Core Vulnerability for CVE-2016-10089

Fred Kroeger
Posts: 588
Joined: Wed Oct 19, 2011 11:36 pm
Location: Perth, Western Australia

Core Vulnerability for CVE-2016-10089

Post by Fred Kroeger »

The below link refers to a security vulnerability for 4.2.4 and below.
Can you advise when an update will be provided or in the meantime if there is a work-around I can implement?

https://web.nvd.nist.gov/view/vuln/deta ... 2016-10089

Thanks.... Fred
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Core Vulnerability for CVE-2016-10089

Post by dwhitfield »

Fixed in XI 5.4. Is that all you needed to know? :)
Fred Kroeger

Re: Core Vulnerability for CVE-2016-10089

Post by Fred Kroeger »

Thanks - couldn't see a reference to that in the Change Log.
I need to report back to the Security Team - in which release of 5.4 was the fix implemented?
dwhitfield

Re: Core Vulnerability for CVE-2016-10089

Post by dwhitfield »

Fix was in 5.4

Change log entry mentions a meta fix:
- Upgraded Nagios Core to version 4.2.4 -JO
Nagios Core changelog at https://github.com/NagiosEnterprises/na ... /Changelog

Please let us know if you need any more details.
Fred Kroeger

Re: Core Vulnerability for CVE-2016-10089

Post by Fred Kroeger »

Yes, I saw that entry in the change log; however, the vulnerability advisory refers to Core 4.2.4 and below.
There is no subsequent entry in the change log that states that this vulnerability has been addressed.
Sorry for the hassle.... I just need some documented proof that CVE-2016-10089 has been fixed.
dwhitfield

Re: Core Vulnerability for CVE-2016-10089

Post by dwhitfield »

Thank you for your perseverance. We got so many questions about the things fixed in 4.2.4 that I just assumed this was one of those.

It does not appear this one has been fixed in the new releases of Core. I brought this to the attention of the Core developer. I know there is a [email protected] email address for reporting, but I am not sure if there is a way for me to view what has been reported.
Fred Kroeger

Re: Core Vulnerability for CVE-2016-10089

Post by Fred Kroeger »

Thanks - can you keep this open and update it please when you get confirmation that it has been fixed?
dwhitfield

Re: Core Vulnerability for CVE-2016-10089

Post by dwhitfield »

For sure. I just checked the maintenance branch on github and no changes yet.
Fred Kroeger

Re: Core Vulnerability for CVE-2016-10089

Post by Fred Kroeger »

Was this vulnerability addressed in the latest release of Nagios XI?
dwhitfield

Re: Core Vulnerability for CVE-2016-10089

Post by dwhitfield »

Looks like there is no fix yet in the maint branch: https://github.com/NagiosEnterprises/na ... /Changelog

Occasionally there are fixes in XI that aren't in Core, but it does not look like this is one of them: https://assets.nagios.com/downloads/nag ... NGES-5.TXT

I filed a github issue so it doesn't slip through the cracks: https://github.com/NagiosEnterprises/na ... issues/353