OSG-SEC-2022-02-17 CRITICAL ALERT ACTION REQUIRED xcache image purge notification

Dear Security and Sysadmin contacts,

A CRITICAL security flaw was detected in OSG XCache images published in DockerHub [1] and OSG’s Harbor [2] which could compromise the integrity and confidentiality of data on other containers for all varieties of XCache and XRootD standalone.

To mitigate this flaw, the OSG software team has pushed new images to DockerHub and will be purging all images prior to February 16, 2022.

What this means for you

You will need to update to the latest image and restart all affected containers by the end of Feb 17, 2022. Containers running images older than 2/16/22 are considered vulnerable and may no longer function as expected.

To download the latest image:

docker pull opensciencegrid/:release

Where is one of [1]: atlas-xcache cms-xcache stash-cache stash-origin xcache xrootd-standalone

Reference Links

[1] https://hub.docker.com/r/opensciencegrid/atlas-xcache

https://hub.docker.com/r/opensciencegrid/cms-xcache

https://hub.docker.com/r/opensciencegrid/stash-cache

https://hub.docker.com/r/opensciencegrid/stash-origin

https://hub.docker.com/r/opensciencegrid/xcache

https://hub.docker.com/r/opensciencegrid/xroot-standalone

[2] https://hub.opensciencegrid.org/harbor/projects/4/repositories/atlas-xcache

https://hub.opensciencegrid.org/harbor/projects/4/repositories/cms-xcache

https://hub.opensciencegrid.org/harbor/projects/4/repositories/stash-cache

https://hub.opensciencegrid.org/harbor/projects/4/repositories/stash-origin

https://hub.opensciencegrid.org/harbor/projects/4/repositories/xcache

https://hub.opensciencegrid.org/harbor/projects/4/repositories/xrootd-standalone

If you have any questions, please contact [email protected]

Sincerely, OSG Security Team