#2014-005 LPAR2RRD input sanitization errors Description: LPAR2RRD is a performance monitoring and capacity planning software for IBM Power Systems. LPAR2RRD generates historical, future trends and nearly "real-time" CPU utilization graphs of LPAR's and shared CPU usage. Insufficient input sanitization on the parameters passed to the application web gui leads to arbitrary command injection on the LPAR2RRD application server. Affected version: LPAR2RRD <= 4.53, <= 3.5 Fixed version: LPAR2RRD > 4.53 Credit: vulnerability report and PoC code received from Jürgen Bilberger <juergen.bilberger AT daimler.com>. CVE: CVE-2014-4981 (version <= 3.5), CVE-2014-4982 (version <= 4.53) Timeline: 2014-07-08: vulnerability report received 2014-07-08: contacted LPAR2RRD maintainers 2014-07-20: patch provided by maintainers, assigned CVEs 2010-07-22: contacted affected vendors 2010-07-23: advisory release References: http://www.lpar2rrd.com Permalink: http://www.ocert.org/advisories/ocert-2014-005.html -- Daniele Bianco Open Source Computer Security Incident Response Team <danbia@xxxxxxxxx> http://www.ocert.org GPG Key 0x9544A497 GPG Key fingerprint = 88A7 43F4 F28F 1B9D 6F2D 4AC5 AE75 822E 9544 A497