Vulnerabilities > CVE-2007-4136 - Remote Denial Of Service vulnerability in Redhat Conga 0.10.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2007-0640.NASL description Updated conga packages that correct a security flaw and provide bug fixes and add enhancements are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The Conga package is a web-based administration tool for remote cluster and storage management. A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136). Fixes in this updated package include : * The nodename is now set for manual fencing. * The node log no longer displays in random order. * A bug that prevented a node from responding when a cluster was deleted is now fixed. * A PAM configuration that incorrectly called the deprecated module pam_stack was removed. * A bug that prevented some quorum disk configurations from being accepted is now fixed. * Setting multicast addresses now works properly. * rpm -V on luci no longer fails. * The user interface rendering time for storage interface is now faster. * An error message that incorrectly appeared when rebooting nodes during cluster creation was removed. * Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion. * A user permission bug resulting from a luci code error is now fixed. * luci and ricci init script return codes are now LSB-compliant. * VG creation on cluster nodes now defaults to last seen 2020-06-01 modified 2020-06-02 plugin id 63842 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/63842 title RHEL 5 : conga (RHSA-2007:0640) NASL family Scientific Linux Local Security Checks NASL id SL_20071107_CONGA_ON_SL5_X.NASL description A flaw was found in ricci during a code audit. A remote attacker who is able to connect to ricci could cause ricci to temporarily refuse additional connections, a denial of service (CVE-2007-4136). Fixes in this updated package include : - The nodename is now set for manual fencing. - The node log no longer displays in random order. - A bug that prevented a node from responding when a cluster was deleted is now fixed. - A PAM configuration that incorrectly called the deprecated module pam_stack was removed. - A bug that prevented some quorum disk configurations from being accepted is now fixed. - Setting multicast addresses now works properly. - rpm -V on luci no longer fails. - The user interface rendering time for storage interface is now faster. - An error message that incorrectly appeared when rebooting nodes during cluster creation was removed. - Cluster snaps configuration (an unsupported feature) has been removed altogether to prevent user confusion. - A user permission bug resulting from a luci code error is now fixed. - luci and ricci init script return codes are now LSB-compliant. - VG creation on cluster nodes now defaults to last seen 2020-06-01 modified 2020-06-02 plugin id 60284 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60284 title Scientific Linux Security Update : conga on SL5.x i386/x86_64
Oval
| accepted | 2013-04-29T04:22:56.073-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:9871 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
| title | The ricci daemon in Red Hat Conga 0.10.0 allows remote attackers to cause a denial of service (loss of new connections) by repeatedly sending data or attempting connections. | ||||||||||||
| version | 18 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2007-0640.html
- http://secunia.com/advisories/27611
- http://securitytracker.com/id?1018921
- http://www.securityfocus.com/bid/26393
- https://bugzilla.redhat.com/show_bug.cgi?id=336101
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38358
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9871