
A cacti, cacti-spine security update has been released for openSUSE Backports SLE-15-SP3 (the openSUSE package backports for SUSE Linux Enterprise 15 SP3).



openSUSE-SU-2022:0145-1: moderate: Security update for cacti, cacti-spine


openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0145-1
Rating: moderate
References: #1192408 #1196692
Cross-References: CVE-2022-0730
CVSS scores:
CVE-2022-0730 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that solves one vulnerability and has one erratum
is now available.

Description:

This update for cacti, cacti-spine fixes the following issues:

cacti-spine was updated to 1.2.20:

* Add support for newer versions of MySQL/MariaDB
* When checking for uptime of device, don't assume a non-response is
always fatal
* Fix description and command truncation issues
* Improve spine performance when only one snmp agent port is in use

cacti-spine 1.2.19:

* Fix issues with polling loop that may skip some datasources
* Fix ping no longer works due to hostname changes
* Fix RRD steps are not always calculated correctly
* Fix unable to build when DES no longer supported
* Fix IPv6 devices are not properly parsed
* Reduce a number of compiler warnings
* Fix compiler warnings due to lack of return in thread_mutex_trylock
* Fix Spine will not look at non-TimeTicks uptime when sysUpTimeInstance
overflows
* Improve performance of Cacti poller on heavily loaded systems

cacti was updated to 1.2.20:

* Security fix for CVE-2022-0730 (boo#1196692): under certain LDAP
conditions, Cacti authentication can be bypassed with certain
credential types.
* Security fix: Device, Graph, Graph Template, and Graph Items may be
vulnerable to XSS issues
* Security fix: Lockout policies are not properly applied to LDAP and
Domain Users
* Security fix: When using 'remember me' option, incorrect realm may be
selected
* Security fix: User and Group maintenance are vulnerable to SQL attacks
* Security fix: Color Templates are vulnerable to XSS attack
* Features:
* When creating a Data Source Profile, allow additional choices for
Heartbeat
* Change select all options to use Font Awesome icons
* Improve spine performance by storing the total number of system
snmp_ports in use
* Prevent Template User Accounts from being Removed
* When managing by users, allow filtering by Realm
* Allow plugins to supply template account names
* When viewing logs, additional message types should be filterable
* When creating a Graph Template Item, allow filtering by Data Template
* Allow language handler to be selected via UI
* Updated Device packages for Synology, Citrix NetScaler, Cisco
ASA/Cisco
* Add Advanced Ping Graph Template to initial Installable templates
* Add LDAP Debug Mode option
* Allow Reports to include devices not on a Tree
* Allow Basic Authentication to display custom failure message
* Fix: When replicating data during installation/upgrade, system may
appear to hang
* Fix: Graph Template Items may have duplicated entries
* Fix: Unable to Save Graph Settings
* Fix: Script Server may crash if an OID is missing or unavailable
* Fix: When system-wide polling is disabled, remote pollers may fail to
sync changed settings
* Fix: When updating poller name, duplicate name protection may be over
zealous
* Fix: Titles may show "Missing Datasource" incorrectly
* Fix: Checking for MIB Cache can cause crashes
* Fix: Polling cycles may not always complete as expected
* Fix: When viewing graph data, non-numeric values may appear
* Fix: Utilities view has calculation errors when there are no data
sources
* Fix: When editing Reports, drag and drop may not function as intended
* Fix: When data drive is full, viewing a Graph can result in errors
* Various other bug fixes

cacti 1.2.19:

* Further fixes for grave character security protection (boo#1192408)
* Fix over-aggressive escaping causing menu visibility issues on Create
Device page
* Add SHA256 and AES256 security levels for SNMP polling
* Fix Import graph template (Preview Only) shows the new color_id value as a
blank area
* Fix Editing graphs errors due to missing sequence
* Fix When hovering over a Tree Graph, row shows same highlighting as
Graph Edit screen
* Fix When RealTime is not active, console errors may appear
* Fix race conditions may occur when multiple RRDtool processes are
running
* Fix errors creating graphs from templates
* Fix errors when duplicating reports
* Fix Boost may be blocked by overflowing poller_output table
* Fix Template import may be blocked due to unmet dependency warnings
with snmp ports
* Fix Newer MySQL versions may error if committing a transaction when
not in one
* Fix SNMP Agent may not find a cache item
* Fix Correct issues running under PHP 8.x
* Fix When polling is disabled, boost may crash and create many arch
tables
* Fix When poller runs, memory tables may not always be present
* Fix Timezones may sometimes be incorrectly calculated
* Fix Allow monitoring IPv6 with interface graphs
* Fix When a data source uses a Data Input Method, those without a
mapping should be flagged
* Fix When RRDfile is not yet created, errors may appear when displaying
the graph
* Fix Cacti missing key indexes that result in Preset pages slowdowns
* Fix Data Sources page shows no name when Data Source has no name cache
* Fix db_update_table function cannot alter table from signed to
unsigned
* Fix data remains in poller_output table even if it's flushed to rrd
files
* Fix Parameter list for lib/database.php:db_connect_real() is not
correct in 3 places
* Fix Offset is a reserved word in MariaDB 10.6 affecting Report
* Fix Rendering large trees slowed due to lack of permission caching
* Fix Error on interpretation of snmpUtime when too big
* Fix Applying right axis formatting creates an error-image
* Fix Unable to Save Graph Settings from the Graphs pages
* Fix Graph Template Cache is nullified too often when Graph Automation
is running
* Fix When Adding a Data Query to a Device, no Progress Spinner is shown
* Fix New Browser Breaks Plugins that depend on non-UTC date time data
* Fix errors when testing remote poller connectivity
* Fix errors when renaming poller
* Fix Removing spikes by Variance does not appear to be working beyond
the first RRA
* Fix LDAP API lacks timeout options leading to bad login experiences
* Add a normal/wrap class for general use
* Limit File Types available for Template Import operations
* Fix Cacti does not provide an option of providing a client side
certificate for LDAP/AD authentication
* Support Stronger Encryption Available Starting in Net-SNMP v5.8
* Allow Cacti to use multiple possible LDAP servers
* Add a 15 minute polling/sampling interval
* Provide additional admin email notifications
* Add warnings for undesired changes to plugin hook return values
* When creating a Graph, make testing the Data Sources optional by
Template
* Update phpseclib to 2.0.33
* Update jstree.js to 3.3.12
* Improve performance of Cacti poller on heavily loaded systems
* MariaDB recommendations need some tuning for recent updates

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-145=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

cacti-spine-1.2.20-bp153.2.9.1

- openSUSE Backports SLE-15-SP3 (noarch):

cacti-1.2.20-bp153.2.9.1
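The package list above is the ground truth for an audit: a host is fixed only if its installed cacti and cacti-spine are at or above 1.2.20-bp153.2.9.1 by rpm's own ordering rules (segment-wise numeric comparison, so 1.2.20 is newer than 1.2.9 even though it sorts lower as a string). The following script is an added example, not part of this advisory or of the Cacti project. It re-implements rpm's version comparison (rpmvercmp, including the '~' pre-release rule) in pure Python so that captured `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' cacti cacti-spine` output from many hosts can be graded offline. The three sample outputs are constructed, not real captures; the FIXED values are taken from the Package List. It assumes no Epoch on these packages (the advisory lists none) and does not implement the '^' operator that newer rpm releases added.

```python
"""Grade captured `rpm -q` output against the fixed Cacti versions from
openSUSE-SU-2022:0145-1.

Added example, not code from the advisory or from Cacti. rpmvercmp() below is a
pure-Python port of rpm's segment comparison so the check runs offline.
"""
import re

# Fixed "version-release" strings, taken from the advisory's Package List.
FIXED = {
    "cacti": "1.2.20-bp153.2.9.1",
    "cacti-spine": "1.2.20-bp153.2.9.1",
}

# Constructed sample (not real captures): what
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' cacti cacti-spine
# might print on three hosts. rpm prints "package X is not installed" when absent.
SAMPLE_RPM_OUTPUT = {
    "host-a": "cacti-1.2.19-bp153.2.6.1\ncacti-spine-1.2.19-bp153.2.6.1\n",
    "host-b": "cacti-1.2.20-bp153.2.9.1\ncacti-spine-1.2.20-bp153.2.9.1\n",
    "host-c": "cacti-1.2.20-bp153.2.9.1\npackage cacti-spine is not installed\n",
}

_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def _skip_separators(s: str) -> str:
    """Drop leading characters that are neither ASCII alphanumeric nor '~'."""
    i = 0
    while i < len(s) and not (s[i].isascii() and (s[i].isalnum() or s[i] == "~")):
        i += 1
    return s[i:]


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings like rpm: 1 if a is newer,
    -1 if b is newer, 0 if equal. Numeric segments compare as integers,
    alphabetic ones as ASCII, a numeric segment beats an alphabetic one,
    and '~' sorts before anything (1.0~rc1 < 1.0). '^' is not handled."""
    if a == b:
        return 0
    while a or b:
        a, b = _skip_separators(a), _skip_separators(b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        is_num = a[0].isdigit()
        seg_re = _NUM if is_num else _ALPHA
        sa = seg_re.match(a).group(0)
        mb = seg_re.match(b)
        if mb is None:
            # Segment types differ: the numeric side is the newer one.
            return 1 if is_num else -1
        sb = mb.group(0)
        if is_num:
            # Leading zeros are insignificant; longer digit string is larger.
            ca, cb = sa.lstrip("0"), sb.lstrip("0")
            if len(ca) != len(cb):
                return 1 if len(ca) > len(cb) else -1
        else:
            ca, cb = sa, sb
        if ca != cb:
            return 1 if ca > cb else -1
        a, b = a[len(sa):], b[len(sb):]
    if not a and not b:
        return 0
    return -1 if not a else 1


def parse_nvr(line: str):
    """Split 'name-version-release' on the last two hyphens; names such as
    cacti-spine contain hyphens, so a left-to-right split would be wrong."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def compare_vr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version first, release breaks ties."""
    vi, ri = installed.rsplit("-", 1)
    vf, rf = fixed.rsplit("-", 1)
    return rpmvercmp(vi, vf) or rpmvercmp(ri, rf)


def patch_status(rpm_q_output: str) -> dict:
    """Map each package in FIXED to 'patched', 'vulnerable' or 'not installed'."""
    status = {name: "not installed" for name in FIXED}
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.startswith("package "):
            continue
        name, version, release = parse_nvr(line)
        if name in FIXED:
            cmp = compare_vr(f"{version}-{release}", FIXED[name])
            status[name] = "patched" if cmp >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    for host, output in SAMPLE_RPM_OUTPUT.items():
        print(host, patch_status(output))
```

On the host itself `zypper patch-check` or `rpm -q cacti cacti-spine` answers the question directly; the script is for grading collected inventory without shelling out to rpm, and it deliberately treats a missing cacti-spine as "not installed" rather than "patched" so that a partially removed installation is not mistaken for a fixed one.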

References:

  https://www.suse.com/security/cve/CVE-2022-0730.html
  https://bugzilla.suse.com/1192408
  https://bugzilla.suse.com/1196692