Skip to Content.
Sympa Menu

perfsonar-announce - Important perfSONAR Toolkit Security Update

Subject: perfSONAR Announcements

List archive

Important perfSONAR Toolkit Security Update

Chronological Thread 
  • From: Andrew Lake <>
  • To: perfsonar-announce <>, "" <>
  • Cc: "" <>
  • Subject: Important perfSONAR Toolkit Security Update
  • Date: Wed, 18 Jun 2014 15:45:50 -0400


Yesterday an issue was found with the Cacti configuration on all perfSONAR Toolkit nodes. The issue allows someone to access a settings web page unauthenticated from which they can change titles and other display values on the Cacti graphs. The extent of the harm that can be done appears to be limited to defacing the Cacti web pages, and unfortunately this was exploited in a few cases. Yesterday we posted manual work-arounds to correct this issue but today we have updates that will automatically apply the necessary fixes.  The updates will 1) clear out any defaced fields and 2) require authentication to ANY cacti page, including just viewing the graphs. We recommend ALL users update as soon as possible by taking the following steps:

NetInstall Users:
 - Login to the command-line of your host and run 'yum update'
-  Run ' /sbin/service httpd restart'

LiveCD/LiveUSB Users:
 - Download and create a new CD from the relevant images found here:

Thank you to all our users that brought this to our attention and have helped us get to a solution. The perfSONAR core development team takes issues like this very seriously, and we do our best to get fixes out as soon as possible. As always, it's important to remember that the Toolkit nodes are at their center just Linux servers and it is important to keep them patched like any other host. Please let us know if you have any further questions about this issue and thanks again for everyone's help and understanding while we worked toward getting this resolved.

Thank you,
The perfSONAR Development Team

Archive powered by MHonArc 2.6.16.

Top of Page