Skip to Content.
Sympa Menu

perfsonar-announce - cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)

Subject: perfSONAR Announcements

List archive

cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)


Chronological Thread 
  • From: Jason Zurawski <>
  • To: "" <>, perfsonar-announce <>
  • Cc: "" <>
  • Subject: cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)
  • Date: Mon, 14 Apr 2014 22:55:31 -0400

Greetings;

The perfSONAR project was made aware of two CVEs related to the cacti
software. More information is available by following these links:

https://access.redhat.com/security/cve/CVE-2014-2708
https://access.redhat.com/security/cve/CVE-2014-2709

Users who have concerns about these bugs, in the interim before we can make a
fix available, can apply the following changes to their nodes to prevent
un-authenticated access to the data that cacti is collecting. Note this
change works for both netinstall and live cd instances (and will survive a
reboot):

1) As sudo or root user, edit //etc/httpd/conf.d/apache-toolkit_web_gui.conf

2) Add this line (anywhere) in the file:

> RewriteRule ^/toolkit/gui/cacti(.*)
> https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]

3) Restart apache (sudo /etc/init.d/httpd restart)

We will be working to create a patched version of cacti, and will advise when
a new package is available from our repositories for netinstall users. There
are no plans to create a new LiveCD/LiveUSB image due to the specific use
case that cacti presents, as well as the availability of a workaround listed
above.

Please relay any questions or concerns you may have to the developers mailing
list
();

-jason




Archive powered by MHonArc 2.6.16.

Top of Page