We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.
Some of the sources we monitor for possible threats to CI include:
- OpenSSL, OpenSSH, and Globus project and security announcements
- US-CERT advisories
- XSEDE announcements
- RHEL/EPEL advisories
- REN-ISAC Alerts and Advisories
- Social media, such as Twitter, Reddit (/r/netsec and /r/security), and LinkedIn
- News sources, such as The Hacker News, ARS Technica, Threatpost, The Register, Naked Security, Slashdot, Krebs, SANS Internet Storm Center, Paul’s Security Weekly and Schneier
In 1Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 91 subscribers:
- Spectre/Meltdown Attacks (CVE-2017-5715/CVE-2017-5753/CVE-2017-5754)
- Shibboleth SP software vulnerable to forged user attribute data (CVE-2018-0486)
- SAML Vulnerabilities in Shibboleth SP Implementations (CVE-2018-0489)
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.
If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.
