TWiki>
LCG Web>WLCGCommonComputingReadinessChallenges>WLCGOperationsWeb>WLCGOpsCoordination>NetworkTransferMetrics>CactiperfSONAR (2014-06-26, ShawnMcKee)
EditAttachPDF
LCG Web>WLCGCommonComputingReadinessChallenges>WLCGOperationsWeb>WLCGOpsCoordination>NetworkTransferMetrics>CactiperfSONAR (2014-06-26, ShawnMcKee) EditAttachPDFCacti Vulnerability in perfSONAR-PS Toolkit Details.
There has been a vulnerability in the Cacti component of the perfSONAR-PS Toolkit identified which can allow "defacing" of the text fields on the Cacti settings web page or possible SQL injection attack into the Cacti database. It exists in versions of perfSONAR-PS prior to the following RPM versions:perl-perfSONAR_PS-Toolkit-SystemEnvironment-3.3.2-16.pSPS.noarch perl-perfSONAR_PS-Toolkit-3.3.2-16.pSPS.noarch perl-perfSONAR_PS-Toolkit-LiveCD-3.3.2-16.pSPS.noarch
Problem Remediation
The RPMS (and the corresponding updated ISOs) listed in the previous section address the issue. The patch created (that will be pulled down via yum) disables 'guest' (e.g. anonymous) access to cacti on the toolkit. The ink on the main page is still there, but will now require someone with a password/username to get in. This prevents unauthenticated access to the Cacti settings page, removing the threat of "defacing" or SQL injection. For our recommended netinstall (installation onto local disk) sites should 'yum update'. This is as simple as:yum -y update rebootFor sites running from CD or USB, please download, produced updated media and reboot your system using the updated media.
Disabling Cacti
Since Cacti is NOT part of either the OSG or WLCG perfSONAR-PS use-cases, sites can choose to disable it entirely via:- Edit /etc/httpd/conf.d/apache-toolkit_web_gui.conf
- Add the following stanza:
<Directory "/opt/perfsonar_ps/toolkit/web/root/admin/cacti"> Deny from all </Directory> - Restart apache:
sudo /etc/init.d/httpd restart
Verification of Fix
Sites can verify they have the updated RPMS via rpm -qa | grep PS-Toolkit. Check for the 3.3.2-16 versions mentioned at the top of the page.Alternately you can try to access the Cacti settings page to verify it prompts for authentication. The form of the URL is
http://<perfSONAR_FQDN>/toolkit/gui/cacti/graph_settings.phpFor example, if your toolkit instance is psum01.aglt2.org you should verify http://psum01.aglt2.org/toolkit/gui/cacti/graph_settings.php
prompts you for authentication.
References
See EGI SVG EGI-SVG-2014-7162 or refer to perfSONAR-PS FAQ at http://psps.perfsonar.net/toolkit/FAQs.html#Q77.
-- ShawnMcKee - 26 Jun 2014 Edit | Attach | Topic revision: r1 - 2014-06-26 - ShawnMcKee
LCG Wikis
- ABATBEA
- ACPP
- ADCgroup
- AEGIS
- AfricaMap
- AgileInfrastructure
- ALICE
- AliceEbyE
- AliceSPD
- AliceSSD
- AliceTOF
- AliFemto
- ALPHA
- Altair
- ArdaGrid
- ASACUSA
- AthenaFCalTBAna
- Atlas
- AtlasLBNL
- AXIALPET
- CAE
- CALICE
- CDS
- CENF
- CERNSearch
- CLIC
- Cloud
- CloudServices
- CMS
- Controls
- CTA
- CvmFS
- DB
- DefaultWeb
- DESgroup
- DPHEP
- DM-LHC
- DSSGroup
- EGEE
- EgeePtf
- ELFms
- EMI
- ETICS
- FIOgroup
- FlukaTeam
- Frontier
- Gaudi
- GeneratorServices
- GuidesInfo
- HardwareLabs
- HCC
- HEPIX
- ILCBDSColl
- ILCTPC
- IMWG
- Inspire
- IPv6
- IT
- ItCommTeam
- ITCoord
- ITdeptTechForum
- ITDRP
- ITGT
- ITSDC
- LAr
- LCG
- LCGAAWorkbook
- Leade
- LHCAccess
- LHCAtHome
- LHCb
- LHCgas
- LHCONE
- LHCOPN
- LinuxSupport
- Main
- Medipix
- Messaging
- MPGD
- NA49
- NA61
- NA62
- NTOF
- Openlab
- PDBService
- Persistency
- PESgroup
- Plugins
- PSAccess
- PSBUpgrade
- R2Eproject
- RCTF
- RD42
- RFCond12
- RFLowLevel
- ROXIE
- Sandbox
- SocialActivities
- SPI
- SRMDev
- SSM
- Student
- SuperComputing
- Support
- SwfCatalogue
- TMVA
- TOTEM
- TWiki
- UNOSAT
- Virtualization
- VOBox
- WITCH
- XTCA
 |
|
Copyright &© 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback