Vulnerability Note VU#449452
Zenoss Core contains multiple vulnerabilities
The Zenoss Core application, server, and network management platform software contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code.
The Zenoss Core application, server, and network management platform software, version 4.2.4, contains a collection of vulnerabilities that affect several parts of the software. A brief summary of the types of vulnerabilities present is provided below.
CVE-2014-6253: Systemic Cross Site Request Forgery
For more details, please see this spreadsheet, specifically the "Impact Description" column. Included in the linked spreadsheet are Zenoss tracking numbers for each issue.
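The first issue listed above is a systemic cross-site request forgery (CSRF) weakness: state-changing requests are accepted on the strength of the session cookie alone, which the victim's browser attaches automatically to a request forged by another origin. The following is an added illustration of that failure mode and of the synchronizer-token fix, not code from Zenoss or from the vulnerability note. The `Session`, `Request` and `delete_device` names, the `require_csrf_token` decorator and the sample requests are all constructed for this example; they do not describe any actual Zenoss endpoint.

```python
"""
Synchronizer-token CSRF protection, shown on a minimal in-process request
model.  Added example; the objects and handler names below are constructed
for the demonstration and are not Zenoss code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Session:
    """Server-side session bound to the browser's session cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """What the server sees: the cookie-bound session plus the submitted form."""
    method: str
    session: Session
    form: dict


def require_csrf_token(handler):
    """Systemic fix: one pre-dispatch check applied to every state-changing
    handler, instead of relying on each handler to remember it."""
    @wraps(handler)
    def wrapper(req: Request, *args, **kwargs):
        if req.method in ("POST", "PUT", "DELETE"):
            supplied = req.form.get("csrf_token", "")
            # constant-time comparison; a bare != would leak timing
            if not hmac.compare_digest(supplied, req.session.csrf_token):
                return False  # reject: token missing or forged
        return handler(req, *args, **kwargs)
    return wrapper


def delete_device_unprotected(req: Request, devices: set) -> bool:
    """Vulnerable pattern: the action is gated only by the session cookie,
    so a cross-origin page can have the victim's browser perform it."""
    if req.method != "POST":
        return False
    devices.discard(req.form["device"])
    return True


@require_csrf_token
def delete_device_protected(req: Request, devices: set) -> bool:
    """Same action behind the token check; the attacker's origin cannot read
    the victim's token, so the forged request is refused."""
    if req.method != "POST":
        return False
    devices.discard(req.form["device"])
    return True


def demo() -> dict:
    """Run a forged and a legitimate request against both handlers and report
    what each did.  All inputs are constructed samples."""
    victim = Session(user="admin")
    # Forged: the attacker's page submits the form but cannot supply the token.
    forged = Request("POST", victim, {"device": "core-router"})
    # Legitimate: a same-origin page rendered the token into the form.
    legit = Request("POST", victim,
                    {"device": "core-router", "csrf_token": victim.csrf_token})

    results = {}
    inventory = {"core-router", "edge-switch"}
    results["unprotected_forged_accepted"] = delete_device_unprotected(forged, inventory)
    results["unprotected_forged_removed"] = "core-router" not in inventory

    inventory = {"core-router", "edge-switch"}
    results["protected_forged_accepted"] = delete_device_protected(forged, inventory)
    results["protected_forged_intact"] = "core-router" in inventory
    results["protected_legit_accepted"] = delete_device_protected(legit, inventory)
    results["protected_legit_removed"] = "core-router" not in inventory
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the decorator is the word "systemic" in the CVE description: if the token check lives in one place that every mutating handler passes through, a newly added endpoint cannot silently reintroduce the weakness. Tokens should be per session (or per form) and compared with `hmac.compare_digest`, never with plain string equality.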
The CVSS score below is based on CVE-2014-9246.
The most severe issues (CVE-2014-6261 and CVE-2014-9246) allow remote code execution and installation of arbitrary packages, permitting full compromise of the system running Zenoss.
Apply an update manually
Vendor Information

| Vendor | Status   | Date Notified | Date Updated |
|--------|----------|---------------|--------------|
| Zenoss | Affected | 12 Nov 2014   | 03 Dec 2014  |
CVSS Metrics
Thanks to Ryan Koppenhaver and Andy Schmitz of Matasano Security for reporting these vulnerabilities.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2014-6253 CVE-2014-6254 CVE-2014-9245 CVE-2014-6255 CVE-2014-6261 CVE-2014-6256 CVE-2014-9246 CVE-2014-9247 CVE-2014-9248 CVE-2014-6257 CVE-2014-9249 CVE-2014-9250 CVE-2014-6258 CVE-2014-6260 CVE-2014-9251 CVE-2014-6259 CVE-2014-6262 CVE-2014-9252
- Date Public: 05 Dec 2014
- Date First Published: 05 Dec 2014
- Date Last Updated: 08 Dec 2014
- Document Revision: 43