Executive Summary

Summary
Title Munin vulnerabilities
Informations
Name USN-1622-1 First vendor Publication 2012-11-05
Vendor Ubuntu Last vendor Modification 2012-11-05
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Munin.

Software Description: - munin: Network-wide graphing framework

Details:

It was discovered that the Munin qmailscan plugin incorrectly handled temporary files. A local attacker could use this issue to possibly overwrite arbitrary files. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10, and Ubuntu 12.04 LTS. (CVE-2012-2103)

It was discovered that Munin incorrectly handled plugin state file permissions. An attacker obtaining privileges of the munin user could use this issue to escalate privileges to root. (CVE-2012-3512)

It was discovered that Munin incorrectly handled specifying an alternate configuration file. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the web server. This issue only affected Ubuntu 12.10. (CVE-2012-3513)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.10:
munin 2.0.2-1ubuntu2.2

Ubuntu 12.04 LTS:
munin 1.4.6-3ubuntu3.3

Ubuntu 11.10:
munin 1.4.5-3ubuntu4.11.10.2

Ubuntu 10.04 LTS:
munin 1.4.4-1ubuntu1.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1622-1
CVE-2012-2103, CVE-2012-3512, CVE-2012-3513

Package Information:
https://launchpad.net/ubuntu/+source/munin/2.0.2-1ubuntu2.2
https://launchpad.net/ubuntu/+source/munin/1.4.6-3ubuntu3.3
https://launchpad.net/ubuntu/+source/munin/1.4.5-3ubuntu4.11.10.2
https://launchpad.net/ubuntu/+source/munin/1.4.4-1ubuntu1.2

Original Source

Url : http://www.ubuntu.com/usn/USN-1622-1

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-264 Permissions, Privileges, and Access Controls
33 % CWE-59 Improper Link Resolution Before File Access ('Link Following')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18075
 
Oval ID: oval:org.mitre.oval:def:18075
Title: USN-1622-1 -- munin vulnerabilities
Description: Several security issues were fixed in Munin.
Family: unix Class: patch
Reference(s): USN-1622-1
CVE-2012-2103
CVE-2012-3512
CVE-2012-3513
 Version: 7
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Ubuntu 11.10
Ubuntu 10.04
 Product(s): munin
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 24

OpenVAS Exploits

Date Description
2012-11-06 Name : Ubuntu Update for munin USN-1622-1
File : nvt/gb_ubuntu_USN_1622_1.nasl
2012-09-27 Name : Fedora Update for munin FEDORA-2012-13649
File : nvt/gb_fedora_2012_13649_munin_fc16.nasl
2012-09-27 Name : Fedora Update for munin FEDORA-2012-13683
File : nvt/gb_fedora_2012_13683_munin_fc17.nasl

Nessus® Vulnerability Scanner

Date Description
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-20.nasl - Type : ACT_GATHER_INFO
2014-05-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201405-17.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-130.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-105.nasl - Type : ACT_GATHER_INFO
2012-11-06 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1622-1.nasl - Type : ACT_GATHER_INFO
2012-09-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13649.nasl - Type : ACT_GATHER_INFO
2012-09-27 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13683.nasl - Type : ACT_GATHER_INFO
2012-09-18 Name : The remote Fedora host is missing a security update.
File : fedora_2012-13110.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-02-17 12:01:01
  • Multiple Updates
2012-11-22 17:24:47
  • Multiple Updates
2012-11-22 13:19:31
  • Multiple Updates