Description
Security update for cacti, cacti-spine
This update for cacti, cacti-spine fixes the following issues:
cacti 1.2.27:
- CVE-2024-34340: Authentication Bypass when using older password hashes (boo#1224240)
- CVE-2024-25641: RCE vulnerability when importing packages (boo#1224229)
- CVE-2024-31459: RCE vulnerability when plugins include files (boo#1224238)
- CVE-2024-31460: SQL Injection vulnerability when using tree rules through Automation API (boo#1224239)
- CVE-2024-29894: XSS vulnerability when using JavaScript based messaging API (boo#1224231)
- CVE-2024-31458: SQL Injection vulnerability when using form templates (boo#1224241)
- CVE-2024-31444: XSS vulnerability when reading tree rules with Automation API (boo#1224236)
- CVE-2024-31443: XSS vulnerability when managing data queries (boo#1224235)
- CVE-2024-31445: SQL Injection vulnerability when retrieving graphs using Automation API (boo#1224237)
- CVE-2024-27082: XSS vulnerability when managing trees (boo#1224230)
- Improve PHP 8.3 support
- When importing packages via command line, data source profile could not be selected
- When changing password, returning to previous page does not always work
- When using LDAP authentication the first time, warnings may appear in logs
- When editing/viewing devices, add IPv6 info to hostname tooltip
- Improve speed of polling when Boost is enabled
- Improve support for Half-Hour time zones
- When user session not found, device lists can be incorrectly returned
- On import, legacy templates may generate warnings
- Improve support for alternate locations of Ping
- Improve PHP 8.1 support for Installer
- Fix issues with number formatting
- Improve PHP 8.1 support when SpikeKill is run first time
- Improve PHP 8.1 support for SpikeKill
- When using Chinese to search for graphics, garbled characters appear.
- When importing templates, preview mode will not always load
- When remote poller is installed, MySQL TimeZone DB checks are not performed
- When Remote Poller installation completes, no finish button is shown
- Unauthorized agents should be recorded into logs
- Poller cache may not always update if hostname changes
- When using CMD poller, Failure and Recovery dates may have incorrect values
- Saving a Tree can cause the tree to become unpublished
- Web Basic Authentication does not record user logins
- When using Accent-based languages, translations may not work properly
- Fix automation expressions for device rules
- Improve PHP 8.1 Support during fresh install with boost
- Add a device 'enabled/disabled' indicator next to the graphs
- Notify the admin periodically when a remote data collector goes into heartbeat status
- Add template for Aruba Clearpass
- Add filter/sort of Device Templates by Graph Templates
cacti-spine 1.2.27:
- Restore AES Support
Package List
SUSE Package Hub 12
SUSE Package Hub 15 SP5
openSUSE Leap 15.5
References
- E-Mail link for openSUSE-SU-2024:0274-1
- SUSE Security Ratings
- SUSE Bug 1224229
- SUSE Bug 1224230
- SUSE Bug 1224231
- SUSE Bug 1224235
- SUSE Bug 1224236
- SUSE Bug 1224237
- SUSE Bug 1224238
- SUSE Bug 1224239
- SUSE Bug 1224240
- SUSE Bug 1224241
- SUSE CVE CVE-2024-25641 page
- SUSE CVE CVE-2024-27082 page
- SUSE CVE CVE-2024-29894 page
- SUSE CVE CVE-2024-31443 page
- SUSE CVE CVE-2024-31444 page
- SUSE CVE CVE-2024-31445 page
- SUSE CVE CVE-2024-31458 page
- SUSE CVE CVE-2024-31459 page
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue.
Affected Products
References
- CVE-2024-25641
- SUSE Bug 1224229
Description
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 are vulnerable to stored cross-site scripting, a type of cross-site scripting where malicious scripts are permanently stored on a target server and served to users who access a particular page. Version 1.2.27 contains a patch for the issue.
Affected Products
References
- CVE-2024-27082
- SUSE Bug 1224230
Description
Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. `raise_message_javascript` from `lib/functions.php` now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables `$title` and `$header`. If those variables contain single quotes, they can be used to inject JavaScript code. An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings. Version 1.2.27 fixes this issue.
Affected Products
References
- CVE-2024-29894
- SUSE Bug 1224231
Description
Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in the `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in the `grow_right_pane_tree()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
Affected Products
References
- CVE-2024-31443
- SUSE Bug 1224235
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `automation_tree_rules_form_save()` function in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the HTML statement in the `form_confirm()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue.
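The three cross-site scripting entries in this update share one root cause: PHP values are concatenated into output without encoding for the context they land in. CVE-2024-29894 is the JavaScript-string case (a single quote in `$title` or `$header` ends the literal), while CVE-2024-31443 and CVE-2024-31444 are the HTML-markup case. The following is an added example, not Cacti code, that places the vulnerable builders beside context-aware encoders; the function names are hypothetical and the inputs are constructed test strings.

```php
<?php
// Added example, not Cacti code: the output-encoding discipline that closes
// CVE-2024-29894 (PHP values dropped into a JavaScript string literal) and
// CVE-2024-31443 / CVE-2024-31444 (PHP values concatenated into HTML).
// Function names are hypothetical; the inputs are constructed test strings.

// Constructed attacker-controlled values. The single quote in $title ends
// the JS string literal in the vulnerable builder; the markup in $header
// becomes live HTML in the vulnerable confirm dialog.
$title  = "Device ' + alert(1) + '";
$header = '<img src=x onerror="alert(1)">';

// Vulnerable pattern: raw PHP variables inside a JS literal.
function build_message_js_unsafe(string $title, string $header): string {
    return "raise_message_javascript('" . $title . "', '" . $header . "');";
}

// JS context: json_encode() yields a valid JS string literal, and the
// JSON_HEX_* flags also encode < > ' " & so the literal is safe inside a
// <script> element embedded in an HTML page.
function js_string(string $value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function build_message_js_safe(string $title, string $header): string {
    return "raise_message_javascript(" . js_string($title) . ", " . js_string($header) . ");";
}

// HTML context (the grow_right_pane_tree() / form_confirm() cases):
// escape every untrusted value before it is concatenated into markup.
function html_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function build_confirm_html_unsafe(string $name): string {
    return '<p>Delete rule <b>' . $name . '</b>?</p>';
}

function build_confirm_html_safe(string $name): string {
    return '<p>Delete rule <b>' . html_escape($name) . '</b>?</p>';
}

echo build_message_js_unsafe($title, $header), "\n";
echo build_message_js_safe($title, $header), "\n";
echo build_confirm_html_unsafe($header), "\n";
echo build_confirm_html_safe($header), "\n";
```

Run it with `php example.php` and compare the two pairs of lines: the safe JS builder emits `\u0027` and `\u003C` in place of the quote and angle bracket, so the literal can never terminate early, and the safe HTML builder renders the `<img>` as visible text rather than as an element. The point worth remembering from the 29894 entry is that a sanitiser such as purify.js applied to one variable does not protect a sibling variable that is still interpolated raw.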
Affected Products
References
- CVE-2024-31444
- SUSE Bug 1224236
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, a SQL injection vulnerability in the `automation_get_new_graphs_sql` function of `api_automation.php` allows authenticated users to exploit these SQL injection vulnerabilities to perform privilege escalation and remote code execution. In `api_automation.php` line 856, `get_request_var('filter')` is concatenated into the SQL statement without any sanitization. In `api_automation.php` line 717, the filter of `'filter'` is `FILTER_DEFAULT`, which means there is no filter for it. Version 1.2.27 contains a patch for the issue.
Affected Products
References
- CVE-2024-31445
- SUSE Bug 1224237
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in the `form_save()` function in `graph_template_inputs.php` is not thoroughly checked and is used to concatenate the SQL statement in the `draw_nontemplated_fields_graph_item()` function from `lib/html_form_templates.php`, finally resulting in SQL injection. Version 1.2.27 contains a patch for the issue.
Affected Products
References
- CVE-2024-31458
- SUSE Bug 1224240
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, there is a file inclusion issue in the `lib/plugin.php` file. Combined with SQL injection vulnerabilities, remote code execution can be achieved. The file inclusion issue is in the `api_plugin_hook()` function in the `lib/plugin.php` file, which reads the plugin_hooks and plugin_config tables in the database. The data read is used directly to concatenate the file path that is then passed to file inclusion. Version 1.2.27 contains a patch for the issue.
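Two entries in this update are path-handling bugs of the same shape: CVE-2024-25641 takes a filename from package XML and writes under the base path without checking for traversal, and CVE-2024-31459 takes a plugin name from the database and concatenates it into an include path. Below is an added example, not Cacti code, of the containment check a defender would want in both places, plus the extra constraints each case needs (an extension allowlist for writes, an identifier-only rule for plugin names). Function names, the allowlist and the directory layout are hypothetical; the script builds a scratch tree under the system temp directory so it runs stand-alone.

```php
<?php
// Added example, not Cacti code: path validation of the kind that closes the
// two path-handling issues in this advisory (CVE-2024-25641, CVE-2024-31459).
// Function names, the extension allowlist and the directory layout are
// hypothetical; the scratch tree is created in the system temp dir.

// Resolve $base/$relative and return the canonical path only if it stays
// inside $base; otherwise null. The parent directory is canonicalised with
// realpath() so a file that does not exist yet (the import case) can be
// checked, and symlinks pointing outside $base are caught as well.
function path_within_base(string $base, string $relative): ?string {
    $base = realpath($base);
    if ($base === false || $relative === '' || $relative[0] === '/' || strpos($relative, "\0") !== false) {
        return null;
    }
    $name = basename($relative);
    if ($name === '.' || $name === '..') {
        return null;
    }
    $parent = realpath($base . '/' . dirname($relative));
    if ($parent === false) {
        return null;
    }
    $candidate = $parent . '/' . $name;
    // Compare against "$base/" so that /srv/cacti2 does not count as inside /srv/cacti.
    return strpos($candidate, $base . '/') === 0 ? $candidate : null;
}

// Import case: on top of containment, only accept data-file extensions so
// nothing the web server would execute can be written.
function validate_import_target(string $base, string $filename): ?string {
    $allowed = ['xml', 'txt']; // hypothetical allowlist
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    return path_within_base($base, $filename);
}

// Include case: a plugin name is an identifier, not a path fragment, and the
// target file must already exist under the plugins directory.
function resolve_plugin_file(string $plugins_dir, string $plugin, string $file): ?string {
    if (!preg_match('/\A[a-z0-9_]{1,64}\z/', $plugin) || !preg_match('/\A[a-z0-9_]+\.php\z/', $file)) {
        return null;
    }
    $path = path_within_base($plugins_dir, $plugin . '/' . $file);
    return ($path !== null && is_file($path)) ? $path : null;
}

// Constructed scratch layout.
$base = sys_get_temp_dir() . '/cacti_demo_' . getmypid();
mkdir($base . '/resource', 0700, true);
mkdir($base . '/plugins/thold', 0700, true);
file_put_contents($base . '/plugins/thold/setup.php', "<?php\n");

var_dump(validate_import_target($base, 'resource/host_template.xml'));     // canonical path under $base
var_dump(validate_import_target($base, '../../etc/passwd'));               // NULL: resolves outside $base
var_dump(validate_import_target($base, 'resource/script.php'));            // NULL: extension not allowed
var_dump(resolve_plugin_file($base . '/plugins', 'thold', 'setup.php'));       // canonical path
var_dump(resolve_plugin_file($base . '/plugins', '../resource', 'setup.php')); // NULL: not an identifier

// Remove the scratch tree.
unlink($base . '/plugins/thold/setup.php');
foreach (['/plugins/thold', '/plugins', '/resource', ''] as $d) {
    rmdir($base . $d);
}
```

The design choice to note is that containment is checked on the canonicalised parent plus a bare basename, not on the string the caller supplied: string-level filtering of `..` is what the 25641 entry says was missing, and a realpath-based check also covers symlinks and alternative encodings that a substring filter would pass. For the include case the regex does most of the work; the containment check is a second line of defence in case the plugins directory itself is ever relocated or symlinked.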
Affected Products
References
- CVE-2024-31459
- SUSE Bug 1224238
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in the `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL-based second-order injection, attackers can modify the contents of the Cacti database, and based on the modified content it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue.
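The three SQL injection entries (CVE-2024-31445, where a `filter` request variable is concatenated into a query; CVE-2024-31458 and CVE-2024-31460, where previously stored data is concatenated later) all come down to query text built by string concatenation. The following is an added example, not Cacti code, showing the request-filter case vulnerable and then parameterised; the table, columns and function names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone.

```php
<?php
// Added example, not Cacti code: the request-filter to SQL pattern from
// CVE-2024-31445, shown vulnerable and then parameterised. The same
// discipline applies to the stored-data cases (CVE-2024-31458 and
// CVE-2024-31460): data that came from the database earlier is still data.
// Table and column names are hypothetical; SQLite is used so this runs
// without a MySQL server.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE host (id INTEGER PRIMARY KEY, description TEXT, disabled TEXT)');
$db->exec("INSERT INTO host (description, disabled) VALUES ('core-router', ''), ('edge-switch', 'on'), ('lab-box', '')");

// Vulnerable: the filter becomes part of the SQL text, so a quote in it
// changes the structure of the query instead of being matched as data.
function new_graphs_sql_unsafe(PDO $db, string $filter): array {
    $sql = "SELECT id, description FROM host WHERE disabled = '' AND description LIKE '%" . $filter . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the filter is bound as a parameter. LIKE metacharacters are
// escaped so a user typing '%' or '_' gets a literal match, and the ESCAPE
// clause tells the engine which character was used for that.
function new_graphs_sql_safe(PDO $db, string $filter): array {
    $like = '%' . addcslashes($filter, '\\%_') . '%';
    $stmt = $db->prepare(
        "SELECT id, description FROM host WHERE disabled = '' AND description LIKE ? ESCAPE '\\'"
    );
    $stmt->execute([$like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed filter values: an ordinary search and one carrying a quote
// and a comment marker, the shape a scanner or a tester would send.
$normal  = 'router';
$hostile = "' OR 1=1 --";

print_r(new_graphs_sql_safe($db, $normal));    // core-router only
print_r(new_graphs_sql_unsafe($db, $hostile)); // every host, the disabled one included
print_r(new_graphs_sql_safe($db, $hostile));   // empty: the value is matched literally
```

Two details matter beyond "use prepared statements". First, `PDO::ATTR_EMULATE_PREPARES => false` makes the driver send the statement and the values separately rather than having PDO quote them client-side. Second, parameter binding does not neutralise LIKE wildcards, which is why the escaped pattern and the `ESCAPE` clause are there; without them a filter of `%` matches every row, which is a data-exposure issue rather than an injection, but the same kind of surprise.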
Affected Products
References
- CVE-2024-31460
- SUSE Bug 1224239
Description
Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if it is available, else it uses `md5`. When verifying a password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if it is available, else `md5` is used. `password_verify` and `password_hash` are supported on PHP < 5.5.0, according to the PHP manual. The vulnerability is in `compat_password_verify`. The md5-hashed user input is compared with the correct password hash in the database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue.
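The entry above names the defect (`==` instead of `===`) but not the mechanism behind it. What follows is an added example, not Cacti code, that first shows PHP's loose comparison treating two different numeric-looking strings as equal, then places a verifier written the way the entry describes beside a hardened one that uses `password_verify` for modern hashes and a constant-time, type-strict comparison for legacy md5 records. The function names mirror the entry's description but are written here from scratch; the stored hashes are constructed.

```php
<?php
// Added example, not Cacti code: why `$md5 == $hash` in a legacy verifier is
// unsafe and what the comparison should look like instead. The function
// names follow the advisory text; the hash values below are constructed.

// PHP's loose comparison converts two numeric-looking strings to numbers
// before comparing them. Strings of the form "0e<digits>" are numeric and
// equal to zero, so two different strings compare equal under ==.
function loose_equal(string $a, string $b): bool {
    return $a == $b;
}

var_dump(loose_equal('0e1', '0e2'));   // bool(true): both parse as 0.0
var_dump('0e1' === '0e2');             // bool(false)
var_dump(hash_equals('0e1', '0e2'));   // bool(false)

// Legacy verifier as the advisory describes it: md5 of the input compared
// loosely against the stored value.
function compat_password_verify_unsafe(string $password, string $hash): bool {
    return md5($password) == $hash;
}

// Hardened verifier: password_verify() for hashes it recognises; for a
// legacy md5 record, a constant-time, type-strict comparison, and a flag
// telling the caller to rehash the password with password_hash() now that
// the plaintext is available.
function compat_password_verify_safe(string $password, string $hash, bool &$needs_rehash): bool {
    $needs_rehash = false;
    $info = password_get_info($hash);
    if ($info['algo'] !== null && $info['algo'] !== 0) {
        return password_verify($password, $hash);
    }
    // Legacy md5: exactly 32 lowercase hex characters, anything else is rejected.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
        return false;
    }
    $needs_rehash = true;
    return hash_equals($hash, md5($password));
}

$legacy_hash = md5('correct horse');   // constructed legacy user record
$modern_hash = password_hash('correct horse', PASSWORD_DEFAULT);

var_dump(compat_password_verify_unsafe('correct horse', $legacy_hash));          // bool(true)
var_dump(compat_password_verify_safe('correct horse', $legacy_hash, $rehash));   // bool(true)
var_dump($rehash);                                                                // bool(true): upgrade this record
var_dump(compat_password_verify_safe('wrong', $legacy_hash, $rehash));           // bool(false)
var_dump(compat_password_verify_safe('correct horse', $modern_hash, $rehash));   // bool(true)
var_dump($rehash);                                                                // bool(false): already modern
```

`hash_equals()` does two things here: it compares as strings without type juggling, and it runs in time independent of where the first differing byte is, which is the property you want for any secret comparison. The rehash flag is the operational half of the fix; a patched comparison still leaves unsalted md5 records in the table, and the only moment the application can upgrade them is a successful login.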
Affected Products
References
- CVE-2024-34340
- SUSE Bug 1224241