XI CVEs

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
J.A.K
Posts: 103
Joined: Wed Aug 05, 2020 11:39 am

XI CVEs

Post by J.A.K »

We are getting flagged by our security team for 3 new CVEs added by CISA targeting Nagios XI:

https://www.cisa.gov/uscert/ncas/curren ... es-catalog

CVE-2021-25296 Nagios XI OS Command Injection Vulnerability
CVE-2021-25297 Nagios XI OS Command Injection Vulnerability
CVE-2021-25298 Nagios XI OS Command Injection Vulnerability

I know these normally get fixed by the minor version releases, but since there is no set schedule I know of for those releases, I wanted to ask a few questions I can take back to my risk management.

1. Is Nagios aware of these CVEs to correct them in the next update?
2. Will that update be out by the February 1st CISA action due date?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: XI CVEs

Post by ssax »

1. Yes, please see here next to each for the remediation:

https://www.nagios.com/products/security/

What XI version is your system running? You can find it on the bottom left-hand side after logging in.

What OS version is the XI server running?

Code:

uname -a
cat /etc/*release

2. They should be fixed if you upgrade to the latest version of XI and upgrade the wizards/components to the latest in Admin > Manage Components and Admin > Manage Wizards. I'll know more based on your responses above.
J.A.K
Posts: 103
Joined: Wed Aug 05, 2020 11:39 am

Re: XI CVEs

Post by J.A.K »

Nagios 5.8.7 and RHEL 8.4. And that's perfect, I had no idea that page or, in fact, the wizard updates existed. Looking at versions, it looks like we're already covered. Thank you!
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: XI CVEs

Post by ssax »

You should not be vulnerable based on that.

Let us know when we're okay to close this ticket.

Thank you!
J.A.K
Posts: 103
Joined: Wed Aug 05, 2020 11:39 am

Re: XI CVEs

Post by J.A.K »

You're good to lock this thread. Thank you!