The Zenoss Core application, server, and network management platform software contains multiple vulnerabilities, the most severe of which could allow a remote attacker to execute arbitrary code.
The Zenoss Core application, server, and network management platform software version 4.2.4 contains a collection of vulnerabilities that impacts several aspects of the software. A brief summary of the types of vulnerabilities present is provided below.
CVE-2014-6253: Systemic Cross Site Request Forgery
The most severe issues (CVE-2014-6261 and CVE-2014-9246) allow remote code execution and installation of arbitrary packages, allowing full compromise of the system running Zenoss. For more details, please see this spreadsheet, specifically the "Impact Description" column.
Apply an update manually
Thanks to Ryan Koppenhaver and Andy Schmitz of Matasano Security for reporting these vulnerabilities.
This document was written by Garret Wassermann.
CVE IDs: CVE-2014-6253, CVE-2014-6254, CVE-2014-9245, CVE-2014-6255, CVE-2014-6261, CVE-2014-6256, CVE-2014-9246, CVE-2014-9247, CVE-2014-9248, CVE-2014-6257, CVE-2014-9249, CVE-2014-9250, CVE-2014-6258, CVE-2014-6260, CVE-2014-9251, CVE-2014-6259, CVE-2014-6262, CVE-2014-9252
Date First Published: 2014-12-05
Date Last Updated: 2014-12-08 15:54 UTC