Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-3495-1 xymon -- security update

Related Vulnerabilities: CVE-2016-2054   CVE-2016-2055   CVE-2016-2056   CVE-2016-2057   CVE-2016-2058  

Markus Krell discovered that xymon, a network- and applications-monitoring system, was vulnerable to the following security issues: CVE-2016-2054 The incorrect handling of user-supplied input in the config command can trigger a stack-based buffer overflow, resulting in denial of service (via application crash) or remote code execution. CVE-2016-2055 The incorrect handling of user-supplied input in the config command can lead to an information leak by serving sensitive configuration files to a remote user. CVE-2016-2056 The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user. CVE-2016-2057 Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon. CVE-2016-2058 Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks. For the stable distribution (jessie), these problems have been fixed in version 4.3.17-6+deb8u1. We recommend that you upgrade your xymon packages.

Source

Debian Security Advisory

DSA-3495-1 xymon -- security update

Date Reported:
29 Feb 2016
Affected Packages:
xymon
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-2054, CVE-2016-2055, CVE-2016-2056, CVE-2016-2057, CVE-2016-2058.
More information:

Markus Krell discovered that xymon, a network- and applications-monitoring system, was vulnerable to the following security issues:

  • CVE-2016-2054

    The incorrect handling of user-supplied input in the config command can trigger a stack-based buffer overflow, resulting in denial of service (via application crash) or remote code execution.

  • CVE-2016-2055

    The incorrect handling of user-supplied input in the config command can lead to an information leak by serving sensitive configuration files to a remote user.

  • CVE-2016-2056

    The commands handling password management do not properly validate user-supplied input, and are thus vulnerable to shell command injection by a remote user.

  • CVE-2016-2057

    Incorrect permissions on an internal queuing system allow a user with a local account on the xymon master server to bypass all network-based access control lists, and thus inject messages directly into xymon.

  • CVE-2016-2058

    Incorrect escaping of user-supplied input in status webpages can be used to trigger reflected cross-site scripting attacks.

For the stable distribution (jessie), these problems have been fixed in version 4.3.17-6+deb8u1.

We recommend that you upgrade your xymon packages.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started