Bug 1132337 (CVE-2014-5338, CVE-2014-5339, CVE-2014-5340) - CVE-2014-5338 CVE-2014-5339 CVE-2014-5340 check-mk: multiple flaws fixed in versions 1.2.4p4 and 1.2.5i4
Summary: CVE-2014-5338 CVE-2014-5339 CVE-2014-5340 check-mk: multiple flaws fixed in v...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5338, CVE-2014-5339, CVE-2014-5340
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1132339 1132341
Blocks:
Reported: 2014-08-21 07:52 UTC by Murray McAllister
Modified: 2019-09-29 13:21 UTC

Fixed In Version: check_mk 1.2.4p4, check_mk 1.2.5i4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 06:08:14 UTC
Embargoed:

Links
System: Red Hat Product Errata
ID: RHSA-2015:1495
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat Gluster Storage 3.1 update
Last Updated: 2015-07-29 08:26:26 UTC

Description Murray McAllister 2014-08-21 07:52:06 UTC
Deutsche Telekom CERT Advisory DTC-A-20140820-001 notes that a number of security flaws have been fixed in check-mk (a Nagios plug-in) versions 1.2.4p4 and 1.2.5i4.

These include cross-site scripting to remote code execution (due to insecure pickle() use). Further details are available from their advisory:

http://packetstormsecurity.com/files/127941/DTC-A-20140820-001.txt

Some (not all!) of the individual fixes:

CVE-2014-5338
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4b71709456bfc2ffc27a3583f13cc2ac0e726709

CVE-2014-5339
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7998aa4d53d2fef7302c0761b9c8f47e2f626e18

CVE-2014-5340
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=192d41525502dc8de10ac99f57bd988450c17566

Comment 1 Murray McAllister 2014-08-21 07:54:38 UTC
Created check-mk tracking bugs for this issue:

Affects: fedora-all [bug 1132339]
Affects: epel-all [bug 1132341]

Comment 2 Murray McAllister 2014-08-21 07:55:35 UTC
> CVE-2014-5340
> http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=192d41525502dc8de10ac99f57bd988450c17566

That commit notes:

<b>Note:</b> This change makes the current Check_MK versions incompatible
to older versions.  In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.

Comment 3 Andrea Veri 2014-09-14 22:09:32 UTC
Murray, I'm a bit concerned about comment #2, as the multisite.mk file is actually modified by admins on many occasions and overwriting it is definitely not a good solution, but at the same time upgrading the package without the 'wato_legacy_eval' flag set to true will result in WATO breakages.

Do you have any suggestion on how to handle the upgrade properly?

Comment 4 Murray McAllister 2014-09-16 07:38:30 UTC
Hello Andrea,

I do not have a solution that both fixes the issue and does not break any environments. Maybe wato_legacy_eval in wato.py (http://git.mathias-kettner.de/git/?p=check_mk.git;a=blobdiff;f=web/plugins/config/wato.py;h=317f59394bf731727b3662f5e38d6ffa21e3983c;hp=744dde1e35164c2442ad410f5d78ccc76431ca80;hb=192d41525502dc8de10ac99f57bd988450c17566;hpb=815e624ae4c406112721771de85e22cdef3cafe6) could be set to "True" for a time, allowing the upgrade and fixing the other issues. It could be changed back to False at a later date. On the other hand, this issue seems to be the pickle/important one :-/
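
Comments 3 and 4 leave admins with a multisite.mk that may carry wato_legacy_eval = True for a while. The following audit script is an added example (not code from the check_mk project or from this bug report) that finds that setting after an upgrade without executing the config: multisite.mk is Python syntax, so it is parsed with the ast module only. The sample file contents are constructed.

```python
"""Audit a Check_MK multisite.mk for the unsafe wato_legacy_eval flag.

Added example, not code from check_mk or this bug. The config is parsed
with ast and never executed, so auditing an untrusted file is safe.
"""
import ast

# Constructed sample of an admin-edited multisite.mk (not a real file).
SAMPLE_MULTISITE_MK = """
# multisite.mk (constructed sample)
default_user_role = "user"
wato_legacy_eval = True   # temporary, set back to False after the upgrade
sites = {"slave1": {"alias": "Slave 1"}}
"""


def find_assignments(source, name):
    """Return the values assigned to top-level variable `name` in `source`.

    Literal values are returned as Python objects; a non-literal right-hand
    side is returned as its source text so a reviewer can inspect it by hand.
    """
    found = []
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == name:
                try:
                    found.append(ast.literal_eval(node.value))
                except ValueError:
                    found.append(ast.get_source_segment(source, node.value))
    return found


def legacy_eval_enabled(source):
    """True when the last assignment to wato_legacy_eval is the literal True.

    The last assignment wins, matching how Python would execute the file.
    """
    values = find_assignments(source, "wato_legacy_eval")
    return bool(values) and values[-1] is True


def audit(source):
    """Return a one-line finding for the given multisite.mk text."""
    if legacy_eval_enabled(source):
        return ("FINDING: wato_legacy_eval = True keeps the unsafe legacy "
                "distributed-WATO encoding (CVE-2014-5340 fix bypassed)")
    return "OK: wato_legacy_eval is not enabled"


if __name__ == "__main__":
    print(audit(SAMPLE_MULTISITE_MK))
```

Run it against each site's multisite.mk after the mixed-version period is over; any FINDING means the legacy encoding is still forced on.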

Comment 5 Fedora Update System 2014-09-27 09:42:58 UTC
check-mk-1.2.4p5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-09-27 10:01:31 UTC
check-mk-1.2.4p5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-09-27 10:06:40 UTC
check-mk-1.2.4p5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-10-05 08:13:59 UTC
check-mk-1.2.4p5-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-10-10 15:58:53 UTC
check-mk-1.2.4p5-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-10-10 16:05:29 UTC
check-mk-1.2.4p5-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-10-17 17:35:59 UTC
check-mk-1.2.4p5-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-10-17 17:36:53 UTC
check-mk-1.2.4p5-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-11-27 18:09:56 UTC
check-mk-1.2.4p5-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2015-07-29 04:35:31 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6
  Native Client for RHEL 5 for Red Hat Storage
  Native Client for RHEL 6 for Red Hat Storage

Via RHSA-2015:1495 https://rhn.redhat.com/errata/RHSA-2015-1495.html

