perfsonar-user - [perfsonar-user] Fwd: Important perfSONAR Toolkit Security Update
Subject: perfSONAR User Q&A and Other Discussion
- From: Jason Zurawski <>
- To: "" <>
- Cc: "" <>
- Subject: [perfsonar-user] Fwd: Important perfSONAR Toolkit Security Update
- Date: Fri, 20 Jun 2014 10:22:57 -0400
FYI for those not on this list
-jason
Begin forwarded message:
> From: R Phipps
> <>
> Subject: Re: Important perfSONAR Toolkit Security Update
> Date: June 20, 2014 10:16:18 AM EDT
> To:
>
>
> Some perfsonar installations will have an issue with this update of the
> perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.3.2-16.pSPS.noarch package.
>
> ---------------------------------------------------------------
>
> - Issue: error messages during 'yum update' for perfsonar installations
> where mysql root password is not empty.
>
> ... <snipped normal yum update messages> ...
> Running: /opt/perfsonar_ps/toolkit/scripts/system_environment/cleanup_cacti
> upgrade
> mysqld (pid 1445) is running...
> Reseting default values
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)
> ... <more messages like this snipped> ...
>
> - Cause:
> The update expects the mysql root password to be null (as in the default
> install). If you've left the mysql root password empty, this issue should
> not occur.
>
> - Work-around:
> 1- temporarily set your mysql root password to empty.
> 2- As root, execute:
> /opt/perfsonar_ps/toolkit/scripts/system_environment/cleanup_cacti upgrade
> 3- Reset your mysql root password to the previous value.
>
> On 06/18/2014 03:45 PM, Andrew Lake wrote:
>> All,
>>
>> Yesterday an issue was found with the Cacti configuration on all
>> perfSONAR Toolkit nodes. The issue allows someone to access a settings
>> web page unauthenticated from which they can change titles and other
>> display values on the Cacti graphs. The extent of the harm that can be
>> done appears to be limited to defacing the Cacti web pages, and
>> unfortunately this was exploited in a few cases. Yesterday we posted
>> manual work-arounds to correct this issue but today we have updates that
>> will automatically apply the necessary fixes. The updates will 1) clear
>> out any defaced fields and 2) require authentication to ANY cacti page,
>> including just viewing the graphs. *We recommend ALL users update as
>> soon as possible by taking the following steps:*
>>
>> NetInstall Users:
>> - Login to the command-line of your host and run 'yum update'
>> - Run '/sbin/service httpd restart'
>>
>> LiveCD/LiveUSB Users:
>> - Download and create a new CD from the relevant images found here:
>> http://software.internet2.edu/pS-Performance_Toolkit/
>>
>> Thank you to all our users that brought this to our attention and have
>> helped us get to a solution. The perfSONAR core development team takes
>> issues like this very seriously, and we do our best to get fixes out as
>> soon as possible. As always, it's important to remember that the Toolkit
>> nodes are at their center just Linux servers and it is important to keep
>> them patched like any other host. Please let us know if you have any
>> further questions about this issue and thanks again for everyone's help
>> and understanding while we worked toward getting this resolved.
>>
>> Thank you,
>> The perfSONAR Development Team
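
An added example, not part of the original messages and not perfSONAR project code: a check over saved 'yum update' output that reports whether the cleanup_cacti step hit the MySQL "Access denied" failure described above, in which case the work-around still has to be run. It assumes the yum output was captured to a file (for example with tee); the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# cacti_cleanup_status: read captured 'yum update' output on stdin and report
# how the cleanup_cacti step went. Prints one of: not-run | ok | failed:<count>
cacti_cleanup_status() {
    awk '
        # The update announces the cleanup script before running it.
        /Running: .*\/system_environment\/cleanup_cacti/ { seen = 1; next }
        # Count root@localhost rejections that follow that step. The match
        # stops at "localhost" so it also works on line-wrapped copies.
        seen && /ERROR 1045 \(28000\): Access denied for user .root.@.localhost./ { denied++ }
        END {
            if (!seen)       print "not-run"
            else if (denied) print "failed:" denied
            else             print "ok"
        }
    '
}

# Constructed sample, modelled on the error excerpt quoted in the thread.
sample_failed_output() {
    cat <<'EOF'
Running: /opt/perfsonar_ps/toolkit/scripts/system_environment/cleanup_cacti upgrade
mysqld (pid 1445) is running...
Reseting default values
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
EOF
}

# Demo on the constructed sample.
sample_failed_output | cacti_cleanup_status
```

A result of "failed:N" means the cleanup did not complete on that host, so the work-around steps above still apply; "not-run" means the captured output never reached the cleanup step.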