perfsonar-announce - cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)
Subject: perfSONAR Announcements
- From: Jason Zurawski <>
- To: "" <>, perfsonar-announce <>
- Cc: "" <>
- Subject: cacti vulnerabilities (CVE-2014-2708 and CVE-2014-2709)
- Date: Mon, 14 Apr 2014 22:55:31 -0400
Greetings;
The perfSONAR project was made aware of two CVEs related to the cacti
software. More information is available by following these links:
https://access.redhat.com/security/cve/CVE-2014-2708
https://access.redhat.com/security/cve/CVE-2014-2709
Users who have concerns about these bugs, in the interim before we can make a
fix available, can apply the following changes to their nodes to prevent
un-authenticated access to the data that cacti is collecting. Note this
change works for both netinstall and live cd instances (and will survive a
reboot):
1) As sudo or root user, edit /etc/httpd/conf.d/apache-toolkit_web_gui.conf
2) Add this line (anywhere) in the file:
> RewriteRule ^/toolkit/gui/cacti(.*) https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]
3) Restart apache (sudo /etc/init.d/httpd restart)
We will be working to create a patched version of cacti, and will advise when
a new package is available from our repositories for netinstall users. There
are no plans to create a new LiveCD/LiveUSB image due to the specific use
case that cacti presents, as well as the availability of a workaround listed
above.
Please relay any questions or concerns you may have to the developers mailing
list
();
-jason
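
A shell script for checking and applying steps 1 and 2 above, added here as an example; it is not part of the original message or of perfSONAR's code. The function names are hypothetical, the rule text is the one given in the message, and the script refuses to proceed when the rule was pasted split across two lines, as e-mail wrapping can leave it.

```sh
#!/bin/sh
# Added example (not perfSONAR code). Function names are hypothetical.
# Usage on a node, as root (path from the message), then restart apache:
#   add_cacti_redirect /etc/httpd/conf.d/apache-toolkit_web_gui.conf

# The workaround rule from the message, as ONE line.
RULE='RewriteRule ^/toolkit/gui/cacti(.*) https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]'

# Print the file with whitespace runs collapsed and line ends trimmed.
normalize() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1"
}

# True when the complete, uncommented rule is present on a single line.
has_cacti_redirect() {
    normalize "$1" | grep -qxF "$RULE"
}

# True when only the first half of the rule sits on a line by itself,
# i.e. the wrapped two-line form was pasted; Apache rejects that form.
has_wrapped_rule() {
    normalize "$1" | grep -qxF 'RewriteRule ^/toolkit/gui/cacti(.*)'
}

# mod_rewrite ignores RewriteRule unless the engine is enabled.
# Assumption: the toolkit conf file enables it in the same file.
rewrite_engine_on() {
    normalize "$1" | grep -qix 'RewriteEngine on'
}

# Idempotently append the rule, keeping a .bak copy of the original.
# Returns 0 on success, 2 if the file is missing, 3 if a wrapped rule exists.
add_cacti_redirect() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    if has_wrapped_rule "$1"; then
        echo "rule is split across two lines in $1; join it first" >&2
        return 3
    fi
    has_cacti_redirect "$1" && return 0
    rewrite_engine_on "$1" || echo "warning: no 'RewriteEngine on' in $1" >&2
    cp -p "$1" "$1.bak" || return 1
    printf '%s\n' "$RULE" >> "$1"
}
```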