You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Sumit Mohanty (JIRA)" <ji...@apache.org> on 2013/04/15 19:22:15 UTC

[jira] [Resolved] (AMBARI-1934) Security vulnerability with Ganglia and Nagios

     [ https://issues.apache.org/jira/browse/AMBARI-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sumit Mohanty resolved AMBARI-1934.
-----------------------------------

    Resolution: Fixed
    
> Security vulnerability with Ganglia and Nagios
> ----------------------------------------------
>
>                 Key: AMBARI-1934
>                 URL: https://issues.apache.org/jira/browse/AMBARI-1934
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: Sumit Mohanty
>            Assignee: Sumit Mohanty
>             Fix For: 1.3.0
>
>         Attachments: AMBARI-1934.patch
>
>
> Ganglia Issue : 
> Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors. 
> http://ganglia.info/?p=549 
> Ganglia Web 3.5.1 Release – Security Advisory 
> There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary script being executed with web user privileges possibly leading to a machine compromise. Issue has been fixed in the latest version of Ganglia Web which can be downloaded from https://sourceforge.net/projects/ganglia/files/ganglia-web/3.5.1/ 
> Solution: 
> Need to get upgraded rpms with the Ganglia Web version 3.5.7 which has the fix for this vulnerability.
> Nagios: 
> Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable. 
> http://www.nagios.org/projects/nagioscore/history/core-3x 
> http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089125.html 
> Vulnerable software and versions - nagios:nagios:3.4.3 and previous versions 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira