Nagios core Version 4.1.1 in nagios xi 5.3

[vuduops]

Hi;

Our security team informed us that the current version of nagios core version 4.1.1 in the nagiosxi version has a cross site scripting vulnerability. Is there a way to upgrade the nagios core or even disable if not being used ?

-Krishna

[dwhitfield]

The supported way is to upgrade XI to 5.4. https://assets.nagios.com/downloads/nag ... 4.0.tar.gz or http://repo.nagios.com/

If you aren't on 5.3.4, I'd suggest upgrading to that first: https://assets.nagios.com/downloads/nag ... 3.4.tar.gz. An incredibly small subset of users (5?) have had better luck with upgrading to 5.3.4 first.

XI uses Core, so no, Core cannot be disabled.

Please let us know if you have additional questions.

[vuduops]

I upgraded to 5.3.4, When I did that I lost both my host and service configuration files. I went ahead and tried upgrade 5.4 but the upgrade failed. I have attached the upgrade.log for your reference.

Thanks
Krishna

[dwhitfield]

Thanks for sending the upgradelog!

The error you got is because our installer can't figure out your init system. Have you modified your init system in any way?

What's the output of stat /proc/1/exe?

It looks as though you are running Cent/RHEL 6, but let's check ll /usr/lib/systemd.

[vuduops]

No we didnot modify the init system.here is the info you requested for ....

Code: Select all

[[email protected] ~]# stat /proc/1/exe
  File: `/proc/1/exe' -> `/sbin/init'
  Size: 0         	Blocks: 0          IO Block: 1024   symbolic link
Device: 3h/3d	Inode: 14096895    Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-01-13 03:34:29.786477195 +0000
Modify: 2016-12-17 03:12:22.195477194 +0000
Change: 2016-12-17 03:12:22.195477194 +0000
[[email protected] ~]# ll /usr/lib/systemd
ls: cannot access /usr/lib/systemd: No such file or directory

[dwhitfield]

I went into /tmp/nagiosxi/subcomponents/ndoutils/upgrade and commented out the make install-init line and my upgrade went through "fine".

You should also comment out the rm -rf "$pkgname" line because you will need to go back and install and make the init stuff. I will need to do a bit more digging on the init stuff, but you don't need it to get up and running.

I did need to repair the db after the upgrade...whether waiting for everything to catch up would have been enough, I don't know.

Code: Select all

service mysqld stop
/usr/local/nagiosxi/scripts/repairmysql.sh nagios
service mysqld start

[vuduops]

I was able to upgrade directly to 5.4.0 and had no issues doing that ...

-Krishna

[dwhitfield]

It sounds like this issue has been resolved. Is it okay if we lock this thread? Thanks for choosing the Nagios forums!