NagiosXI SQL injection vulnerability

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
markmerchant
Posts: 65
Joined: Tue Oct 17, 2017 8:38 am

NagiosXI SQL injection vulnerability

Post by markmerchant »


Version
    NagiosXI: Nagios XI 5.5.11
    uname -a: Linux cvglqnagios01.td.afg 3.10.0-957.5.1.el7.x86_64 #1 SMP Wed Dec 19 10:46:58 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

Problem
    After upgrading Nagios XI to 5.5.11 we received notice from our Qualys team
    that the server is still vulnerable to CVE-2018-10738, CVE-2018-10737,
    CVE-2018-10736, and/or CVE-2018-10735.

Suggested solution
    They are advising that we create the following file and add a stanza. Is
    this a supported fix? Thx.

    /etc/httpd/conf.d/nagiosql.conf
        Alias /nagiosql "/var/www/html/nagiosql"

        <Directory "/var/www/html/nagiosql">
           Options None
           AllowOverride None
           Order deny,allow
           Deny from all
        </Directory>
markmerchant
Posts: 65
Joined: Tue Oct 17, 2017 8:38 am

Re: NagiosXI SQL injection vulnerability

Post by markmerchant »

Looks like this is some sort of addon to our original Nagios installation left over from about 2012.

I am going to delete the directory and see what happens.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NagiosXI SQL injection vulnerability

Post by scottwilkerson »

markmerchant wrote:
> Looks like this is some sort of addon to our original Nagios installation left over from about 2012.
>
> I am going to delete the directory and see what happens.

That would be a correct assessment; we do not use the nagiosql directory in XI 5.5.11.
Former Nagios employee
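
A check for the two remediations discussed in this thread (deny access to the directory, or delete it), written as an added example that is not part of the original posts and not Nagios code. The function names `dir_denied` and `audit_nagiosql` are hypothetical. It accepts the `Deny from all` directive quoted in the first post as well as the Apache 2.4 form `Require all denied`.

```shell
#!/usr/bin/env bash
# Added example: audit a host for a leftover NagiosQL web directory.
# Function names are hypothetical; paths are arguments, not hard-coded.

# dir_denied CONF_FILE DIR_PATH
# Succeeds if CONF_FILE has a <Directory "DIR_PATH"> block that denies all
# access via "Deny from all" (2.2 style) or "Require all denied" (2.4 style)
# and contains no allow/grant line that would override the deny.
dir_denied() {
    awk -v want="$2" '
        /^[ \t]*<Directory[ \t]/ {
            path = $0
            sub(/^[ \t]*<Directory[ \t]+/, "", path)
            sub(/>[ \t]*$/, "", path)
            gsub(/"/, "", path)
            sub(/\/+$/, "", path)
            inblk = (path == want)
            next
        }
        /^[ \t]*<\/Directory>/ { inblk = 0; next }
        inblk && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all[ \t]*$/ { found = 1 }
        inblk && tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+denied[ \t]*$/ { found = 1 }
        inblk && tolower($0) ~ /^[ \t]*(allow[ \t]+from|require[ \t]+all[ \t]+granted)/ { allowed = 1 }
        END { exit ((found && !allowed) ? 0 : 1) }
    ' "$1"
}

# audit_nagiosql WEB_DIR CONF_DIR
# Prints: absent | present-denied | present-no-deny
# "present-no-deny" means no deny stanza was found in CONF_DIR; access may
# still be restricted elsewhere, so treat it as "needs review".
audit_nagiosql() {
    local web_dir="${1%/}" conf_dir="$2" f
    if [ ! -d "$web_dir" ]; then
        echo "absent"; return 0
    fi
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        if dir_denied "$f" "$web_dir"; then
            echo "present-denied"; return 0
        fi
    done
    echo "present-no-deny"; return 1
}

# With the paths from the first post:
#   audit_nagiosql /var/www/html/nagiosql /etc/httpd/conf.d
```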