ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sumit Mohanty (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-1934) Security vulnerability with Ganglia and Nagios
Date Mon, 15 Apr 2013 16:56:15 GMT
Sumit Mohanty created AMBARI-1934:
-------------------------------------

             Summary: Security vulnerability with Ganglia and Nagios
                 Key: AMBARI-1934
                 URL: https://issues.apache.org/jira/browse/AMBARI-1934
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 1.3.0
            Reporter: Sumit Mohanty
            Assignee: Sumit Mohanty
             Fix For: 1.3.0


Ganglia Issue : 
Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary
PHP code via unknown attack vectors. 

http://ganglia.info/?p=549 

Ganglia Web 3.5.1 Release – Security Advisory 
There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary
script being executed with web user privileges possibly leading to a machine compromise. Issue
has been fixed in the latest version of Ganglia Web which can be downloaded from https://sourceforge.net/projects/ganglia/files/ganglia-web/3.5.1/


Solution: 
Need to get upgraded rpms with the Ganglia Web version 3.5.7 which has the fix for this vulnerability.

Nagios: 
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios
Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4,
might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host
parameter) or (2) svc_description variable. 

http://www.nagios.org/projects/nagioscore/history/core-3x 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html 

Vulnerable software and versions - nagios:nagios:3.4.3 and previous versions 


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message