Zenoss has discovered a security vulnerability in XML-RPC authentication which, in some cases, allows unauthenticated method invocation. It affects all versions of Zenoss Professional, Enterprise, Service Provider and Core.
Zenoss strongly recommends that you patch this vulnerability immediately. All users should review this advisory; however, customers who have installed Zenoss on a publicly reachable network may be at increased risk. The patch instructions are available below and can be downloaded from: http://www.zenoss.com/community/docs/patches/security/1035-ZSA.txt
Currently, there is no known attack that exploits this vulnerability. The provided patch has been tested and eliminates the risk associated with this vulnerability should an attack be attempted.
OVERVIEW
To provide initial notification, impact assessment and remediation to our customers.
Review the suggested actions and perform them if necessary.
Zenoss Core 2.2.4 or earlier
Zenoss Professional 2.2.4 or earlier
Zenoss Enterprise 2.2.4 or earlier
SUGGESTED ACTIONS
1. Log into the system where Zenoss is installed as the 'zenoss' user.
2. Run the following commands:
$ zenpatch 10653 10654 10700
$ zenmigrate run -v 10 --step=fixPropertyAccess
$ zopectl restart
Zenoss installations using hardware or software appliances should complete steps 1-3. RPM-based installations should start with step 2 below.
1. If you are using a Zenoss software or hardware appliance, log into the appliance as the 'root' user and run the following command:
conary update patch=conary.rpath.com@rpl:1
2. In any case, log into the system where Zenoss is installed as the 'zenoss' user.
3. Run the following commands:
$ cd $ZENHOME
$ url='http://dev.zenoss.com/trac/changeset/10706?format=diff&new=10706'
$ wget "$url" -O - | patch -p3
$ zenmigrate run -v 10 --step=fixPropertyAccess
$ zopectl restart
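The following shell script is an added example, not part of this advisory or of Zenoss's own tooling. It wraps the two remediation procedures above: it checks the preconditions the advisory states (running as the 'zenoss' user with $ZENHOME set), runs zenpatch once per patch id (the note at the end of this advisory reports that passing all three ids on one command line installs only the first), downloads the changeset diff to a file and dry-runs patch before applying it so a rejected hunk leaves the tree untouched, and only then runs the zenmigrate step and restarts Zope. The patch ids, the migrate step and the diff URL are the advisory's; the `--dry-run` option is GNU patch's; the script name, the `zenpatch|diff` mode argument and the function names are this example's own assumptions. The appliance-only `conary update` step is not included and remains the operator's.

```shell
#!/bin/sh
# Added example (not part of the Zenoss advisory): wrapper around the two
# remediation procedures above. Assumes zenpatch, zenmigrate, zopectl, wget
# and patch are on PATH and that it runs as the 'zenoss' user with $ZENHOME
# set, as the advisory requires. The script name and the zenpatch|diff mode
# argument are this example's own.

ZSA_PATCHES="10653 10654 10700"              # zenpatch ids from the advisory
ZSA_MIGRATE_STEP="fixPropertyAccess"         # zenmigrate step from the advisory
ZSA_DIFF_URL='http://dev.zenoss.com/trac/changeset/10706?format=diff&new=10706'

# Preconditions the advisory states: run as 'zenoss', with $ZENHOME pointing
# at an existing directory. Takes the user name and home as arguments so the
# check can be exercised without switching users.
check_preconditions() {
    if [ "$1" != "zenoss" ]; then
        echo "run this as the 'zenoss' user (current: $1)" >&2
        return 1
    fi
    if [ -z "$2" ] || [ ! -d "$2" ]; then
        echo "ZENHOME is not set to an existing directory" >&2
        return 1
    fi
    return 0
}

# First procedure: apply each zenpatch id in its own invocation. Passing all
# ids on one command line installs only the first (see the note at the end of
# the advisory). Stop at the first failure so migrate/restart never runs on a
# partially patched install.
apply_zenpatches() {
    for id in "$@"; do
        if ! zenpatch "$id"; then
            echo "zenpatch $id failed; stopping before migrate/restart" >&2
            return 1
        fi
    done
    return 0
}

# Second procedure: fetch the changeset diff to a file and confirm it applies
# cleanly with 'patch --dry-run' (a GNU patch option) before applying it.
# Piping wget straight into patch, as the advisory's one-liner does, can leave
# a half-patched tree if a hunk is rejected.
apply_changeset_diff() {
    url="$1"
    dest="$2"
    tmp="$(mktemp)" || return 1
    if ! wget -q "$url" -O "$tmp"; then
        echo "download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! (cd "$dest" && patch -p3 --dry-run < "$tmp"); then
        echo "diff does not apply cleanly under $dest; nothing was changed" >&2
        rm -f "$tmp"
        return 1
    fi
    (cd "$dest" && patch -p3 < "$tmp")
    status=$?
    rm -f "$tmp"
    return $status
}

# Steps shared by both procedures once the code change is in place.
migrate_and_restart() {
    zenmigrate run -v 10 --step="$ZSA_MIGRATE_STEP" || return 1
    zopectl restart
}

main() {
    check_preconditions "$(id -un)" "${ZENHOME:-}" || return 1
    case "${1:-}" in
        zenpatch) apply_zenpatches $ZSA_PATCHES || return 1 ;;   # word-split on purpose
        diff)     apply_changeset_diff "$ZSA_DIFF_URL" "$ZENHOME" || return 1 ;;
        *)        echo "usage: $0 zenpatch|diff" >&2; return 2 ;;
    esac
    migrate_and_restart
}

# With no argument the file only defines its functions (useful for sourcing).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh zsa-1035-apply.sh zenpatch` for the first procedure or `sh zsa-1035-apply.sh diff` for the second (after the `conary update` step on appliances). The per-id loop and the dry run are the two places where the script deliberately differs from the literal command lines above: both turn a silent partial result into an explicit failure before zenmigrate and the Zope restart are attempted.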
FURTHER HELP
If you have any questions or would like assistance in applying this patch, please contact community@zenoss.com or Zenoss Support using your Portal account.
Apparently the zenpatch command needs to be run once for each patch. Using all 3 patches as command-line arguments causes only the first patch to be downloaded and installed.