perfsonar-announce - Re: Important perfSONAR Toolkit Security Update

Subject: perfSONAR Announcements

  • From: R Phipps <>
  • To:
  • Subject: Re: Important perfSONAR Toolkit Security Update
  • Date: Fri, 20 Jun 2014 10:16:18 -0400
  • Organization: Virginia Tech

Some perfsonar installations will have an issue with this update of the perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.3.2-16.pSPS.noarch package.


- Issue: error messages during 'yum update' for perfsonar installations where mysql root password is not empty.

... <snipped normal yum update messages> ...
Running: /opt/perfsonar_ps/toolkit/scripts/system_environment/cleanup_cacti upgrade
mysqld (pid 1445) is running...
Reseting default values
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
... <more messages like this snipped> ...

- Cause:
The update expects the mysql root password to be null (as in the default install). If you've left the mysql root password empty, this issue should not occur.

- Work-around:
1- Temporarily set your mysql root password to empty.
2- As root, execute: /opt/perfsonar_ps/toolkit/scripts/system_environment/cleanup_cacti upgrade
3- Reset your mysql root password to the previous value.

On 06/18/2014 03:45 PM, Andrew Lake wrote:

Yesterday an issue was found with the Cacti configuration on all
perfSONAR Toolkit nodes. The issue allows someone to access a settings
web page unauthenticated from which they can change titles and other
display values on the Cacti graphs. The extent of the harm that can be
done appears to be limited to defacing the Cacti web pages, and
unfortunately this was exploited in a few cases. Yesterday we posted
manual work-arounds to correct this issue but today we have updates that
will automatically apply the necessary fixes. The updates will 1) clear
out any defaced fields and 2) require authentication to ANY cacti page,
including just viewing the graphs. *We recommend ALL users update as
soon as possible by taking the following steps:*

NetInstall Users:
- Login to the command-line of your host and run 'yum update'
- Run '/sbin/service httpd restart'

LiveCD/LiveUSB Users:
- Download and create a new CD from the relevant images found here:

Thank you to all our users that brought this to our attention and have
helped us get to a solution. The perfSONAR core development team takes
issues like this very seriously, and we do our best to get fixes out as
soon as possible. As always, it's important to remember that the Toolkit
nodes are at their center just Linux servers and it is important to keep
them patched like any other host. Please let us know if you have any
further questions about this issue and thanks again for everyone's help
and understanding while we worked toward getting this resolved.

Thank you,
The perfSONAR Development Team
