Trying to resolve a cross-site vulnerability in NagiosXI v5.7.2-2 that our security scanner picked up on. I don't have much time to fix it.
Looks like Nagios uses several different versions of jquery. Our security scan points out that the jquery version at the following location is vulnerable to a cross-site scripting attack and recommends updating to at least v3.5.0.
http://nagios-server/nagiosxi/includes/ ... 1.2.min.js
The following forum post suggests that there are some jquery versions in "includes/js/jquery" that may not be required for most of NagiosXI's functionality.
https://support.nagios.com/forum/viewto ... 16&t=59326
What is the most expedient way to resolve this? I have just upgraded to XI v5.7.2-2 because I was told that it would resolve the cross-site vulnerability issues our scans were showing. Was this jquery version supposed to be deleted as part of the upgrade?
Here are the jquery versions I found. No idea which ones I need and which ones I don't.
[jquery]# find /usr/local/nagiosxi/html/includes/js/jquery/ -name 'jquery-*'
/usr/local/nagiosxi/html/includes/js/jquery/jquery-3.5.1.min.js
/usr/local/nagiosxi/html/includes/js/jquery/css/smoothness/jquery-ui-1.9.0.custom.min.css
/usr/local/nagiosxi/html/includes/js/jquery/css/smoothness/jquery-ui.custom.min.css
/usr/local/nagiosxi/html/includes/js/jquery/jquery-ui-1.9.0.custom.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-1.12.4.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-migrate-3.0.0.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-ui-1.12.1.custom.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-migrate-1.2.1.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-ui-timepicker-addon.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-1.11.2.min.js
/usr/local/nagiosxi/html/includes/js/jquery/jquery-migrate-1.4.1.min.js
XIv5.7.2 - Jquery version 1.11.2 has cross-site script vuln
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Yes, Nagios XI does utilize some older jQuery versions, but only on the back end. This means that it does not pose a threat of cross site scripting attack.
If you are not planning on generating PDFs with XI, you could remove any jQuery versions older than 3.5.
jquery-3.5.1.min.js and jquery-1.12.4.min.js are the only ones that are absolutely necessary.
To do so, navigate to the directory containing the jQuery:
cd /usr/local/nagiosxi/html/includes/js/jquery/
Then remove the versions that may not be necessary for you (replacing the x in the command with the versions you wish to remove):
rm -f jquery-x.x.x.min.js
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Thanks!
I've now made the file unreadable (chmod a-rwx jquery-1.11.*). This should keep our vulnerability scans from finding it.
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Great! Gotta keep those security guys happy.
Since you've found a resolution, do you mind if I close this thread and lock it for editing?
Thanks for your participation on the Nagios forum.
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Actually, I just found out that removing this old jquery library is insufficient. There are a number of important people who rely on the PDF report functionality.
Do you have any work-arounds available that will restore PDF reporting capabilities until the PDF generator feature is able to use a more up to date version of jquery?
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Unfortunately not. That is the way that function is currently built.
I could request that feature be rewritten to use jQuery version 3.5 or later so that it doesn't turn up on scans.
Again, this function is not outward facing, so it should not pose a threat. I believe your scan is basically returning a false positive. If there were an available exploit, I would ask you to test it against XI to prove that to your security team.
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
Since it is internal, can I adjust the filesystem permissions so that only the nagios user can read the vulnerable jquery library so that it isn't seen by the scans? Will the PDF generator still work even if it can't get to the jquery library through an http:// URL?
Re: XIv5.7.2 - Jquery version 1.11.2 has cross-site script v
You are safe to remove the jquery-1.11.2.min.js file, as XI 5.7.2 does not use jquery-1.11.2.min.js anywhere in the source code anymore; it uses jquery-1.12.4.min.js as long as you're on XI 5.7.2.
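A check that serves both the original question (which of the listed files fall below the scanner's 3.5.0 threshold) and this last reply (whether the install's source still references jquery-1.11.2.min.js): an added POSIX shell script that is not from the thread or from Nagios. It assumes the directory layout shown in the first post; /usr/local/nagiosxi/html as the real web root comes from the thread, the function names (audit, reference_count, version_lt, jquery_version) are the example's own, and the sample tree it builds is constructed from empty files so the script runs offline.

```shell
#!/bin/sh
# Inventory the core jQuery files under a web root, flag those below a minimum
# version (the scanner's threshold in the thread is 3.5.0), and count how many
# PHP/HTML/JS source files under the root reference each one by name.
# Hypothetical helper names; the Nagios XI path is the one quoted in the thread.

# version_lt A B : succeed if dotted version A sorts below B (e.g. 1.11.2 < 3.5.0)
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# jquery_version FILE : print the version embedded in a jquery-X.Y.Z[.min].js
# file name; prints nothing for jquery-ui-*, jquery-migrate-* and other add-ons
jquery_version() {
    basename "$1" | sed -n 's/^jquery-\([0-9][0-9.]*[0-9]\)\(\.min\)\{0,1\}\.js$/\1/p'
}

# reference_count WEBROOT FILE : number of source files under WEBROOT whose
# text contains FILE's base name (the file itself is excluded from the count)
reference_count() {
    name=$(basename "$2")
    grep -rlF --include='*.php' --include='*.html' --include='*.js' --include='*.inc' \
        "$name" "$1" 2>/dev/null | grep -v "/$name\$" | wc -l | tr -d ' '
}

# audit WEBROOT MINVER : one line per core jQuery file:
# "<path> <version> <ok|BELOW_MIN> <reference count>"
audit() {
    find "$1" -name 'jquery-[0-9]*.js' | sort | while read -r f; do
        v=$(jquery_version "$f")
        [ -z "$v" ] && continue
        if version_lt "$v" "$2"; then status=BELOW_MIN; else status=ok; fi
        printf '%s %s %s %s\n' "$f" "$v" "$status" "$(reference_count "$1" "$f")"
    done
}

# build_sample_tree : create a constructed replica of the thread's layout out of
# empty files (sample data, not a real Nagios XI install) and print its root
build_sample_tree() {
    root=$(mktemp -d)
    jq="$root/includes/js/jquery"
    mkdir -p "$jq" "$root/reports"
    for f in jquery-3.5.1.min.js jquery-1.12.4.min.js jquery-1.11.2.min.js \
             jquery-ui-1.12.1.custom.min.js jquery-migrate-1.4.1.min.js; do
        : > "$jq/$f"
    done
    # constructed references: a report page includes 1.12.4, the index includes
    # 3.5.1, and nothing includes 1.11.2 (mirroring the reply above)
    printf '<script src="includes/js/jquery/jquery-1.12.4.min.js"></script>\n' > "$root/reports/pdf.php"
    printf '<script src="includes/js/jquery/jquery-3.5.1.min.js"></script>\n' > "$root/index.php"
    echo "$root"
}

main() {
    root=$(build_sample_tree)
    echo "jQuery inventory under $root (minimum version 3.5.0):"
    audit "$root" 3.5.0
    rm -rf "$root"
}

# Demo against the constructed tree; on a real install run:
#   audit /usr/local/nagiosxi/html 3.5.0
main
```

A file reported as BELOW_MIN with a reference count of 0 is the situation described in the reply above and can be deleted outright; deleting it is what actually resolves the finding, whereas chmod a-rwx only keeps the web server from serving the file and leaves it on disk for any file-based scan to report again.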