OpenSim customers that use the Diva Distro version of OpenSim or its Diva Wifi website interface should install the latest security patch to close a vulnerability that could leave their grids susceptible to crashing.
The Diva Distro software is almost as old as OpenSim itself. It was first released in 2009, primarily out of the desire to make it easy to use OpenSim for education and not to provide a production-ready web interface for public grids. The Wifi feature was added in 2010 by OpenSim core developer and hypergrid inventor Crista Lopes, also known as “Diva Canto.” Lopes is a professor of informatics at the University of California, Irvine. You can follow her on Twitter at @divacanto.
By default, the Diva Distro creates a four-region OpenSim minigrid. Although it is not a production-ready web interface for public grids, it used to be the most popular way to create quick home-based OpenSim grids before the DreamGrid distribution was released. Development of Diva Wifi nevertheless continues, to make it more suitable for securely creating and running public grids.
The new security patch removes an attack vector in the web server created by recursive code paths, which had the potential to cause a crash, said Zetamex Network CEO Vincent Sylvester, who wrote and tested the patch.
“Those running Wifi need to compile or receive new binaries to patch their systems as this is just a merge of the codebase without a direct binary release,” he told Hypergrid Business. “The vast majority do not compile Wifi themselves or maintain a development copy of OpenSim so it will take a while for this change to make it onto grids out there.”
People running Diva Wifi can also set up a service for the Robust instance running Wifi, to make sure it is restarted if it crashes. This can be done on both Linux and Windows with some knowledge of how to set up the service correctly, he said.
“On Linux, systemctl offers fairly simple setups for creating custom services, with the biggest trouble getting it to recognize the specific Robust instance,” said Sylvester. “On Windows, it is a bit more complicated in setup, but works via internal pointers so it generally keeps good track of the process itself.”
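One way to set up the Linux restart service described above, as an added example that is not from Sylvester or the Diva Distro project. The unit name, service account, install path and ini file name are assumptions to adapt to your own installation.

```ini
# /etc/systemd/system/robust-wifi.service
# Constructed example: unit name, user, paths and ini file name are assumptions.

[Unit]
Description=OpenSim Robust instance hosting Diva Wifi
After=network-online.target
Wants=network-online.target
# Give up after 5 restarts within 10 minutes, so a crash loop
# shows up as a failed unit instead of being hidden by endless restarts.
StartLimitIntervalSec=600
StartLimitBurst=5

[Service]
# Type=simple: systemd tracks the mono process it starts itself, so it
# follows this specific Robust instance rather than matching by name.
Type=simple
# Run under a dedicated unprivileged account, not root.
User=opensim
# WorkingDirectory and -inifile together select the instance to supervise.
WorkingDirectory=/opt/opensim/bin
# Assumption: this Robust instance can run in the foreground without an
# interactive terminal. If yours needs one, keep the same foreground
# launch method you already use as the ExecStart command.
ExecStart=/usr/bin/mono Robust.exe -inifile=Robust.ini
# Restart only on abnormal exit (non-zero status or signal); a clean,
# operator-initiated shutdown is left stopped.
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl enable --now robust-wifi.service`, the output of `journalctl -u robust-wifi.service` records each restart, which gives a record of how often the instance is crashing until the patched binaries are in place.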
The Diva Distro software is a lightweight, easy and quick-to-use way to create small home-based OpenSim grids, and its Wifi interface is an easy alternative to having a full grid website. Some bigger grids use the Wifi interface as part of a bigger site, however, to provide stats and handle user registration.
“The exploit has been used over the past few months to attack many grids,” said AviWorlds CEO Josh Boam, who first reported the problem to Hypergrid Business. The exploit can cause a grid to crash and requires the grid owners to restart it. However, it doesn’t do anything else more damaging, such as expose user data or provide access to internal systems. Still, it can cause unnecessary downtime.
Most larger grids either use their own code, or are already patched against the problem.
Kitely does not use Diva Wifi, for instance, but has its own grid management, said Kitely CEO Ilan Tochner.
Beckhusen also submitted his fix to the Diva Distro project a year ago.