ALAS-2017-899


Amazon Linux AMI Security Advisory: ALAS-2017-899
Advisory Release Date: 2017-10-03 11:00 Pacific
Severity: Important

Issue Overview:

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.

Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.

Various command-execution flaws were found in the Snoopy library included with Nagios. These flaws allowed remote attackers to execute arbitrary commands by manipulating Nagios HTTP headers.

A privilege escalation flaw was found in the way Nagios handled log files. An attacker able to control the Nagios logging configuration (the "nagios" user/group) could use this flaw to elevate their privileges to root.

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache.

The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs.


Affected Packages:

nagios


Issue Correction:
Run yum update nagios to update your system.

New Packages:
i686:
    nagios-devel-3.5.1-2.10.amzn1.i686
    nagios-common-3.5.1-2.10.amzn1.i686
    nagios-debuginfo-3.5.1-2.10.amzn1.i686
    nagios-3.5.1-2.10.amzn1.i686

src:
    nagios-3.5.1-2.10.amzn1.src

x86_64:
    nagios-3.5.1-2.10.amzn1.x86_64
    nagios-common-3.5.1-2.10.amzn1.x86_64
    nagios-debuginfo-3.5.1-2.10.amzn1.x86_64
    nagios-devel-3.5.1-2.10.amzn1.x86_64