An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2024-1159 Final 1.0 1.0 2024-02-08 Initial 2024-02-08 2024-02-08 openEuler SA Tool V1.0 2024-02-08 aops-ceres security update An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3. An agent which needs to be adopted in client, it managers some plugins, such as gala-gopher(kpi collection), fluentd(log collection) and so on. Security Fix(es): In versions 1.3.0-1.4.1 of the ceres software package, the execute_shell_command function does not properly verify or filter the command or subcommand parameters entered by users. This allows an attacker to exploit the vulnerability by injecting malicious code and execute arbitrary commands locally. Attackers can exploit this vulnerability to perform unauthorized operations, which may cause severe security threats and losses to the system.(CVE-2021-33633) An update for aops-ceres is now available for openEuler-20.03-LTS-SP4 and openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High aops-ceres https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1159 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-33633 https://nvd.nist.gov/vuln/detail/CVE-2021-33633 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 da-tool-v1.3.4-14.oe2003sp4.aarch64.rpm dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.aarch64.rpm aops-ceres-v1.3.4-14.oe2003sp4.aarch64.rpm aops-ceres-v1.4.1-6.oe2203sp3.aarch64.rpm da-tool-v1.4.1-6.oe2203sp3.aarch64.rpm dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.aarch64.rpm aops-ceres-v1.3.4-14.oe2003sp4.src.rpm aops-ceres-v1.4.1-6.oe2203sp3.src.rpm da-tool-v1.3.4-14.oe2003sp4.x86_64.rpm dnf-hotpatch-plugin-v1.3.4-14.oe2003sp4.x86_64.rpm aops-ceres-v1.3.4-14.oe2003sp4.x86_64.rpm aops-ceres-v1.4.1-6.oe2203sp3.x86_64.rpm da-tool-v1.4.1-6.oe2203sp3.x86_64.rpm dnf-hotpatch-plugin-v1.4.1-6.oe2203sp3.x86_64.rpm In versions 1.3.0-1.4.1 of the ceres software package, the execute_shell_command function does not properly verify or filter the command or subcommand parameters entered by users. This allows an attacker to exploit the vulnerability by injecting malicious code and execute arbitrary commands locally. Attackers can exploit this vulnerability to perform unauthorized operations, which may cause severe security threats and losses to the system. 2024-02-08 CVE-2021-33633 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 High 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H aops-ceres security update 2024-02-08 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2024-1159