18. 08. 2020 Thomas Forrer Bug Fixes, NetEye

NetEye 4 – Security Advisory

Synopsis

Critical: Icinga Web 2 security update

Type/Severity

Security Advisory: Critical

Topic

An update for Icinga Web 2 is now available for NetEye 4.12 and 4.13.

NetEye Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Icinga Web 2 is an open-source front-end/framework developed by Icinga and is the primary frontend framework used in the NetEye 4 Product.

A Directory Traversal issue was discovered in Icinga Web 2 which could be exploited by attackers to read any local application files in the context of the running webserver.

Security Fix(es) for NetEye 4.13:

  • icingacli-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-2.7.3_neteye1.73.2-1.el7.noarch.rpm : Path Traversal vulnerability in imgAction function (CVE-2020-24368)
  • icingaweb2-autosetup-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-common-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-devel-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-selinux-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-HTMLPurifier-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-JShrink-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-Parsedown-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-dompdf-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-lessphp-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • icingaweb2-vendor-zf1-2.7.3_neteye1.73.2-1.el7.noarch.rpm
  • php-Icinga-2.7.3_neteye1.73.2-1.el7.noarch.rpm

Security Fix(es) for NetEye 4.12:

  • icingacli-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-2.7.3_neteye1.72.4-1.el7.noarch.rpm : Path Traversal vulnerability in imgAction function (CVE-2020-24368)
  • icingaweb2-autosetup-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-common-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-devel-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-selinux-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-HTMLPurifier-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-JShrink-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-Parsedown-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-dompdf-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-lessphp-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • icingaweb2-vendor-zf1-2.7.3_neteye1.72.4-1.el7.noarch.rpm
  • php-Icinga-2.7.3_neteye1.72.4-1.el7.noarch.rpm

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

All NetEye 4.x versions prior to and including 4.13.

Fixes

  • ICW-315 – (CVE-2020-24368) icingaweb2: Path Traversal vulnerability in file parameter

CVEs

References

Thomas Forrer

Thomas Forrer

Team Leader Research & Development at Würth Phoenix
Hi folks! I began loving computer since 1994, it was still the time of windows 3.1. Immediately I learned starting DOS games from the command promt, and while typing some white text on black background I felt like some hackish dude in a hollywoodian movie. Later during the studies at the university, I discovered the magic world of opensource, and it was love at first sight. Finally I got rid of BSOD's =) I love everything that is connected to some network, especially in a security perspective. My motto is: "With motivation, nothing is impossibile. It only requires more time."

Author

Thomas Forrer

Hi folks! I began loving computer since 1994, it was still the time of windows 3.1. Immediately I learned starting DOS games from the command promt, and while typing some white text on black background I felt like some hackish dude in a hollywoodian movie. Later during the studies at the university, I discovered the magic world of opensource, and it was love at first sight. Finally I got rid of BSOD's =) I love everything that is connected to some network, especially in a security perspective. My motto is: "With motivation, nothing is impossibile. It only requires more time."

Leave a Reply

Your email address will not be published.

Archive