Security Bulletins

Publication date: November 22, 2024Component: centreon-web (on central server).Feature: Monitoring configuration logs Description: A stored XSS was found in the user configuration contact name field.Details : A script can be stored in the contact name field to be reflected in the adminstration logs. These two pages are only accessible to authenticated users with high privilege access. Reference: CVE-2024-47863CVSS:  6.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N Severity: MEDIUM Status: Fixes have been provided for all 

Publication date: October 10, 2024Component: centreon-bi-server (on central server).Feature: Reporting jobs configuration. Description: A SQL injection vulnerability in the listing of configured reporting jobs.Details : SQLi in configuration pages, only accessible to authenticated users with high privilege access. Reference: CVE-2024-45754CVSS:  7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Severity: HIGH Status: Fixes have been provided for all 

Security fixed in Centreon Web Submission: June 26, 2024Publication date: October 1, 2024Severity: MEDIUM Component: centreon-webFixes have been provided for all supported versions and it is recommended to update Centreon Web:Centreon Web 24.04.7 Centreon Web 23.10.17 Centreon Web 23.04.22

Security fixed in Centreon Web Submission: June 21, 2024Publication date: September 17, 2024Severity: HIGH Feature: Edition of contacts / usersComponent: centreon-webFixes have been provided for all supported versions and it is recommended to update Centreon Web:Centreon Web 24.04.6 Centreon Web 23.10.16 Centreon Web 23.04.21

An audit has identified security vulnerabilities in Centreon Web.Centreon is unaware of situations where these could have been exploited.If an instance of Centreon Web is exposed on Internet, these vulnerabilities have a high likelihood of being exploited and have a severe impact if exploited which results in a high risk. Type of vulnerability :CVE-2024-32501 : SQL Injection, in updateServiceHostCVE-2024-33852 : SQL Injection in Downtime componentCVE-2024-33853 : SQL Injection in Timeperiod componentCVE-2024-33854 : SQL Injection in Graph Template componentCVE-2024-5725 : SQL Injection in Metric Image componentCVE-2024-39841 : SQL Injection via service configuration It is therefore highly recommended to apply the provided product updates as early as possible. Version impacted

An audit has identified security vulnerabilities in Centreon Web.Centreon is unaware of situations where these could have been exploited.If an instance of Centreon Web is exposed on Internet, these vulnerabilities have a high likelihood of being exploited and have a severe impact if exploited which results in a high risk. CVE registration: CVE-2024-0637, CVE-2024-23115, CVE-2024-23116, CVE-2024-23117, CVE-2024-23118, CVE-2024-23119 It is therefore highly recommended to apply the provided product updates as early as possible. Who is impacted?All Centreon on-premise platform versions are vulnerable. Centreon Cloud platforms have already been updated. Applying the fixFixes have been provided for all supported ver

An audit has identified security vulnerabilities in Centreon Web.Centreon is unaware of situations where these could have been exploited.If an instance of Centreon Web is exposed on Internet, these vulnerabilities have a high likelihood of being exploited and have a severe impact if exploited which results in a high risk. It is therefore highly recommended to apply the provided product updates as early as possible. Who is impacted?All Centreon on-premise platform versions are vulnerable. Centreon Cloud platforms have already been updated. Applying the fixFixes have been provided for all supported versions and it is recommended to update Centreon Web: Centreon Web 23.04.4 Centreon Web

SummaryAn exploit for a critical vulnerability (CVE-2022-37454) impacting PHP and other middleware was publicly released on October 20, 2022.A detailed description of the vulnerability can be found on Red Hat Customer Portal.The Centreon Security Group has conducted an initial assessment across the codebase to determine the impact of this vulnerability.   ImpactsNot specified by publisher Data Privacy Breach Affected systemsPHP 8.0.x versions prior to 8.0.25 PHP 8.1.x versions prior to 8.1.12 State of investigationRed Hat is currently under investigation on potential effects.Centreon doesn’t use SHA-3 mechanism, so no Centreon Edition

SummaryA zero-day exploit for a vulnerability code-named Text4Shell (CVE-2022-42889) was publicly released on October 12th 2022. The Centreon Security Group has conducted an initial assessment across the codebase to determine the impact of this vulnerability.  The vulnerability is embedded in a java component named Apache-commons-text, in versions from 1.5 to 1.10. It can only be exploited in a very specific context. ImpactCentreon components that could have been affected are the ones that uses Java code: Centreon MAP server Centreon MBI AS400 plugin No other component (including opensource) is affected.No Centreon Cloud service is affected. 

An internal audit has identified security vulnerabilities in Centreon MBI and Centreon Web.Centreon is unaware of situations where these could have been exploited.These vulnerabilities have a low likelihood of being exploited but have a severe impact if exploited which results in a high risk.It is therefore highly recommended to apply the provided product updates as early as possible. Who is impacted?Your Centreon platform is vulnerable if Centreon MBI has been installed.Centreon Cloud platforms are not impacted. Applying the fixFixes have been provided for all supported versions and it is recommended to update both Centreon Web and Centreon MBI: Centreon Web 22.04.7 and Centreon MBI 22.04.2 Centreon We