openSUSE Security Update: Security update for cacti, cacti-spine
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0275-1
Rating:             important
References:         #1215040 #1215042 #1215043 #1215044 #1215045 #1215047
                    #1215050 #1215051 #1215052 #1215053 #1215054 #1215055
                    #1215056 #1215058 #1215059 #1215081 #1215082
Cross-References:   CVE-2023-30534 CVE-2023-39357 CVE-2023-39358 CVE-2023-39359
                    CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 CVE-2023-39364
                    CVE-2023-39365 CVE-2023-39366 CVE-2023-39510 CVE-2023-39511
                    CVE-2023-39512 CVE-2023-39513 CVE-2023-39514 CVE-2023-39515
                    CVE-2023-39516
CVSS scores:
                    CVE-2023-30534 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
                    CVE-2023-39357 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-39358 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-39359 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-39360 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                    CVE-2023-39361 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-39362 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2023-39364 (NVD) : 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
                    CVE-2023-39365 (NVD) : 4.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
                    CVE-2023-39366 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39510 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39511 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39512 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39513 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39514 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39515 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
                    CVE-2023-39516 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Affected Products:
                    SUSE Linux Enterprise High Performance Computing 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12
                    SUSE Linux Enterprise Server for SAP Applications 12-SP3
                    SUSE Linux Enterprise Server for SAP Applications 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes 17 vulnerabilities is now available.

Description:

   This update for cacti, cacti-spine fixes the following issues:

   cacti-spine 1.2.25:

   * Spine should see if script to be executed is executable
   * Enhance number recognition
   * When polling devices, sort by larger number of items first
   * Log format may be corrupted when timeout occurs
   * Compile warning appears due to GCC flag on RHEL7/RHEL8
   * Downed device detection only checks one of the two uptime OIDs
   * Compile error appears due to execinfo.h on FreeBSD
   * Bootstrap shell script contains some PHP cruft
   * Padding is not always removed from the start of non-numeric strings
   * Improve SNMP result handling for non-numeric results
   * Further improve SNMP result handling for non-numeric results
   * Remove check for the max_oids column which has been present since Cacti v1.0
   * Minimize sorting when fetching poller records for maximum performance

   cacti-spine 1.2.24:

   * Fix segfault when ignoring older OIDs

   cacti 1.2.25:

   * CVE-2023-30534: Protect against insecure deserialization of filter data (boo#1215082)
   * CVE-2023-39360: Cross-Site Scripting vulnerability when creating new graphs (boo#1215044)
   * CVE-2023-39361: Unauthenticated SQL Injection when viewing graphs (boo#1215045)
   * CVE-2023-39357: SQL Injection when saving data with sql_save() (boo#1215040)
   * CVE-2023-39362: Authenticated command injection when using SNMP options (boo#1215047)
   * CVE-2023-39359: Authenticated SQL injection vulnerability when managing graphs (boo#1215043)
   * CVE-2023-39358: Authenticated SQL injection vulnerability when managing reports (boo#1215042)
   * CVE-2023-39365: SQL Injection when using regular expressions (boo#1215051)
   * CVE-2023-39364: Redirect in change password functionality (boo#1215050)
   * CVE-2023-39366: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215052)
   * CVE-2023-39510: Cross-Site Scripting vulnerability with Device Name when administrating Reports (boo#1215053)
   * CVE-2023-39511: Cross-Site Scripting vulnerability with Device Name when editing Graphs whilst managing Reports (boo#1215081)
   * CVE-2023-39512: Cross-Site Scripting vulnerability with Device Name when managing Data Sources (boo#1215054)
   * CVE-2023-39513: Cross-Site Scripting vulnerability with Device Name when debugging data queries (boo#1215055)
   * CVE-2023-39514: Cross-Site Scripting vulnerability with Data Source Name when managing Graphs (boo#1215056)
   * CVE-2023-39515: Cross-Site Scripting vulnerability with Data Source Name when debugging Data Queries (boo#1215058)
   * CVE-2023-39516: Cross-Site Scripting vulnerability with Data Source Information when managing Data Sources (boo#1215059)
   * When rebuilding the Poller Cache from command line, allow it to be multi-threaded
   * When searching tree or list views, the URL does not update after changes
   * When creating a Data Source Template with a specific SNMP port, the port is not always applied
   * When a Data Query references a file, the filename should be trimmed to remove spurious spaces
   * THold plugin may not always install or upgrade properly
   * RRD file structures are not always updated properly if there are more Data Sources in the Data Template than in the Graph Template
   * When reindexing devices, errors may sometimes be shown
   * Boost may lose data when the database server is overloaded
   * Boost can sometimes output unexpected or invalid values
   * Boost should not attempt to start if there are no items to process
   * Rebuilding the poller cache does not always work as expected
   * Host CPU items may not poll as expected when on a remote data collector where hmib is also enabled
   * When creating new graphs, invalid offset errors may be generated
   * When importing packages, SQL errors may be generated
   * When managing plugins from command line, the --plugin option is not properly handled
   * When automating an install of Cacti, error messages can appear
   * When performing an automated install of a plugin, warnings can be thrown
   * Automation references the wrong table name, causing errors
   * Data Source Info Mode produces invalid recommendations
   * Data Source Debug 'Run All' generates too many log messages
   * The description of rebuild poller cache in utilities does not display properly
   * When reindexing a device, debug information may not always display properly
   * Upon displaying a form with errors, the session error fields variable isn't cleared
   * MariaDB clusters will no longer support exclusive locks
   * RRDtool can fail to update when data sources in the Data Template and Graph Template do not match
   * Compatibility improvements for Boost under PHP 8.x
   * When searching the tree, increase the time before querying for items
   * Device Location drop down does not always populate correctly
   * When viewing Realtime graphs, undefined variable errors may be reported
   * SNMP Uptime is not always ignored for spikekills
   * Improve detection of downed Devices
   * When reporting missing functions from Plugins, ensure messages do not occur too often
   * When starting the Cacti daemon, database errors may be reported when there is no problem
   * When reporting from RRDcheck, ensure prefix is in the correct casing
   * Improve Orphaned Data Source options and display
   * Parsing the PHP Configuration may sometimes produce errors
   * Security processes attempt to check for a user lockout even if there is no user logged in
   * When attempting to edit a tree, the search filter for Graphs remains disabled
   * When reindexing, a Data Source that could be un-orphaned may not always be un-orphaned
   * When parsing a date value, there could be more than 30 chars
   * Untemplated Data Sources can fail to update due to lack of an assigned Graph
   * When processing items to check, do not include disabled hosts
   * When saving a Data Source Template, SQL errors may be reported
   * When importing a Template, errors may be recorded
   * Some display strings have invalid formatting that cannot be parsed
   * When filtering with regular expressions, the 'does not match' option does not always function as expected
   * When enabling a plugin, sometimes it can appear as if nothing happens
   * Ensure the Rows Per Page option shows limitations set by configuration
   * Plugins are unable to modify fields in the setting 'Change Device Settings'
   * When reporting emails being sent, ensure BCC addresses are also included
   * Improve compatibility of SNMP class trim handling under PHP 8.x
   * When importing legacy Data Query Templates, the Template can become unusable
   * Provide ability to raise an event when extending the settings form
   * Prevent unsupported SQL Mode flags from being set
   * The DSStats summary does not always display expected values
   * When performing a fresh install, device classification may be missing
   * Duplication functions for Graph/Template and Data Source/Template do not return an id
   * Duplication of Device Templates should be an API call
   * Unable to convert database to latin1 instead of utf8 if desired
   * When creating Graphs, the process may become slower over time as more items exist
   * When a bulk walk size is set to automatic, this is not always set to the optimal value
   * Update copyright notice on import packages
   * When viewing Orphan Graphs, SQL errors may be reported
   * When reindexing hosts from command line, ensure only one process runs at once
   * When a Data Query has no Graphs, it may not be deletable
   * When duplicating a Graph Template, provide an option to not duplicate Data Query association
   * When duplicating a Data Template, errors can appear in the Cacti log
   * When importing a Package, previewing makes unexpected changes to Cacti Templates
   * When enabling boost on a fresh install, an error may be reported
   * Improve compatibility for backtrace logging under PHP 8.x
   * Improve compatibility for Advanced Ping under PHP 8.x
   * Provide new templates for Fortigate and Aruba Cluster to be available during install
   * Provide new template for SNMP Printer to be available during install
   * When importing devices, allow a device classification to be known
   * Extend length of maximum name in settings table
   * Extend length of maximum name in user settings table
   * Data Queries do not have a Duplication function
   * Upgrade d3.js v7.8.2 and billboard.js v3.7.4
   * Upgrade ua-parser.js to version 1.0.35
   * Update Cisco Device Template to include HSRP graph template
   * New hook for device template change 'device_template_change'

   cacti 1.2.24:

   * Fix: Unable to import Local Linux Machine template
   * Fix multiple charting and display issues
   * Compatibility changes for SNMP under PHP 8.2, and other PHP compatibility updates
   * Fix multiple issues editing settings
   * Timeout fixes for Basic Auth
   * Multiple data poller bug fixes

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2023-275=1

Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

      cacti-spine-1.2.25-29.1

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      cacti-1.2.25-35.1

References:

   https://www.suse.com/security/cve/CVE-2023-30534.html
   https://www.suse.com/security/cve/CVE-2023-39357.html
   https://www.suse.com/security/cve/CVE-2023-39358.html
   https://www.suse.com/security/cve/CVE-2023-39359.html
   https://www.suse.com/security/cve/CVE-2023-39360.html
   https://www.suse.com/security/cve/CVE-2023-39361.html
   https://www.suse.com/security/cve/CVE-2023-39362.html
   https://www.suse.com/security/cve/CVE-2023-39364.html
   https://www.suse.com/security/cve/CVE-2023-39365.html
   https://www.suse.com/security/cve/CVE-2023-39366.html
   https://www.suse.com/security/cve/CVE-2023-39510.html
   https://www.suse.com/security/cve/CVE-2023-39511.html
   https://www.suse.com/security/cve/CVE-2023-39512.html
   https://www.suse.com/security/cve/CVE-2023-39513.html
   https://www.suse.com/security/cve/CVE-2023-39514.html
   https://www.suse.com/security/cve/CVE-2023-39515.html
   https://www.suse.com/security/cve/CVE-2023-39516.html
   https://bugzilla.suse.com/1215040
   https://bugzilla.suse.com/1215042
   https://bugzilla.suse.com/1215043
   https://bugzilla.suse.com/1215044
   https://bugzilla.suse.com/1215045
   https://bugzilla.suse.com/1215047
   https://bugzilla.suse.com/1215050
   https://bugzilla.suse.com/1215051
   https://bugzilla.suse.com/1215052
   https://bugzilla.suse.com/1215053
   https://bugzilla.suse.com/1215054
   https://bugzilla.suse.com/1215055
   https://bugzilla.suse.com/1215056
   https://bugzilla.suse.com/1215058
   https://bugzilla.suse.com/1215059
   https://bugzilla.suse.com/1215081
   https://bugzilla.suse.com/1215082
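A verification script for the Patch Instructions and Package List above, added here as an example and not part of the SUSE advisory: it compares the installed cacti and cacti-spine version-release strings against the fixed builds named in the advisory (1.2.25-35.1 and 1.2.25-29.1) and reports which package still needs the patch. It assumes rpm is available on the host being checked and that the version fields are purely numeric, which holds for these two packages.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: report whether the installed
# cacti and cacti-spine packages are at or above the fixed versions from the
# Package List of openSUSE-SU-2023:0275-1.

CACTI_FIXED="1.2.25-35.1"   # cacti-1.2.25-35.1 (noarch)
SPINE_FIXED="1.2.25-29.1"   # cacti-spine-1.2.25-29.1

# version_ge A B: succeed when version-release string A >= B. Fields split on
# '.' and '-' are compared numerically left to right; missing fields count as 0
# (assumption: purely numeric fields, which holds for these two packages).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# installed_version NAME: version-release of the installed rpm, empty if absent.
installed_version() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q "$1" >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}' "$1"
}

# check_package NAME FIXED INSTALLED: print a verdict; fail only when INSTALLED
# is an older (affected) build than FIXED.
check_package() {
    if [ -z "$3" ]; then
        printf '%s: not installed\n' "$1"
    elif version_ge "$3" "$2"; then
        printf '%s %s: patched (fixed in %s)\n' "$1" "$3" "$2"
    else
        printf '%s %s: AFFECTED, update to %s (zypper in -t patch openSUSE-2023-275=1)\n' "$1" "$3" "$2"
        return 1
    fi
}

main() {
    rc=0
    check_package cacti "$CACTI_FIXED" "$(installed_version cacti)" || rc=1
    check_package cacti-spine "$SPINE_FIXED" "$(installed_version cacti-spine)" || rc=1
    return $rc
}

main
```

The script exits non-zero when either package is installed at an affected build, so it can be dropped into a fleet check that runs before and after `zypper patch`.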