Has anyone heard of this exploit? Our Security team emailed me about it, but I'm having trouble getting credible information on it.
I looked in the XI release notes, but it doesn't look like CVEs are listed in the release notes.
This is what I found via Google:
http://www.cve.mitre.org/cgi-bin/cvenam ... -2016-9565
https://legalhackers.com/advisories/Nag ... -4796.html
Reported Nagios exploit: CVE-2016-9565
Last edited by dwhitfield on Wed Jan 04, 2017 1:38 pm, edited 1 time in total.
dwhitfield (Former Nagios Staff)
Re: Reported Nagios exploit: CVE-2016-9565
From https://github.com/NagiosEnterprises/na ... /Changelog4.2.2 - 2016-10-24
------------------
SECURITY FIXES
* There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on
August 1, 2016. The fix was apparently incomplete, as there was still a
problem. However, we are now getting all RSS feeds using AJAX calls
instead of the (outdated) MagpieRSS package. Thanks for bringing this to
our attention go to Dawid Golunski (http://legalhackers.com).
You'll see that the 2008 CVE is mentioned in the legalhackers.com post to which you linked. My apologies for the ambiguous changelog.
Core will be getting an update in 5.4: https://www.nagios.com/roadmaps/
The upgrades of Core from within XI are not straightforward and are unsupported. They are known to be particularly difficult on Cent 6. Cent 7 works better, but again, the upgrade is unsupported.
If waiting until 5.4 is not going to work for you, we can further discuss options.
Re: Reported Nagios exploit: CVE-2016-9565
Updated to 5.4.0.
I assume that the issue is resolved.
Thanks.
dwhitfield (Former Nagios Staff)
Re: Reported Nagios exploit: CVE-2016-9565
Indeed. Ready to lock it up?