漏洞类别:Ubuntu
漏洞等级: 
漏洞信息
It was discovered that Nagios incorrectly handled certain long strings.
It was discovered that Nagios incorrectly handled certain long messages to cmd.cgi.
It was discovered that Nagios incorrectly handled symlinks when accessing log files.
漏洞危害
A remote authenticated attacker could use this issue to cause Nagios to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2013-7108, CVE-2013-7205)
A remote attacker could possibly use this issue to cause Nagios to crash, resulting in a denial of service. (CVE-2014-1878)
A local attacker could possibly use this issue to elevate privileges. In the default installation of Ubuntu, this should be prevented by the Yama link restrictions. (CVE-2016-9566)
解决方案
Refer to Ubuntu advisory USN-3253-1 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-3253-1: 16.04 (Xenial) on src (nagios3-cgi)
USN-3253-1: 14.04 (Kylin) on src (nagios3-core)
USN-3253-1: 16.10 (Yakkety) on src (nagios3-cgi)
USN-3253-1: 16.10 (Yakkety) on src (nagios3-core)
USN-3253-1: 16.04 (Xenial) on src (nagios3-core)
USN-3253-1: 14.04 (Kylin) on src (nagios3-cgi)
Virtual Patches:
Trend Micro Virtual Patching
Virtual Patch #1005854: 1005854 - Nagios "process_cgivars()" Off-By-One Vulnerability
0day
文章评论