Opened 10 months ago

Closed 9 months ago

#1397 closed defect (fixed)

Malicious plugin can abort data collection for a node

Reported by: cbiedl
Owned by: nobody
Priority: high
Milestone:
Component: master
Version: 2.0.6
Severity: major
Keywords:
Cc:

Description

Hi there,

using "multigraph" as a multigraph service name is not accepted by
Munin::Master::Node. The check however dies (in config) or croaks
(in fetch), causing the connection to be dropped and no data
gathered for that node. That's a bit harsh.

The patch below lowers that situation to two error messages.

Impact is rather small as this affects the data for that node itself.
A malicious plugin still does harm, but if an evil guy is able to
control which plugins are run on a node, no longer collecting munin
data for that one is not one of the bigger concerns.

Cheers,

Christoph
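
The failure mode described in this ticket, as an added Perl example that is not part of the ticket, the attached patch or Munin's code: a hypothetical `parse_config` meets a plugin that names a service "multigraph" and either dies (strict mode, which loses the whole node) or records an error and keeps the remaining data. The function name, the constructed plugin output and the policy of dropping the offending section are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not Munin's code. parse_config() and the sample
# plugin output below are hypothetical.
use strict;
use warnings;

# Parse the lines a node returns for "config <plugin>". Returns
# ($config, $errors): $config maps service name => { field => value },
# $errors lists rejected input. With $strict set, a bad service name
# dies instead, which aborts collection for the whole node.
sub parse_config {
    my ($plugin, $lines, $strict) = @_;
    my (%config, @errors);
    my $service = $plugin;  # lines before any "multigraph" belong to the plugin
    my $skip    = 0;

    for my $line (@$lines) {
        if ($line =~ /\A multigraph \s+ (\S+) \s* \z/x) {
            my $name = $1;
            if ($name eq 'multigraph') {
                my $msg = "plugin '$plugin': service cannot be named 'multigraph'";
                die "$msg\n" if $strict;
                push @errors, $msg;
                $skip = 1;  # assumed policy: drop lines until the next valid header
                next;
            }
            ($service, $skip) = ($name, 0);
            next;
        }
        next if $skip;
        $config{$service}{$1} = $2 if $line =~ /\A (\S+) \s+ (.*) \z/x;
    }
    return (\%config, \@errors);
}

# Constructed sample output from a hypothetical plugin "demo".
my @output = (
    'multigraph demo_ok',     'graph_title Good graph',
    'multigraph multigraph',  'graph_title Rejected graph',
    'multigraph demo_ok2',    'graph_title Another good graph',
);

# Tolerant mode: the bad section is reported, the other two survive.
my ($config, $errors) = parse_config('demo', \@output, 0);
print "kept: ", join(', ', sort keys %$config), "\n";
print "error: $_\n" for @$errors;

# Strict mode: one bad name discards everything the plugin sent.
my $ok = eval { parse_config('demo', \@output, 1); 1 };
print "strict mode aborted: $@" unless $ok;
```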

Attachments (1)

1397.patch (1.4 KB) - added by cbiedl 10 months ago.


Change History (2)

Changed 10 months ago by cbiedl

comment:1 Changed 9 months ago by cbiedl

  • Resolution set to fixed
  • Status changed from new to closed

This was assigned CVE-2013-6359 and fixed in 2.0.18.
