=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN260
_____________________________________________________________________

DATE                      : 25/05/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the OPeNDAP server version 4.

======================================================================
http://www.kb.cert.org/vuls/id/659148
http://www.kb.cert.org/vuls/id/671028
______________________________________________________________________

Vulnerability Note VU#659148

OPeNDAP arbitrary command execution vulnerability

Overview

The BES daemon in OPeNDAP server version 4 contains a vulnerability. This
vulnerability may allow an attacker to execute arbitrary commands, or upload
files to a remote server.


I. Description

OPeNDAP is a software package designed to help researchers exchange data sets
that are stored in different formats. The most recent version of OPeNDAP is
server 4, or Hyrax. The Hyrax server includes a daemon called BES.


From the BES download page:

    BES is a new, high-performance back-end server software framework that
    allows data providers more flexibility in providing end users views of
    their data. The current OPeNDAP data objects (DAS, DDS, and DataDDS) are
    still supported, but now data providers can add new data views, provide
    new functionality, and new features to their end users through the BES
    modular design. Providers can add new data handlers, new data
    objects/views, the ability to define views with constraints and
    aggregation, the ability to add reporting mechanisms, initialization
    hooks, and more.

The BES server improperly sanitizes data supplied in compressed files. An
attacker may be able to exploit this vulnerability by sending a specially
crafted compressed file to a vulnerable server.


II. Impact

An attacker may be able to execute arbitrary commands on a vulnerable server.


III. Solution


Upgrade

BES 3.5.0 has been released to address this issue. Administrators are encouraged
to upgrade as soon as possible.

Restrict access

Limiting network access to the BES daemon may prevent a remote attacker from
exploiting this vulnerability. See the BES installation guide for more details.


Systems Affected

Vendor          Status          Date Updated
OPeNDAP, Inc.   Vulnerable      18-May-2007


References

http://www.opendap.org/download/BES.html
http://www.opendap.org/security.html
http://docs.opendap.org/index.php/Hyrax_1.2:_BES_Installation#Install
http://secunia.com/advisories/25319/


Credit

Thanks to NCIRT labs for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information


Date Public             05/14/2007
Date First Published    05/18/2007 03:10:42 PM
Date Last Updated       05/21/2007
CERT Advisory	
CVE Name	
Metric                  2.42
Document Revision       16

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.

________________________________________________________________________

Vulnerability Note VU#671028

OPeNDAP filesystem enumeration vulnerability

Overview


The OPeNDAP server version 4 contains a file enumeration vulnerability. This
vulnerability may allow an attacker to enumerate filesystem contents.


I. Description

OPeNDAP is a software package designed to help researchers exchange data sets
that are stored in different formats. The most recent version of OPeNDAP is
server 4, or Hyrax.

From the Hyrax download page:

    Hyrax is the next generation server from OPeNDAP. It utilizes a modular
    design that employs a light weight Java servlet (aka OLFS) to provide the
    public-accessible client interface, and a back-end daemon, the BES to
    handle the heavy lifting. The BES uses the same handlers that are used
    with Server3 (also known as the CGI Server) but loads those at run time.

The Hyrax server may allow users to enumerate the server's filesystem contents.


II. Impact

A remote, unauthenticated attacker may be able to view the contents of the 
server's filesystem.


III. Solution

Upgrade

The OPeNDAP team has released an update, BES 3.5.0, to address this issue.
Administrators are encouraged to upgrade as soon as possible.


Systems Affected

Vendor          Status          Date Updated
OPeNDAP, Inc.   Vulnerable      18-May-2007


References

http://www.opendap.org/security.html
http://www.opendap.org/download/hyrax.html
http://secunia.com/advisories/25319/


Credit

Thanks to NCIRT labs for reporting this vulnerability.

This document was written by Ryan Giobbi.


Other Information

Date Public             05/14/2007
Date First Published    05/18/2007 03:11:30 PM
Date Last Updated       05/21/2007
CERT Advisory	
CVE Name	
Metric                  0.13
Document Revision       18

If you have feedback, comments, or additional information about this 
vulnerability, please send us email.


======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================

