openSUSE Security Update: Security update for cacti, cacti-spine ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:0145-1 Rating: moderate References: #1192408 #1196692 Cross-References: CVE-2022-0730 CVSS scores: CVE-2022-0730 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12-SP3 SUSE Linux Enterprise Server for SAP Applications 12-SP4 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Package Hub for SUSE Linux Enterprise 12 openSUSE Backports SLE-15-SP3 ______________________________________________________________________________ An update that solves one vulnerability and has one errata is now available. Description: This update for cacti, cacti-spine fixes the following issues: cacti-spine was updated to 1.2.20: * Add support for newer versions of MySQL/MariaDB * When checking for uptime of device, don’t assume a non-response is always fatal * Fix description and command trunctation issues * Improve spine performance when only one snmp agent port is in use cacti-spine 1.2.19: * Fix 1ssues with polling loop may skip some datasources * Fix ping no longer works due to hostname changes * Fix RRD steps are not always calculated correctly * Fix unable to build when DES no longer supported * Fix IPv6 devices are not properly parsed * Reduce a number of compiler warnings * Fix compiler warnings due to lack of return in thread_mutex_trylock * Fix Spine will not look at non-timetics uptime when sysUpTimeInstance overflows * Improve performance of Cacti poller on heavily loaded systems cacti-spine 1.2.20: * Add support for newer versions of MySQL/MariaDB * When checking for uptime of device, don’t assume a non-response is always fatal * Fix description and command trunctation issues * Improve spine performance when only one snmp agent port is in use cacti was updated to 1.2.20: * Security fix for CVE-2022-0730, boo#1196692 Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types. * Security fix: Device, Graph, Graph Template, and Graph Items may be vulnerable to XSS issues * Security fix: Lockout policies are not properly applied to LDAP and Domain Users * Security fix: When using ‘remember me’ option, incorrect realm may be selected * Security fix: User and Group maintenance are vulnerable to SQL attacks * Security fix: Color Templates are vulnerable to XSS attack * Features: * When creating a Data Source Profile, allow additional choices for Heartbeat * Change select all options to use Font Awesome icons * Improve spine performance by storing the total number of system snmp_ports in use * Prevent Template User Accounts from being Removed * When managing by users, allow filtering by Realm * Allow plugins to supply template account names * When viewing logs, additional message types should be filterable * When creating a Graph Template Item, allow filtering by Data Template * Allow language handler to be selected via UI * Updated Device packages for Synology, Citrix NetScaler, Cisco ASA/Cisco * Add Advanced Ping Graph Template to initial Installable templates * Add LDAP Debug Mode option * Allow Reports to include devices not on a Tree * Allow Basic Authentication to display custom failure message * Fix: When replicating data during installation/upgrade, system may appear to hang * Fix: Graph Template Items may have duplicated entries * Fix: Unable to Save Graph Settings * Fix: Script Server may crash if an OID is missing or unavailable * Fix: When system-wide polling is disabled, remote pollers may fail to sync changed settings * Fix: When updating poller name, duplicate name protection may be over zealous * Fix: Titles may show “Missing Datasource” incorectly * Fix: Checking for MIB Cache can cause crashes * Fix: Polling cycles may not always complete as expected * Fix: When viewing graph data, non-numeric values may appear * Fix: Utilities view has calculation errors when there are no data sources * Fix: When editing Reports, drag and drop may not function as intended * Fix: When data drive is full, viewing a Graph can result in errors * Various other bug fixes cacti 1.2.19: * Further fixes for grave character security protection (boo#1192408) * Fix Over aggressive escaping causing menu visibility issues on Create Device page * Add SHA256 and AES256 security levels for SNMP polling * Import graph template(Preview Only) show color_id new value as a blank area * Fix Editing graphs errors due to missing sequence * Fix 2hen hovering over a Tree Graph, row shows same highlighting as Graph Edit screen * Fix 2hen RealTime is not active, console errors may appear * Fix race conditions may occur when multiple RRDtool processes are running * Fix errors creating graphs from templates * Fix errors when duplicating reports * Fix Boost may be blocked by overflowing poller_output table * Fix Template import may be blocked due to unmet dependency warnings with snmp ports * Fix Newer MySQL versions may error if committing a transaction when not in one * Fix SNMP Agent may not find a cache item * Fix Correct issues running under PHP 8.x * Fix When polling is disabled, boost may crash and creates many arch tables * Fix When poller runs, memory tables may not always be present * Fix Timezones may sometimes be incorrectly calculated * Fix Allow monitoring IPv6 with interface graphs * Fix When a data source uses a Data Input Method, those without a mapping should be flagged * Fix When RRDfile is not yet created, errors may appear when displaying the graph * Fix Cacti missing key indexes that result in Preset pages slowdowns * Fix Data Sources page shows no name when Data Source has no name cache * Fix db_update_table function can not alter table from signed to unsigned * Fix data remains in poller_output table even if it’s flushed to rrd files * Fix Parameter list for lib/database.php:db_connect_real() is not correct in 3 places * Fix Offset is a reserved word in MariaDB 10.6 affecting Report * Fix Rendering large trees slowed due to lack of permission caching * Fix Error on interpretation of snmpUtime, when to big * Fix Applying right axis formatting creates an error-image * Fix Unable to Save Graph Settings from the Graphs pages * Fix Graph Template Cache is nullified too often when Graph Automation is running * Fix When Adding a Data Query to a Device, no Progress Spinner is shown * Fix New Browser Breaks Plugins that depend on non UTC date time data * Fix errors when testing remote poller connectivity * Fix errors when renaming poller * Fix Removing spikes by Variance does not appear to be working beyond the first RRA * Fix LDAP API lacks timeout options leading to bad login experiences * Add a normal/wrap class for general use * Limit File Types available for Template Import operations * Fix Cacti does not provide an option of providing a client side certificate for LDAP/AD authentication * Support Stronger Encryption Available Starting in Net-SNMP v5.8 * Allow Cacti to use multiple possible LDAP servers * Add a 15 minute polling/sampling interval * Provide additional admin email notifications * Add warnings for undesired changes to plugin hook return values * When creating a Graph, make testing the Data Sources optional by Template * Update phpseclib to 2.0.33 * Update jstree.js to 3.3.12 * Improve performance of Cacti poller on heavily loaded systems * MariaDB recommendations need some tuning for recent updates Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”. Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-145=1 - SUSE Package Hub for SUSE Linux Enterprise 12: zypper in -t patch openSUSE-2022-145=1 Package List: - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): cacti-spine-1.2.20-bp153.2.9.1 - openSUSE Backports SLE-15-SP3 (noarch): cacti-1.2.20-bp153.2.9.1 - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64): cacti-spine-1.2.20-20.1 - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch): cacti-1.2.20-26.1 References: https://www.suse.com/security/cve/CVE-2022-0730.html https://bugzilla.suse.com/1192408 https://bugzilla.suse.com/1196692