An update for the package grafana-panel-renderer is now available for NetEye 4.
NetEye Product Security has rated this update as having a security impact of High. Common Vulnerability Scoring System (CVSS) base scores provide additional guidance about a vulnerability and give a detailed severity rating.
Description
grafana-panel-renderer is a NetEye package used to render resource reports. One of its dependencies is vulnerable in that an authenticated attacker can submit a malicious INI file to the application that parses it with ini.parse, and it will pollute the prototype on the application possibly leading to remote code execution.
Security Fix(es) for NetEye 4.27 and NetEye 4.26:
grafana-panel-renderer-1.3.3-1
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the links listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected Products
All NetEye 4.x versions prior to and including 4.27.
After the previous release of an Icinga2 bugfix for a race-condition during the shutdown, some issues with the connection to satellite nodes emerged. This bugfix release is a cleanup we worked on in cooperation with Icinga2 to address those issues. Read More
We fixed an issue related to the upgrade path from 4.37 to 4.38, where the upgrade could have blocked at the secure install phase due to the missing retrieval of upgrade checkpoints. We updated the following packages: neteye-upgrade-manager to version Read More
For ntopng we fixed license limit enforcement, which could lead to flow drops. Furthermore, we’ve fixed an issue related to the RPM Mirror where the sync would have failed after the one performed during the neteye rpmmirror setup command, due Read More
We’ve fixed an issue related to the RPM Mirror where the sync would have failed after the one performed during the neteye rpmmirror setup command, due to a dependency change. We updated the following packages: neteye-pulp3-mirror to version 1.2.2-2 Note: Read More
Synopsis Important: Icinga2 security update Type/Severity Security Advisory: Critical Topic An update for the package icinga2 is now available for NetEye 4. NetEye Product Security has rated this update as having a security impact of Critical. Common Vulnerability Scoring System Read More