January 28, 2015 | Vas Vasiliadis

We are aware of the announced vulnerability described in CVE-2015-0235 (GHOST). We have investigated the issue and will continue to monitor our systems. Our assessment and mitigating actions are described in our support forum, and we will update this forum post with more detail as necessary. Our risk assessment and recommended actions are summarized below.

Risk Assessment

Our assessment is that the Globus service and the Globus Toolkit are not vulnerable to currently known exploits resulting from this vulnerability. In short, programs using the gethostbyname*() functions could be at risk, but the conditions under which known exploits could result in any material damage are highly unlikely.

Actions We Have Taken to Close Attack Vector

As of 1/27 3:20pm CDT, we have applied the recommended patches and restarted impacted globus.org systems.

Recommended Actions for Globus Users and Administrators

We recommend any host running Globus services (e.g. Globus Connect Personal, Globus Connect Server, GridFTP, MyProxy, GSI-OpenSSH, GRAM) apply the advised updates as soon as possible. Please consult your software vendor for the latest updates.