required Vulnerability Fix

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
[email protected]
Posts: 66
Joined: Tue Aug 07, 2018 2:24 am

required Vulnerability Fix

Post by [email protected] »

Hi Team,

We are getting a few vulnerability findings on port 443 of Nagios XI:


Nagios XI SQL Injection vulnerability
SSL/TLS use of weak RC4(Arcfour) cipher
SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
SSL Server Has SSLv3 Enabled Vulnerability
SSL/TLS Server supports TLSv1.0
Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
SSL Certificate - Subject Common Name Does Not Match Server FQDN
SSL Certificate - Signature Verification Failed Vulnerability
Sensitive form field has not disabled autocomplete
HTTP Security Header Not Detected
AutoComplete Attribute Not Disabled for Password in Form Based Authentication
Sensitive form field has not disabled autocomplete
TCP Sequence Number Approximation Based Denial of Service

Please suggest how to fix these.

Apache version: Server version: Apache/2.4.6 (CentOS)
Nagios XI version: 5.7.5
dchurch
Posts: 858
Joined: Wed Oct 07, 2020 12:46 pm
Location: Yo mama

Re: required Vulnerability Fix

Post by dchurch »

[email protected] wrote:
    Nagios XI SQL Injection vulnerability

We won't know without more details. This would be on us to fix in our application code.
[email protected] wrote:
    HTTP Security Header Not Detected
    Sensitive form field has not disabled autocomplete
    AutoComplete Attribute Not Disabled for Password in Form Based Authentication

These three are debatable as to whether or not they are actually vulnerabilities. Most sites don't disable autocomplete. (More on the security impact of autocomplete.)

I can submit a change request on your behalf if you'd like. Please keep in mind that the decision to implement the change is at the discretion of our development team.
[email protected] wrote:
    SSL Certificate - Subject Common Name Does Not Match Server FQDN
    SSL Certificate - Signature Verification Failed Vulnerability

These come from your server certificate not being valid. Since we don't supply your cert, that's not something we can fix.
[email protected] wrote:
    SSL/TLS use of weak RC4(Arcfour) cipher
    SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
    SSL Server Has SSLv3 Enabled Vulnerability
    SSL/TLS Server supports TLSv1.0
    Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
    SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
    TCP Sequence Number Approximation Based Denial of Service

The rest of these are likely due to an Apache configuration issue. There are numerous articles out there to guide hardening SSL settings in Apache:
- SSL/TLS Strong Encryption: How-To - Apache's own guide to SSL hardening.
- Qualys SSL tester - Gives you a grade on how secure your SSL settings and ciphers are.

Nagios XI doesn't configure SSL to run on your server due to the complexity of setting it up and getting it working right. AFAIK it doesn't touch your Apache configuration wrt SSL.

Hope this helps.
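As an added illustration of the Apache hardening dchurch points to (not from the thread or from Nagios), here is a mod_ssl fragment that maps the protocol, cipher and header findings in the scan list to the directives that address them. It assumes the CentOS 7 layout (mod_ssl config in /etc/httpd/conf.d/ssl.conf, mod_headers loaded) and the Apache 2.4.6 / OpenSSL 1.0.2 build from the original post; the "before" lines are a constructed example of a default-style config, not the poster's actual file.

```apache
# --- Before (constructed example of an unhardened ssl.conf) ---
# SSLProtocol all -SSLv2          -> SSLv3 and TLSv1.0 still offered (POODLE, BEAST, "supports TLSv1.0")
# SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5   -> still includes RC4 and 3DES (weak RC4, Sweet32)
# (no Header directives)          -> "HTTP Security Header Not Detected"

# --- After: hardened settings ---
<IfModule mod_ssl.c>
    # Offer only TLS 1.2 (and 1.3 if the OpenSSL build supports it).
    # Dropping SSLv3 and TLSv1.0/1.1 removes POODLE, BEAST and the
    # "SSLv3 enabled" / "supports TLSv1.0" findings at the protocol level.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Server picks the cipher, so a client cannot steer the handshake
    # to a weaker suite that is still in the list.
    SSLHonorCipherOrder on

    # Forward-secret AEAD suites only. The explicit exclusions remove
    # RC4 (weak stream cipher) and 3DES/DES (64-bit block size, Sweet32),
    # plus anonymous, null, MD5 and export-grade suites.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!RC4:!3DES:!DES:!MD5:!EXPORT

    # TLS compression is another CBC-era information leak; keep it off.
    SSLCompression off
</IfModule>

<IfModule mod_headers.c>
    # Security headers the scanner looks for. HSTS only makes sense once the
    # certificate matches the FQDN the clients use (see the cert findings).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

Validate with `apachectl configtest` before restarting httpd, then re-run the scanner or the Qualys SSL tester linked above; the certificate CN/signature findings and the TCP sequence-number finding are outside mod_ssl's scope and are not changed by this fragment.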
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: required Vulnerability Fix

Post by benjaminsmith »

Hi [email protected],

I see you have an open ticket for this issue in our ticketing system, so I will be closing this thread. In the future, please open only one forum post or ticket per issue so we can best focus our efforts. Thank you!