
Zenoss Security Announcement

Zenoss has discovered a security vulnerability in XML-RPC authentication which, in some cases, allows unauthenticated method invocation in all versions of Zenoss Professional, Enterprise, Service Provider and Core.

Zenoss strongly recommends that you patch this vulnerability immediately. All users should review this advisory; however, customers who have installed Zenoss on a publicly accessible network may be at increased risk. The patch instructions are available below and can be downloaded from: http://www.zenoss.com/community/docs/patches/security/1035-ZSA.txt

Currently, there is no known attack that exploits this vulnerability. The provided patch has been tested and eliminates the risk associated with this vulnerability should any such attack be attempted.

OVERVIEW
* Purpose of Advisory
To provide initial notification, impact assessment and remediation to our customers.

* Recommendation
Review suggested actions and perform if necessary.

* Software Affected
Zenoss Core 2.2.4 or earlier
Zenoss Professional 2.2.4 or earlier
Zenoss Enterprise 2.2.4 or earlier

SUGGESTED ACTIONS
* Zenoss 2.2.x
1. Log into the system with Zenoss installed as the ‘zenoss’ user.

2. Run the following commands:

  $ zenpatch 10653 10654 10700
  $ zenmigrate run -v 10 --step=fixPropertyAccess
  $ zopectl restart

* Zenoss 2.1.x
Zenoss installations using hardware or software appliances should complete steps 1-3. RPM-based installations should start with step 2 below.

1. If you are using a Zenoss software or hardware appliance, log into the appliance as the ‘root’ user and run the following command:

  # conary update patch=conary.rpath.com@rpl:1

2. In any case, log into the system with Zenoss installed as the ‘zenoss’ user.

3. Run the following commands:

  $ cd $ZENHOME
  $ url='http://dev.zenoss.com/trac/changeset/10706?format=diff&new=10706'
  $ wget "$url" -O - | patch -p3
  $ zenmigrate run -v 10 --step=fixPropertyAccess
  $ zopectl restart

FURTHER HELP
If you have any questions or would like assistance in applying this patch, please contact community@zenoss.com or Zenoss Support using your Portal account.


1 Comment(s)

  1. Sami Haahtinen | Nov 3, 2008

    Apparently the zenpatch command needs to be run once for each patch. Using all 3 patches as a command line argument causes only the first patch to be downloaded and installed.
