Wuerth Phoenix has released some Critical Patches (CPs) for NetEye 4. These CPs resolve multiple vulnerabilities related to SQL injections, Cross Site Scripting and an unauthenticated remote command execution (RCE) exploit.
Description
GLPI was affected by:
[Critical] RCE using a third-party library script (CVE-2022-35914).
[Critical] Privilege Escalation by authentication via SQL injection (CVE-2022-35947)
XSS through registration API (CVE-2022-35945)
Leak of sensitive information through login page error (CVE-2022-31143)
SQL injection through plugin controller (CVE-2022-35946)
CVE-2022-35914 RCE workaround for older NetEye 4 versions
Remove /usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php file from the filesystem on all NetEye nodes. This will prevent unauthenticated attackers to compromise your NetEye installation.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected Products
All NetEye 4.x versions prior to and including 4.26.
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Author
Gianluca Piccolo
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
We released an update for GLPI that fixes several vulnerabilities. We updated the following packages: glpi, glpi-autosetup and glpi-neteye-config to version 10.0.16_neteye1.15.3-2
We fixed a bug in Icingaweb2 module Tornado UI which prevented the UI from refreshing after a draft configuration was deleted. We updated the following packages: icingaweb2-module-tornado, icingaweb2-module-tornado-autosetup and icingaweb2-module-tornado-configurator to version 2.13.6-1
We fixed a bug in the NetEye Alyvix module related to the Multi Tenancy migration command neteye alyvix-node enable-multitenancy --all, in which we adapted the data sent by the command to the Alyvix node to comply with the latest specification Read More
We fixed a bug in Icingaweb2 module Tornado UI which made part of the testing form unreachable when multi-tenancy was enabled. We updated the following packages: icingaweb2-module-tornado, icingaweb2-module-tornado-autosetup and icingaweb2-module-tornado-configurator to version 2.13.5-1
We fixed a bug in the NetEye Alyvix module which caused some errors to be shown to administrators of Tenants which did not have access to some tenant-shared Alyvix Nodes. We updated the following packages: icingaweb2-module-alyvix and icingaweb2-module-alyvix-autosetup to version Read More