251 PHP and Apache vulnerabilities in recent Nagios XI

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

251 PHP and Apache vulnerabilities in recent Nagios XI

Post by dlukinski »

Hi

We've inquired about the Nagios XI VM (created by Nagios) having many PHP and Apache vulnerabilities.
Now we've installed the most recent CentOS and XI 5.6.2 and re-scanned this install for vulnerabilities.

251 PHP and Apache vulnerabilities were listed.

What could be done about this very long list?
- clearly insecure and for a long while

List attached
SteveBeauchemin
Posts: 524
Joined: Mon Oct 14, 2013 7:19 pm

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Post by SteveBeauchemin »

I also looked into this because we harden and patch our servers regularly.

There is a basic problem with most vulnerability scanners. They don't scan anything. They just look at the OS version and the App version and then do a lookup in their database. They do not take into account that the backporting of those apps could have taken care of the issues already.

CentOS is a Red Hat system with the branding removed. This might be interesting for you to read. Very short...
https://access.redhat.com/security/updates/backporting/

I brought this up to my security people and Unix Administrators and they educated me and lowered my blood pressure.

Turns out that the version numbers of these programs are not enough information to decide if the code is good or bad. Some vendors actually use the CVE information, research, and implement the code fixes in their older versions. This surprised me as I have never considered that the version from one source would be different from the same version acquired elsewhere.

Just FYI...

Steve B
XI 5.7.3 / Core 4.4.6 / NagVis 1.9.8 / LiveStatus 1.5.0p11 / RRDCached 1.7.0 / Redis 3.2.8 /
SNMPTT / Gearman 0.33-7 / Mod_Gearman 3.0.7 / NLS 2.0.8 / NNA 2.3.1 /
NSClient 0.5.0 / NRPE Solaris 3.2.1 Linux 3.2.1 HPUX 3.2.1
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Post by scottwilkerson »

Thanks Steve, you are in fact correct. This scan had to be done with software that simply determines that php < 5.6 is vulnerable, which isn't really the case: all these CVEs have been backported, and if the php version on your system is up to date and you are running an OS that isn't EOL, you should be fine.

These CVEs are not Nagios specific, just OS/php/httpd specific.

An update will get the patched version, but your scanner will likely still report the same thing:

Code:

yum update
Former Nagios employee
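Since a version-matching scanner cannot see a backported fix, the practical check on a CentOS/RHEL box is the package changelog, where the distribution records the CVE ids it has backported. The shell functions below are an added example (not code from the thread or from Nagios); the changelog text and its CVE ids are constructed placeholders standing in for real `rpm -q --changelog` output.

```shell
#!/bin/sh
# Added example: distinguish "vulnerable by version string" from
# "fix backported" by reading the RPM changelog instead of the version.

# Constructed sample changelog (placeholder CVE ids, not real advisories),
# in the format `rpm -q --changelog php` prints on CentOS/RHEL.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Maintainer <maint@example.invalid> - 5.4.16-46
- placeholder fix (CVE-0000-0001)
- two more backported fixes (CVE-0000-0002, CVE-0000-0003)
* Mon Dec 03 2018 Example Maintainer <maint@example.invalid> - 5.4.16-45
- rebuild'

# cves_in_changelog: read a changelog on stdin, print each distinct CVE id.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# cve_in_changelog CVE-ID: exit 0 if the id appears (as a whole word) in
# the changelog read from stdin, i.e. the fix was backported.
cve_in_changelog() {
    grep -qiw -- "$1"
}

# sample_has_cve CVE-ID: same check against the constructed sample.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"
}

# check_finding PKG CVE-ID: triage one scanner finding on a live system.
# Falls back to the sample when rpm is not available (e.g. a non-RPM host).
check_finding() {
    pkg=$1; cve=$2
    if command -v rpm >/dev/null 2>&1; then
        log=$(rpm -q --changelog "$pkg" 2>/dev/null)
    else
        log=$SAMPLE_CHANGELOG
    fi
    if printf '%s\n' "$log" | cve_in_changelog "$cve"; then
        echo "$cve: fix present in installed $pkg changelog (backported)"
    else
        echo "$cve: not in $pkg changelog; run 'yum update $pkg' and re-check"
    fi
}
```

Use `check_finding php CVE-XXXX-NNNN` with an id from the scanner report; the scanner's own re-scan will still flag the version, so keep the changelog output as the evidence for your risk register.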
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Post by dlukinski »

Thank you for confirming Nagios Support and Development's take on PHP & Apache vulnerabilities.
We could close this topic now.