Blog

On Saturday, March 21, 2015, starting at 10:00am CDT, the Globus service will undergo a significant upgrade. We will be making changes to the underlying services used for managing user identities and groups. While we are deploying these changes into our production environment, the Globus service will not be available. We expect that the upgrade will be completed within 4 hours, and the service should be fully operational by approximately 2pm CDT.

We are aware of the announced vulnerability described in CVE-2015-0235 (GHOST). We have investigated the issue and will continue to monitor our systems. Our assessment and mitigating actions are described in our support forum, and we will update this forum post with more detail as necessary. Our risk assessment and recommended actions are summarized below.

We continue to extend the file operations supported by the Globus web interface. The Transfer Files page of the Globus web interface now lets you rename files and folders. This capability was previously available via the command line interface and was just added to the Globus web interface.

On Monday, December 8, 2014 we'll be updating the Globus file transfer service. As part of this update we're adding another IP address to the service that executes file transfer requests. The majority of our users will see no difference, and any active file transfers will continue without interruption. However, if you have endpoints behind a firewall with tight inbound rules explicitly identifying Globus machines, you will need to update these rules to allow the new IP addresses, otherwise file transfer requests to/from endpoints behind that firewall will fail.

Our first implementation for transferring files to/from Amazon S3 endpoints (buckets) was a good proof of concept but performance was, at best, average. In our latest release, we’ve upped the stakes significantly and used multiple techniques to improve performance: (1) using parallel TCP file streams, (2) quickly retrying on transient faults, and (3) using multipart-upload only for files greater than 100MB.

On Wednesday, October 14th, a new vulnerability (CVE-2014-3566) was announced in the SSLv3 protocol.

We recently changed the policies that govern access to certain Globus features. These changes are informed by our experiences in offering paid subscriptions to researchers and resource providers over the past ~2 years. Here's what's changing:

On Wednesday, September 24th, a new vulnerability (CVE-2014-6271) was announced in the widely used GNU Bourne Again shell and command language interpreter (aka Bash), which is the default shell for Red Hat Enterprise Linux, among others.

On Thursday, June 5th, a new OpenSSL vulnerability (CCS Injection Vulnerability) was announced.  After its announcement, we reviewed the severity and impact to Globus services, partner services and users. Soon thereafter, we posted details in our support forum, with continuing updates as we learn more. Overall, our assessment for the severity of the impact for this issue is low. The forum post does include

We are happy to announce that the Globus user of the month for May 2014 is Robert Edwards, a staff scientist in the Theory Group at Jefferson Lab, a Department of Energy Nuclear Physics experimental facility. 

Here he tells us about the work he’s doing, and how Globus helps him do it: