An audit has identified security vulnerabilities in Centreon Web.

Centreon is unaware of situations where these could have been exploited.

If an instance of Centreon Web is exposed on the Internet, these vulnerabilities have a high likelihood of being exploited, and their impact if exploited is severe, which results in a high risk.

CVE registration: CVE-2024-32501, CVE-2024-33852, CVE-2024-33853, CVE-2024-33854, CVE-2024-5725, CVE-2024-39841

It is therefore highly recommended to apply the provided product updates as early as possible.

Who is impacted?

  • All Centreon on-premise platform versions are vulnerable.
  • Centreon Cloud platforms have already been updated.

Applying the fix

Fixes have been provided for all supported versions, and it is recommended to update Centreon Web:

These versions include cumulative fixes from prior updates.

If you are running an unsupported version, it is strongly recommended that you upgrade your platform to 24.04.

Hello Laurent,


I could not find any details on the last three CVEs: CVE-2024-33852, CVE-2024-33853, CVE-2024-33854

Only for the first one.

Could you provide any information?

Thanks.

Regards,

Henry


Is this timeline correct? If yes, it was a poor performance on Centreon's side:
(information from https://www.zerodayinitiative.com/advisories/ZDI-24-596/)

2024-03-07 - Vulnerability reported to vendor

2024-06-10 - Coordinated public release of advisory
→ more than 3 months to fix the issue, no information to the users

2024-06-27 - Security bulletin available
→ again more than 2 weeks to release the security bulletin


Hi @HHerrgesell, we contacted the persons who discovered the security issues as well as Mitre. The publication should arrive soon.

Hi @fgoebel, yes, sorry for the delay; other vulnerabilities were present in the same part and we preferred to fix everything before releasing the fix.


Hello,

We are on version 22.10.21; will we need to do an upgrade first?

Regards,


Hi @christophe you can update to 22.10.23 or upgrade to another major version.


Added missing CVE-2024-39841 ID in the list.