	Globus Toolkit で使用される MyProxy におけるサーバを偽装される脆弱性
Summary	Globus Toolkit で使用される MyProxy は、ホスト名または X.509 証明書内の識別子を適切に検証しないため、サーバを偽装される、および中間者攻撃を誘発する脆弱性が存在します。
Possible impacts	第三者により、myproxy-logon または myproxy-get-delegation を実行する際、巧妙に細工された証明書を介して、サーバを偽装される、および中間者攻撃を誘発される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 18, 2011, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

Globus

Globus Toolkit 5.0.0 から 5.0.2

ncsa

myproxy 5.0 から 5.2

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-0738	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0738
National Vulnerability Database (NVD)
2	CVE-2011-0738	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0738

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Globus
1	Welcome to the Globus Toolkit Homepage	http://www.globus.org/toolkit/
ncsa
2	Globus Security Advisory 2011-01	http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-0738

Summary	MyProxy 5.0 through 5.2, as used in Globus Toolkit 5.0.0 through 5.0.2, does not properly verify the (1) hostname or (2) identity in the X.509 certificate for the myproxy-server, which allows remote attackers to spoof the server and conduct man-in-the-middle (MITM) attacks via a crafted certificate when executing (a) myproxy-logon or (b) myproxy-get-delegation.
Publication Date	Feb. 2, 2011, 10 a.m.
Registration Date	Jan. 28, 2021, 4:37 p.m.
Last Update	Nov. 21, 2024, 10:24 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt	Vendor Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053461.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053473.html
4	http://lists.globus.org/pipermail/security-announce/2011-January/000018.html	Patch
5	http://osvdb.org/70494
6	http://secunia.com/advisories/42972	Vendor Advisory
7	http://secunia.com/advisories/43103	Vendor Advisory
8	http://www.securityfocus.com/bid/45916
9	http://www.vupen.com/english/advisories/2011/0227
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/64830
11	http://grid.ncsa.illinois.edu/myproxy/security/myproxy-adv-2011-01.txt	Vendor Advisory
12	https://exchange.xforce.ibmcloud.com/vulnerabilities/64830
13	http://www.vupen.com/english/advisories/2011/0227
14	http://www.securityfocus.com/bid/45916
15	http://secunia.com/advisories/43103	Vendor Advisory
16	http://secunia.com/advisories/42972	Vendor Advisory
17	http://osvdb.org/70494
18	http://lists.globus.org/pipermail/security-announce/2011-January/000018.html	Patch
19	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053473.html
20	http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053461.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html