Hi,
We are running Nagios XI 5.6.2 and a vulnerability has been flagged up for the version of PHP that we are running.
Firstly does Nagios need PHP to be running? And if so does it support PHP version 5.6.11 onwards? Are there any known issues with upgrading PHP to the latest version? Version 7.3.8 looks to be the latest version.
Thanks.
PHP vulnerability.
benjaminsmith
Re: PHP vulnerability.
Hello @ppalmer,
Nagios XI will need PHP installed on the server to run, and we support the following versions: 5.3, 5.4, 5.5, 5.6 | 7.0, 7.1, 7.2 (XI 5.5+).
We here at Nagios Enterprises don't choose which versions of packages such as PHP or Apache to install. Those decisions are made by the operating system vendor, i.e. RHEL or CentOS.
To mitigate security vulnerabilities while avoiding backward compatibility issues, RHEL, and by extension CentOS, uses a process known as backporting. Here's how it works: RHEL patches the supported versions of these packages with the security fixes from the newer versions of these packages. For example, they will take the code from, say, PHP 7.2 and apply the security vulnerability fixes from that version to the shipped version, in the case of RHEL 7, PHP 5.4.16. A security audit that checks only the version numbers of installed packages does not take this process into account.
It's possible to upgrade, but the trade-off is that you'll be adding additional repos to your installation and you may run into issues with upgrades, as we develop and test on the base installations provided by the operating system vendor. You also have the option of migrating to another distribution such as Ubuntu Server, which installs PHP 7.x.
See: Backporting Security Fixes
Let me know if you have any further questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
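The point above, that a version-only scanner cannot see a backported fix, is something you can check yourself on the box: on RHEL/CentOS the package changelog (`rpm -q --changelog php`) records which CVEs the vendor folded into the shipped 5.4.16 build. The script below is an added example, not code from the thread or from Nagios; it looks the CVE up in the changelog instead of trusting the version string. The CVE id `CVE-0000-0001` and the changelog text in `sample_changelog` are constructed placeholders for the demo; when `rpm` and the package are present it reads the real changelog instead.

```shell
#!/bin/sh
# Added example: does the installed package carry a backported fix for a CVE?
# A version-only scanner sees "php 5.4.16" and flags it; the RPM changelog is
# where the vendor records the backport. CVE ids below are placeholders.

# Constructed sample changelog, used only when rpm or the package is absent.
sample_changelog() {
    cat <<'EOF'
* Tue Jan 01 2019 Example Maintainer <maint@example.invalid> - 5.4.16-46
- fix for CVE-0000-0001 (backported from upstream 7.2)
- rebuilt

* Mon Jan 01 2018 Example Maintainer <maint@example.invalid> - 5.4.16-45
- fix for CVE-0000-0002
EOF
}

# Print the changelog of PKG from rpm when available, else the sample text.
package_changelog() {
    pkg="$1"
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --changelog "$pkg"
    else
        sample_changelog
    fi
}

# changelog_mentions_cve CHANGELOG_TEXT CVE-ID: exit 0 if the id appears as a
# whole token (so CVE-0000-0001 does not match CVE-0000-00011).
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -Eiq "(^|[^0-9A-Za-z-])$2([^0-9]|$)"
}

# First changelog line naming the CVE, kept as evidence for the audit report.
changelog_evidence() {
    printf '%s\n' "$1" | grep -Ei "$2" | head -n 1
}

# check_cve PKG CVE-ID: report and return 0 when the fix is recorded, else 1.
# Absence of an entry is treated as "unpatched"; it is not proof of exposure,
# but it is the case where the version-number finding still stands.
check_cve() {
    pkg="$1"; cve="$2"
    log=$(package_changelog "$pkg")
    if changelog_mentions_cve "$log" "$cve"; then
        echo "$pkg: $cve fixed by backport: $(changelog_evidence "$log" "$cve")"
        return 0
    fi
    echo "$pkg: no changelog entry for $cve; treat as unpatched"
    return 1
}

# Usage: ./check_cve.sh php CVE-YYYY-NNNN
if [ "$#" -eq 2 ]; then
    check_cve "$1" "$2"
fi
```

Run it with the package name and the CVE your scanner reported, and attach the printed changelog line to the finding as the evidence that the fix is present. If the entry is missing, check for a pending update before concluding the host is exposed.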
Re: PHP vulnerability.
To piggyback on @benjaminsmith's comment, Nagios doesn't install any specific version of anything. It relies solely on the repositories set up on your machine. So you can really get into trouble if they're not set right. Case in point, one of our customers somehow had 32-bit glibc libraries installed on a 64-bit machine that caused the Nagios XI install (yes, the install!) to fail miserably. Took a long time to track down the fact that they'd copied repos from the vendor to local storage but got the directory structure wrong and were distributing the wrong things to lots of their machines.
So again, repos need to be correct. If you have a repo that has a properly patched PHP in it, then you don't need to worry. However, you may want to "yum upgrade" or "apt-get update && apt-get upgrade" at your leisure to make sure you have the latest of what your system uses.
Last edited by eloyd on Fri Aug 23, 2019 9:19 am, edited 1 time in total.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
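The post above makes the point that the repos themselves have to be right before "yum upgrade" means anything. One quick check worth running on a Nagios XI host is whether any enabled yum/dnf repo would accept unsigned packages. The script below is an added example, not code from the thread or from Nagios: it parses `.repo` files and prints every enabled repo whose `gpgcheck` is not 1. The repo file in `sample_repo_file` (with the `example.invalid` mirror and the hand-copied `local-mirror` repo) is constructed for the demo; when `/etc/yum.repos.d` exists the real files are read instead.

```shell
#!/bin/sh
# Added example: list enabled yum/dnf repos that do not verify package
# signatures. A hand-copied mirror with gpgcheck=0 is exactly the kind of
# repo setup that hands you the wrong packages without any warning.

# Constructed sample repo file, used when /etc/yum.repos.d is not present.
sample_repo_file() {
    cat <<'EOF'
[base]
name=Base
baseurl=http://mirror.example.invalid/base
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[local-mirror]
name=Local mirror copied by hand
baseurl=http://mirror.example.invalid/local
enabled=1
gpgcheck=0

[optional]
name=Disabled repo
baseurl=http://mirror.example.invalid/opt
enabled=0
gpgcheck=0
EOF
}

# Read repo file text on stdin; print the name of each enabled section whose
# gpgcheck is not 1. A missing enabled= defaults to 1 (yum's default) and a
# missing gpgcheck= is treated as 0, i.e. reported, which is the safe reading.
unsigned_enabled_repos() {
    awk '
        function flush() {
            if (name != "" && enabled != "0" && gpgcheck != "1") print name
        }
        /^\[/ {
            flush()
            name = $0; gsub(/[][]/, "", name)
            enabled = "1"; gpgcheck = "0"
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); enabled = kv[2]
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2]); gpgcheck = kv[2]
        }
        END { flush() }
    '
}

# Audit the real repo files when present, otherwise the constructed sample.
audit_repos() {
    if [ -d /etc/yum.repos.d ] && ls /etc/yum.repos.d/*.repo >/dev/null 2>&1; then
        cat /etc/yum.repos.d/*.repo
    else
        sample_repo_file
    fi | unsigned_enabled_repos
}

# Usage: ./audit_repos.sh  (prints one repo name per line; empty output is good)
if [ "$#" -eq 0 ] && [ "${AUDIT_REPOS_RUN:-0}" = "1" ]; then
    audit_repos
fi
```

Anything this prints should either get `gpgcheck=1` plus a `gpgkey=` pointing at the vendor key, or be disabled. A locally mirrored repo is fine as long as it still carries the vendor's signed packages and the client verifies them.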
Re: PHP vulnerability.
@ppalmer, let us know if you have any further questions. Thank you!