Multiple security vulnerabilities found in Nagios Log Server

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
ScottMc
Posts: 26
Joined: Mon Aug 06, 2018 9:35 am

Multiple security vulnerabilities found in Nagios Log Server

Post by ScottMc »

During our latest security scan, we got hit with several vulnerabilities that need to be resolved in order to continue using our NLS cluster:

PHP mb_send_mail() Function Parameter Security Bypass (https://www.tenable.com/plugins/nessus/17716)
JQuery 1.2 < 3.5.0 Multiple XSS (https://www.tenable.com/plugins/nessus/136929)
Apache Log4j 1.x Multiple Vulnerabilities (https://www.tenable.com/plugins/nessus/156860)

I couldn't find anything regarding the PHP sendmail in the forums, but I did find a post regarding the JQuery issue. The thread was closed almost a year ago with basically "we have no plans to fix this". We are also still waiting to hear back on whether Log4j will be upgraded as well. While I can appreciate there are a lot of moving parts to a product like this, this is a long time to be leaving known exploited software packages in products in the wild. We need advisement on whether these are on a roadmap so we can decide whether to switch to something else.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Multiple security vulnerabilities found in Nagios Log Se

Post by ssax »

Please PM me the exact details that the scanner found (they are generally in the scan results and show the endpoints, what it detected, etc.) so that we can investigate them.

Include the Log Server version that you have installed on the system and the output of these commands:


uname -a
cat /etc/*release
php -v
See here for the Log4j information:

https://www.nagios.com/news/2021/12/upd ... erability/
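Alongside the version commands above, a defender will usually want to confirm on the host itself which files the two library findings refer to (jQuery below 3.5.0, Nessus 136929; any Log4j 1.x jar, Nessus 156860). The script below is an added example, not code from the thread or from Nagios; it assumes the install directory is passed as the first argument, and the sample tree it builds when run without one is constructed and does not reflect the real Log Server layout.

```shell
#!/bin/sh
# Added example (not from the thread): locate jQuery builds below 3.5.0 and
# Log4j 1.x jars under an install tree. The tree path is an assumption: $1.
# Print the version from a jQuery file header, e.g. "jQuery v1.12.4 | ..."
# or " * jQuery JavaScript Library v3.5.1"; prints nothing if none is found.
jquery_version() {
  head -n 5 "$1" | sed -n 's/.*jQuery.* v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True when dotted version $1 is lower than $2, compared field by field
# numerically so that 3.10.0 sorts above 3.5.0 (plain string order would not).
version_lt() {
  [ "$1" != "$2" ] &&
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Log4j 1.x jars carry the version in the file name (log4j-1.2.17.jar).
# Prints that version for a 1.x jar, nothing for anything else (e.g. log4j-core-2.x).
log4j1_version() {
  basename "$1" | sed -n 's/^log4j-\(1\.[0-9][0-9.]*\)\.jar$/\1/p'
}

# Walk $1 and print one finding per affected file; no output means clean.
scan_tree() {
  find "$1" -type f \( -name 'jquery*.js' -o -name 'log4j-*.jar' \) 2>/dev/null |
  while IFS= read -r f; do
    case "$f" in
      *.js)  v=$(jquery_version "$f")
             if [ -n "$v" ] && version_lt "$v" 3.5.0; then
               echo "jQuery $v < 3.5.0: $f"
             fi ;;
      *.jar) v=$(log4j1_version "$f")
             if [ -n "$v" ]; then echo "Log4j 1.x $v: $f"; fi ;;
    esac
  done
}

# Constructed sample tree (not a real Log Server layout): two affected files, two clean.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/www/js" "$d/elasticsearch/lib"
  printf '/*! jQuery v1.12.4 | (c) jQuery Foundation */\n' > "$d/www/js/jquery-1.12.4.min.js"
  printf '/*!\n * jQuery JavaScript Library v3.5.1\n */\n' > "$d/www/js/jquery-3.5.1.js"
  : > "$d/elasticsearch/lib/log4j-1.2.17.jar"
  : > "$d/elasticsearch/lib/log4j-core-2.17.1.jar"
  echo "$d"
}

scan_tree "${1:-$(make_sample_tree)}"
```

The PHP mb_send_mail() finding is a matter of the installed PHP version, which the `php -v` output requested above already covers.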