Hi,
I've been asked to find out if Nagios XI is affected by CVE-2021-44228?
Thanks,
Andy
Apache Log4J - CVE-2021-44228
-
- Posts: 121
- Joined: Tue Jan 30, 2018 3:29 am
- Location: UK
Re: Apache Log4J - CVE-2021-44228
I would also like to know the answer to this!
Re: Apache Log4J - CVE-2021-44228
Me too.
Our RHEL server running nagios does not have any log4j packages installed, so unless it is bundled deep within the nagios executables it looks ok.
Log4j is a Java system and Nagios is based on PHP so from that I'm also assuming it is ok. It would be good to have official confirmation and we can all tick it off as one less thing to worry about.
-
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Apache Log4J - CVE-2021-44228
Hi,
That is correct, it's Java based and Nagios XI does not use Java by default. We recommend reviewing your systems for any Java based integrations or other software that may utilize this package.
We have an update on our company website regarding the vulnerability. More information at:
https://www.nagios.com/news/2021/12/upd ... erability/
--Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: Apache Log4J - CVE-2021-44228
@benjaminsmith, the link you posted is not accessible.
Could you please check?
Michael
Re: Apache Log4J - CVE-2021-44228
Hi Michael,
My apologies, here's the link again.
https://www.nagios.com/news/2021/12/upd ... erability/
And here's the post.
As always, our cybersecurity, development, and testing teams here at Nagios are constantly investigating every potential and credible threat to our software. We are aware of and closely monitoring the current Apache Log4j exploit.
Currently we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228. While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components, and includes plugins for receiving Log4j data, we don’t believe the product is vulnerable at this time.
At this time, we have not discovered any impact to Nagios XI and Nagios Network Analyzer. We are verifying whether there is any impact to Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.
If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check back here for updates. If you aren’t currently following us on Twitter, Facebook, or LinkedIn, you can follow us and get real-time updates if there is any new information to share.
In the meantime, we want to remind you that it has always been and continues to be important to not expose your instances of any of our products to the world wide web. Maintaining proper network security protocols will drastically reduce your vulnerabilities to security exploits. For more information on how to approach network security, see our article, 6 Cybersecurity Questions to Answer Before You Open Ports to the Public.
Regards,
Benjamin