Description:
LPAR2RRD is a performance monitoring and capacity planning software for IBM
Power Systems. LPAR2RRD generates historical, future trends and nearly
"real-time" CPU utilization graphs of LPAR's and shared CPU usage.
Insufficient input sanitization on the parameters passed to the application
web gui leads to arbitrary command injection on the LPAR2RRD application
server.
Affected version:
LPAR2RRD <= 4.53, <= 3.5
Fixed version:
LPAR2RRD > 4.53
Credit: vulnerability report and PoC code received from Jürgen Bilberger
<juergen.bilberger AT daimler.com>.
CVE: CVE-2014-4981 (version <= 3.5), CVE-2014-4982 (version <= 4.53)
Timeline:
2014-07-08: vulnerability report received
2014-07-08: contacted LPAR2RRD maintainers
2014-07-20: patch provided by maintainers, assigned CVEs
2010-07-22: contacted affected vendors
2010-07-23: advisory release
References:
http://www.lpar2rrd.com
Permalink:
http://www.ocert.org/
--
Daniele Bianco Open Source Computer Security Incident Response Team
<danbia@ocert.org> http://www.ocert.org
Komentarų nėra:
Rašyti komentarą