[Halld-offline] [EXTERNAL] Fwd: Critical ROOT Security Issue

Shepherd, Matthew mashephe at indiana.edu
Sun Dec 3 15:23:01 EST 2023


FYI -- I received this through another channel.  It may be of interest to this group.  The issue is with the web-based GUI for ROOT.  If you use the traditional TBrowser graphical interface then it does not apply.

Matt

Begin forwarded message:


Subject:        Critical ROOT Security Issue
Date:   Fri, 1 Dec 2023 22:34:40 +0000
From:   Zach Marshall <zach.marshall at cern.ch><mailto:zach.marshall at cern.ch>
To:     atlas-active-members (ATLAS Active Members Protection Group) <atlas-active-members at cern.ch><mailto:atlas-active-members at cern.ch>
CC:     David South <southd at mail.desy.de><mailto:southd at mail.desy.de>


Dear colleagues,

A critical security issue has been found affecting a number of ROOT versions [1,2]. Please update your local installations to the newest version as soon as possible. For older ATLAS software releases, please modify your ROOT environment to disable the relevant functionality [3]. The ATLAS setup command will issue a warning in case it detects an insecure environment [4].

Thank you for your help in ensuring the security of your and ATLAS’s resources.

Thank you also to the myriad people who assisted in quickly understanding and deploying these patches.

Cheers,
David and Zach


[1] https://root.cern/about/security/#2023-11-26-open-port-for-control-of-web-gui-allows-read-and-write-access-to-file-system
[2] https://security.web.cern.ch/reports/en/monthly_reports/2023/2023-11.shtml
[3] https://twiki.cern.ch/twiki/bin/viewauth/AtlasComputing/RootBrowserSecurityIssue
[4] The warning is as follows:

30 Nov 2023
A serious security issue in ROOT's web-based GUI has been identified:

You should not use the web-based browser until further notice and instead set the old-style TBrowser as the default. Please see the Twiki page linked below for instructions on how to do this.

https://twiki.cern.ch/twiki/bin/view/AtlasComputing/RootBrowserSecurityIssue

More details of this issue:
https://root.cern/about/security/#2023-11-26-open-port-for-control-of-web-gui-allows-read-and-write-access-to-file-system

Reason for this message: $HOME/.rootrc - has not set Browser.Name

============================================================

ATLAS Instructions for mitigating the issue if you must use one of the affected ROOT versions:
Introduction
In November 2023 a serious security issue <https://root.cern/about/security/#2023-11-26-open-port-for-control-of-web-gui-allows-read-and-write-access-to-file-system> was found in ROOT's web-based browser. The old-style TBrowser is unaffected, as is batch running (either as part of Athena/AnalysisBase or via root -b). Users must not use the web-based browser until further notice. Since the default setting in affected ROOT versions is to use this compromised feature, users must now take action to disable it in their environment.

NB: The ATLAS recommendation to not use the web-based browser is a more stringent recommendation than given by CERN IT here <https://security.web.cern.ch/reports/en/monthly_reports/2023/2023-11.shtml>. It was however arrived at in discussion with the ROOT developers and is in line with the recommendations from the ROOT team themselves. Applying the advertised changes to the "HttpLoopback" setting on top of disabling the web-based browser is of course also welcomed.

How to disable the web-based browser
Go to your home directory and set up ROOT/ATLAS software. Then:


cp $ROOTSYS/etc/system.rootrc .rootrc

Open this file and check whether you find the line:


Browser.Name:                ROOT::Experimental::RWebBrowserImp

If this line is present, change it to:

Browser.Name:                TRootBrowser

Save this change. Now, whenever you open ROOT, the old-style browser will become the default. If you already have a .rootrc file in your home directory, adding the Browser.Name setting should be sufficient.

If you installed ROOT using Homebrew

If you installed ROOT via Homebrew on your personal Mac laptop, the $ROOTSYS environment variable may not be set.

You can however find system.rootrc on the current path:

/opt/homebrew/Cellar/root/[6.X.Y]/etc/root/system.rootrc

Once the file is copied to $HOME/.rootrc the instructions above can be followed. (tested on Apple M1 Sonoma 14.1)


--
Fred Luehring Indiana U. HEP mailto:luehring at indiana.edu  +1 812 855 1025 IU
http://cern.ch/Fred.Luehring  mailto:Fred.Luehring at cern.ch +41 22 767 1166 CERN
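The disable procedure in the forwarded ATLAS instructions (create or edit $HOME/.rootrc and set Browser.Name to TRootBrowser), written out as an added example; this is not code from the original mail, the ATLAS twiki or the ROOT project. It is a POSIX shell script that applies the setting idempotently and then checks the file the way the ATLAS setup warning does (Browser.Name present and set to the classic browser). It only writes the Browser.Name key rather than copying the whole system.rootrc, relying on the twiki's note that adding the key to an existing .rootrc is sufficient. The function names, the RCFILE argument and the temp-file handling are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the ATLAS twiki or the forwarded mail): make the
# classic TRootBrowser the default in a .rootrc file, idempotently, and verify
# it the way the ATLAS setup warning does ("has not set Browser.Name").
# Function names and the RCFILE argument are this example's own choices.
set -eu

CLASSIC_LINE='Browser.Name:                TRootBrowser'

# set_classic_browser RCFILE
# Rewrites any active "Browser.Name:" entry (for example the web-GUI default
# ROOT::Experimental::RWebBrowserImp) to TRootBrowser; appends the key if the
# file has none. Comment lines and all other settings are left untouched.
set_classic_browser() {
    rc="$1"
    [ -f "$rc" ] || : > "$rc"
    if grep -q '^[[:space:]]*Browser\.Name[[:space:]]*:' "$rc"; then
        tmp="$rc.tmp.$$"
        # one sed pass into a temp file, then rename: portable across GNU and
        # BSD sed, and never leaves a half-written .rootrc behind
        sed "s|^[[:space:]]*Browser\.Name[[:space:]]*:.*|$CLASSIC_LINE|" "$rc" > "$tmp"
        mv "$tmp" "$rc"
    else
        printf '%s\n' "$CLASSIC_LINE" >> "$rc"
    fi
}

# check_classic_browser RCFILE
# Exit 0 only if RCFILE has an active Browser.Name set to TRootBrowser and no
# active Browser.Name pointing at the web browser implementation.
check_classic_browser() {
    rc="$1"
    [ -f "$rc" ] || return 1
    if grep -q '^[[:space:]]*Browser\.Name[[:space:]]*:.*RWebBrowserImp' "$rc"; then
        return 1
    fi
    grep -q '^[[:space:]]*Browser\.Name[[:space:]]*:[[:space:]]*TRootBrowser[[:space:]]*$' "$rc"
}

# browser_name RCFILE
# Prints the value of the last active Browser.Name entry (empty if none).
browser_name() {
    sed -n 's/^[[:space:]]*Browser\.Name[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

main() {
    rc="$1"
    if check_classic_browser "$rc"; then
        echo "$rc already sets Browser.Name to TRootBrowser"
    else
        set_classic_browser "$rc"
        check_classic_browser "$rc" || { echo "failed to set Browser.Name in $rc" >&2; return 1; }
        echo "$rc now sets Browser.Name: $(browser_name "$rc")"
    fi
}

# Run as: sh rootrc_classic_browser.sh "$HOME/.rootrc"
# With no argument only usage is printed, so the file can be sourced for its
# functions without touching anything.
if [ $# -gt 0 ]; then
    main "$1"
else
    echo "usage: $0 RCFILE   (normally \$HOME/.rootrc)" >&2
fi
```

Running the script twice is safe: the second run finds the classic setting already in place and changes nothing, and a commented-out Browser.Name line is neither rewritten nor counted as the active setting.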
