Nagios XI log4 native use?

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mrjsokol
Posts: 109
Joined: Thu Apr 16, 2020 10:27 am

Nagios XI log4 native use?

Post by mrjsokol »

Good morning,

Is the Nagios XI product natively integrated with Log4, as there is an active exploit in the wild being used? I could not find any evidence that we had seen integration to this product, but our security team would like confirmation from the Nagios team.

Thank you,
Joseph S.
rbernaert
Posts: 2
Joined: Thu Jun 03, 2021 7:05 am

Re: Nagios XI log4 native use?

Post by rbernaert »

Would like to know also
steph007
Posts: 143
Joined: Mon Jul 24, 2017 12:00 pm

Re: Nagios XI log4 native use?

Post by steph007 »

I have the same question
TethiS
Posts: 32
Joined: Tue Aug 04, 2020 9:37 am
Location: Bucharest

Re: Nagios XI log4 native use?

Post by TethiS »

Hi,

I get the same question from the customers. It would help to know if the products are impacted and if there's a patch to apply.

Thanks!
vrtwente
Posts: 1
Joined: Wed Sep 03, 2014 6:52 am

Re: Nagios XI log4 native use?

Post by vrtwente »

Same here, when I run a detection script, it states that package liblog-log4perl-perl 1.50-1 should be checked.
veehexx
Posts: 43
Joined: Mon Jan 09, 2017 9:17 am

Re: Nagios XI log4 native use?

Post by veehexx »

Can't say I'm familiar with the CVE to know 100%, but from what I can tell, it's a simple case of updating your log4j package to >=2.15.0.

My Nagios server (pre-built Hyper-V VM image, IIRC) doesn't have log4j installed via yum, so based on that, I'm in the clear.

yum list installed | grep -i log4j
Would definitely be nice to get the devs' input to be 100%.
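A package-manager query such as the one in the post above only reports log4j when it was installed as an OS package; a copy bundled inside an application's JAR or WAR does not appear there. The following is an added example, not part of the thread and not Nagios code: it walks a directory tree and looks inside archives for log4j-core 2.x by its Maven metadata and its `JndiLookup` class. The function names and the sample archive are constructed for illustration, and the default threshold is the version quoted in the post, so set it to whatever the current vendor advisory requires.

```python
import io, os, re, zipfile

# Entries that identify log4j-core 2.x inside an archive.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def inspect_archive(source, label, depth=0):
    """Return [(label, version, has_jndi_lookup)] for each log4j-core copy found,
    descending into nested archives (fat JARs, WAR/EAR lib directories)."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not a ZIP: nothing to report
    hits = []
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            m = re.search(r"^version=(\S+)", props, re.M)
            hits.append((label, m.group(1) if m else None, JNDI in names))
        for name in sorted(names):
            if depth < 3 and name.lower().endswith(ARCHIVES):
                hits += inspect_archive(io.BytesIO(zf.read(name)), f"{label}!{name}", depth + 1)
    return hits

def below_minimum(version, minimum="2.15.0"):
    """True when the version is unknown or lower than `minimum`."""
    def parse(v):
        m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v or "")
        return tuple(int(x or 0) for x in m.groups()) if m else None
    return parse(version) is None or parse(version) < parse(minimum)

def scan_tree(root):
    """Inspect every JAR/WAR/EAR below root, whether or not a package owns it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in sorted(files)]
    return [hit for p in paths if p.lower().endswith(ARCHIVES) for hit in inspect_archive(p, p)]

# Helper for the constructed sample: in-memory archive from {name: bytes}.
def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a WAR bundling a log4j-core JAR that yum would never list.
SAMPLE_WAR = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar":
                       make_jar({POM: b"version=2.14.1\n", JNDI: b""})})
```

Call `scan_tree("/")` (or a narrower application directory) as a user able to read the files, and pass each reported version to `below_minimum`.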
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Nagios XI log4 native use?

Post by benjaminsmith »

Hi Joseph,
> Is the Nagios XI product natively integrated with Log4, as there is an active exploit in the wild being used? I could not find any evidence that we had seen integration to this product, but our security team would like confirmation from the Nagios team.

Thanks for reaching out on this issue. It's a Java application and on a clean, default installation of Nagios XI, we would not have any Java-based packages installed in Nagios XI.

Here is my reply from an earlier thread with more information that references all of our products.

Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.

We have updated our company blog with important information on this issue.

https://www.nagios.com/news/2021/12/upd ... erability/

While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products, they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.

Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments, care should be taken to limit the exposure of systems to trusted entities.

As always, we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.

https://www.nagios.com/products/security/

Regards,
Benjamin