The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists (see below).
We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.Some of the sources we monitor for possible threats to CI include:
- OpenSSL, OpenSSH, and Globus project and security announcements
- US-CERT advisories
- XSEDE announcements
- RHEL/EPEL advisories
- REN-ISAC Alerts and Advisories
- Social media, such as Twitter, and Reddit (/r/netsec and /r/security)
- News sources, such as The Hacker News, Threatpost, The Register, Naked Security, Slashdot, Krebs, SANS Internet Storm Center and Schneier
In 3Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:
- L1 Terminal Fault (L1TF) or Foreshadow (CVE-2018-3620/CVE-2018-3646)
- Apache Struts Vulnerability (CVE-2018-11776)
- OpenAFS Multiple Vulnerabilities (CVE-2018-16947, CVE-2018-16948, CVE-2018-16949)
- Red Hat Local Privilege Escalation or Mutagen Astronomy (CVE-2018-14634)
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.
If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.