PHP and myphpadmin vulnerabilities with NagiosXi

Locked
myou
Posts: 5
Joined: Fri Mar 28, 2014 1:31 am

PHP and myphpadmin vulnerabilities with NagiosXi

Post by myou »

We received an internal scan report of a vulnerability with our NagiosXi server. I need your guidance on how to mitigate the issues identified.
NagiosXi installed Version: 5.4.13
The server is running Red Hat Enterprise Linux Server release 7.5 (Maipo)
The version of php installed is 5.4.16-45. Red Hat reports that there will be no CVE fix issued for php-5.4 or php-5.5. There is a release of package rh-php56-2.3-1.el7.x86_64. I need to know if php-5.4 components can be removed and php-56 installed. If yes, what should be the process followed? If not, what is our course of action?

Installed Packages
sudo rpm -qa |grep php
php-common-5.4.16-45.el7.x86_64
php-process-5.4.16-45.el7.x86_64
php-5.4.16-45.el7.x86_64
php-mbstring-5.4.16-45.el7.x86_64
php-mssql-5.4.16-4.el7.x86_64
php-pear-HTML-Template-IT-1.3.0-2.el5.noarch
php-cli-5.4.16-45.el7.x86_64
php-ldap-5.4.16-45.el7.x86_64
php-snmp-5.4.16-45.el7.x86_64
php-pecl-ssh2-0.12-1.el7.x86_64
php-pdo-5.4.16-45.el7.x86_64
php-mysql-5.4.16-45.el7.x86_64
php-gd-5.4.16-45.el7.x86_64
php-pear-1.9.4-21.el7.noarch
php-pgsql-5.4.16-45.el7.x86_64
php-mcrypt-5.4.16-4.el7.x86_64
php-xml-5.4.16-45.el7.x86_64

I see this file reference for phpmyadmin. I am not familiar with how phpmyadmin is used with Nagios. Can it be disabled and what would be the effect?
/usr/share/nmap/scripts/http-phpmyadmin-dir-traversal.nse

Here is the text for the vulnerability:
PHP has been reported to be vulnerable to the following issues:
- An error exists with the virtual_file_ex function. Specifically, the function defines the "path_length" variable as a signed integer and is not checked for negative values. (CVE-2016-6289)
- An Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c. The error occurs with how the "php_stream_zip_opener" function fails to check the path_len variable value when PHP handles a zip stream. (CVE-2016-6297)

- PhpMyAdmin is prone to a cross-site scripting vulnerability because certain input passed to the database search script is not properly sanitized before being returned to the user.

PhpMyAdmin is prone to the following vulnerabilities:
- phpMyAdmin fails to validate BBcode tags in user input of error.php (CVE-2010-4480)
- Unauthenticated user is able to display phpinfo output if phpMyAdmin was enabled to show it. (CVE-2010-4481)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by scottwilkerson »

We do not use phpmyadmin, that file is just part of nmap.

As for updating to php 5.6, yes, you can do that. The process would go something like this:


How to install PHP 5.6 on XI 5.4.9+
===================================
1. MUST HAVE CLEAN INSTALL OF XI 5.4.9+ ON CLEAN MACHINE
----------
2. Install new PHP version
- Install webtatic repo (example below is for CentOS/RHEL 7)

Code:

    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
- Remove PHP 5.x (this will remove ssh2, pear, pecl, HTML_Template_IT, and nagiosxi-deps, this is OK!)

Code:

    # Quote the glob so the shell passes it to yum instead of expanding it against local file names
    yum remove -y 'php*'
- Install PHP 5.6

Code:

    yum install -y php56w php56w-cli php56w-common php56w-mysql php56w-pdo php56w-devel php56w-mbstring php56w-snmp php56w-ldap php56w-gd php56w-xml php56w-mcrypt php56w-process php56w-mssql php56w-pear
- Remove old SG loader file

Code:

    rm -rf /usr/lib64/php/modules/ixed.5.4.lin
- Copy new SG loader file

Code:

    cd /tmp/nagiosxi/sourceguardian
    unzip ixed4.lin.x86-64.zip
    cp ixed.5.6.lin /usr/lib64/php/modules
- Update SG version in SG ini file

Code:

    # Escape the dot so only a literal "5.4" is rewritten
    sed -i 's/5\.4/5.6/' /etc/php.d/sourceguardian.ini
- Set PHP timezone (we just use US/Central in the example)

Code:

    sed -i "s/;date.timezone.*/date.timezone = US\/Central/" /etc/php.ini
- Restart Apache

Code:

    service httpd restart
----------
3. Make sure pear dependencies are installed
- Must install ssh2 (either using pecl or by using php<version>-pecl-ssh2 if available)
(NOTE: Run each command separately one at a time)

Code:

    yum install -y libssh2-devel
    pecl install ssh2
    echo "extension=ssh2.so" > /etc/php.d/ssh2.ini
- Must install HTML_Template_IT from pear

Code:

    pear install HTML_Template_IT
- You must restart apache again

Code:

    service httpd restart
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
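
A post-upgrade check for the steps in the post above, as an added example that is not part of the original post and not Nagios tooling. It confirms that no PHP 5.4/5.5 packages remain, that the CLI reports 5.6, that the SourceGuardian ini points at a 5.6 loader that exists, and that ssh2 is loaded. The function names are made up for this example, and the ini is assumed to name the loader file (ixed.5.6.lin).

```sh
#!/bin/sh
# Added example: post-upgrade audit for the PHP 5.4 -> 5.6 steps in this thread.

# Filter an `rpm -qa` listing on stdin down to packages still built for
# PHP 5.0-5.5. Add-ons such as php-pear or php-pecl-ssh2 carry their own
# version numbers and are not matched; neither are the php56w-* packages.
stale_php_pkgs() {
    grep -E '^php(-[a-z0-9]+)*-5\.[0-5]\.[0-9]+-' || true
}

# Succeed only if the SourceGuardian ini ($1) names a 5.6 loader, no longer
# names a 5.4 one, and that loader file exists in the module directory ($2).
# Assumption: the ini refers to the loader by file name (ixed.5.6.lin).
sg_loader_ok() {
    sg_ini=$1
    sg_moddir=$2
    if grep -q 'ixed\.5\.4' "$sg_ini"; then
        return 1
    fi
    sg_loader=$(sed -n 's/.*\(ixed\.5\.6\.[a-z]*\).*/\1/p' "$sg_ini" | head -n 1)
    [ -n "$sg_loader" ] && [ -f "$sg_moddir/$sg_loader" ]
}

# Run every check against the live host; paths are the ones used in the thread.
audit_host() {
    rc=0
    stale=$(rpm -qa | stale_php_pkgs)
    if [ -n "$stale" ]; then
        echo "FAIL: PHP 5.4/5.5 packages still installed:"
        echo "$stale"
        rc=1
    fi
    case "$(php -r 'echo PHP_VERSION;')" in
        5.6.*) ;;
        *) echo "FAIL: CLI PHP is not 5.6"; rc=1 ;;
    esac
    sg_loader_ok /etc/php.d/sourceguardian.ini /usr/lib64/php/modules ||
        { echo "FAIL: SourceGuardian loader does not match PHP 5.6"; rc=1; }
    php -m | grep -qx ssh2 || { echo "FAIL: ssh2 extension not loaded"; rc=1; }
    return "$rc"
}

# Only touch the system when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it with `--audit` on the XI server after the final Apache restart; a non-zero exit status means at least one check failed.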
myou
Posts: 5
Joined: Fri Mar 28, 2014 1:31 am

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by myou »

Can you clarify why the direction to use webtatic.rpm? "rpm -Uvh https://mirror.webtatic.com/yum/el7/web ... elease.rpm" I would assume this was just a sample of a couple different sources for RPMS. The satellite subscription has Red Hat Software Collections (RHEL 7 Server x86_64) and provides rh-php56.
myou
Posts: 5
Joined: Fri Mar 28, 2014 1:31 am

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by myou »

Please provide more detail on step 1. MUST HAVE CLEAN INSTALL OF XI 5.4.9+ ON CLEAN MACHINE

What do you mean CLEAN machine? Am I to read into this that I will need to do a database/configuration dump, Remove NagiosXI installation. Remove php-5.4*. Install php-5.6. install NagiosXI, then import of old nagios monitoring information?
myou
Posts: 5
Joined: Fri Mar 28, 2014 1:31 am

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by myou »

Another question. I am guessing I need to do a config export versus a backup/restore to repopulate NagiosXi after the clean install of NagiosXi. I found this doc https://assets.nagios.com/downloads/nag ... tabase.pdf
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by scottwilkerson »

myou wrote:
Please provide more detail on step 1. MUST HAVE CLEAN INSTALL OF XI 5.4.9+ ON CLEAN MACHINE

What do you mean CLEAN machine? Am I to read into this that I will need to do a database/configuration dump, Remove NagiosXI installation. Remove php-5.4*. Install php-5.6. install NagiosXI, then import of old nagios monitoring information?

This really just means it is version 5.4.9+ of XI as well as configuration already applies properly and there are no database errors.

myou wrote:
Another question. I am guessing I need to do a config export versus a backup/restore to repopulate NagiosXi after the clean install of NagiosXi. I found this doc https://assets.nagios.com/downloads/nag ... tabase.pdf

This is not necessary, you can just perform the upgrade. I would take a normal backup and, if it is a VM, a snapshot that you could roll back to if you have issues.
myou
Posts: 5
Joined: Fri Mar 28, 2014 1:31 am

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by myou »

Thanks for the quick responses. Can you clarify what is going to happen when our license expires? There is some slowness internally to getting the license renewed.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: PHP and myphpadmin vulnerabilities with NagiosXi

Post by scottwilkerson »

myou wrote:
Thanks for the quick responses. Can you clarify what is going to happen when our license expires? There is some slowness internally to getting the license renewed.

Your XI server will still function but you would not be able to upgrade or access customer support or open tickets.