perfSONAR User Q&A and Other Discussion

[Jason Zurawski <>]

Greetings;

The perfSONAR project was made aware of two CVEs related to the cacti 
software.  More information is available by following these links:

https://access.redhat.com/security/cve/CVE-2014-2708
https://access.redhat.com/security/cve/CVE-2014-2709

Users who have concerns about these bugs, in the interim before we can make a 
fix available, can apply the following changes to their nodes to prevent 
un-authenticated access to the data that cacti is collecting.  Note this 
change works for both netinstall and live cd instances (and will survive a 
reboot):

1) As sudo or root user, edit //etc/httpd/conf.d/apache-toolkit_web_gui.conf 

2) Add this line (anywhere) in the file:

> RewriteRule ^/toolkit/gui/cacti(.*) 
> https://%{SERVER_NAME}/toolkit/admin/cacti$1 [R,L]

3) Restart apache (sudo /etc/init.d/httpd restart)

We will be working to create a patched version of cacti, and will advise when 
a new package is available from our repositories for netinstall users.  There 
are no plans to create a new LiveCD/LiveUSB image due to the specific use 
case that cacti presents, as well as the availability of a workaround listed 
above.  

Please relay any questions or concerns you may have to the developers mailing 
list 
();

-jason