From EGIWiki


** WHITE information - unlimited distribution                               **  

** see for distribution restrictions **


Title:       EGI SVG Advisory "High" Risk  CVE-2014-5261,  CVE-2014-5262  
            Cacti remote command and code execution vulnerabilities - relevant to sites running Perfsonar.

Date:        2014-12-01 

This will be placed on the wiki on or after 15th December 2014.



Two vulnerabilities were found in Cacti by a member of the EGI software vulnerability group. 

The only place in the EGI infrastructure where cacti is in use that we are aware of is sites running 

This advisory is to alert sites to this, and to suggest that sites check that suitable mitigation is in place,
as recommended by the perfsonar team.
Fixes are available for this particular cacti issue for Debian, but not for Red Hat.

The two vulnerabilities have been assigned CVE-2014-5261 [R 1] and CVE-2014-5262 [R 2].


For the description of the cacti vulnerabilities see [R 1] and [R 2].

Risk category

These vulnerabilities have both been assessed as 'High' risk by the EGI SVG Risk
Assessment Team, for sites that are configured badly.

Affected software

These are fixed in Debian, see [R 3], [R 4].

For Red Hat they have not yet been fixed.
The upstream release fixing these issues is cacti-0.8.8c.


Sites can mitigate the cacti problems by doing both of the following:

- put cacti behind a firewall, so that only trusted people are able to access the web frontend
- remove the line
 $guest_account = true;
 from the top of graph_settings.php
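As an added illustration of the second mitigation (this check is written for this page and is not part of the advisory or of the cacti project), the following POSIX shell function audits a graph_settings.php file and reports whether an active, i.e. not commented-out, $guest_account = true; line is still present. The sample files it creates are constructed for the demonstration; block comments (/* ... */) are not handled, so review any hit by hand.

```shell
#!/bin/sh
# Audit a cacti graph_settings.php for the guest-account line the advisory
# says to remove. Exit status: 0 = line not active (mitigated),
# 1 = active '$guest_account = true;' found, 2 = file not readable.
check_guest_account() {
  file="$1"
  [ -r "$file" ] || return 2
  # Strip leading whitespace, drop lines commented with // or #, then look
  # for the assignment, tolerating spacing and case differences in 'true'.
  if sed -e 's/^[[:space:]]*//' "$file" \
     | grep -v -E '^(//|#)' \
     | grep -q -i -E '^\$guest_account[[:space:]]*=[[:space:]]*true[[:space:]]*;'; then
    return 1
  fi
  return 0
}

# Constructed sample files (not from a real install) showing both outcomes.
demo_guest_account_check() {
  dir=$(mktemp -d)
  printf '<?php\n$guest_account = true;\n' > "$dir/vulnerable.php"
  printf '<?php\n// $guest_account = true;\n' > "$dir/mitigated.php"
  v=0; check_guest_account "$dir/vulnerable.php" || v=$?
  m=0; check_guest_account "$dir/mitigated.php" || m=$?
  rm -rf "$dir"
  echo "vulnerable.php -> $v, mitigated.php -> $m"
}

demo_guest_account_check
```

Run it against the real file with check_guest_account /path/to/cacti/graph_settings.php and act on a non-zero exit status.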

Sites running perfsonar should ensure that they are configured correctly according
to the instructions given by the perfsonar team [R 5].

Information on security considerations is also provided by the perfsonar team [R 6].

Component installation information

For Debian, see [R 3], [R 4].

For Red Hat they have not yet been fixed.
The upstream release fixing these issues is cacti-0.8.8c.


Sites running cacti/perfsonar should ensure that they are configured in a suitable way, as described
by the perfsonar team in the link above.

This applies regardless of whether the cacti version is updated.

Sites running the Debian version should additionally update.

Other information

This was discussed at the SVG meeting on 20th November, where it was agreed that an advisory should be sent advising
sites to ensure they are configured correctly. The risk was agreed as 'High' for poorly configured sites.


These vulnerabilities were discovered by Mischa Salle and Wilco Baan Hofman from 



[R 1]

[R 2]

[R 3]

[R 4]

[R 5]

[R 6]


2014-07-27 Vulnerabilities reported by Mischa Salle and Wilco Baan Hofman
2014-07-27 Acknowledgement from the EGI SVG to the reporter
2014--     Mischa Salle in touch with developers to arrange resolution
2014-11-20 Discussed in SVG meeting, agreed 'High' if poorly configured site
           and that an advisory should be sent
2014-11--- Advisory drafted - further discussions. 
2014-12-01 Advisory sent to sites
2015-01-15 Public disclosure