Apache Log4J - CVE-2021-44228

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
andyb4u
Posts: 114
Joined: Tue Aug 15, 2017 1:58 am

Apache Log4J - CVE-2021-44228

Post by andyb4u »

Hi,

I've been asked to find out if Nagios XI is affected by CVE-2021-44228?


Thanks,
Andy
danniiffxi
Posts: 121
Joined: Tue Jan 30, 2018 3:29 am
Location: UK

Re: Apache Log4J - CVE-2021-44228

Post by danniiffxi »

I would also like to know the answer to this!
vconnected
Posts: 7
Joined: Tue May 19, 2015 8:18 am

Re: Apache Log4J - CVE-2021-44228

Post by vconnected »

Me too!
davehkent
Posts: 7
Joined: Wed Jul 06, 2016 8:28 am

Re: Apache Log4J - CVE-2021-44228

Post by davehkent »

Me too.

Our RHEL server running Nagios does not have any log4j packages installed, so unless it is bundled deep within the Nagios executables it looks ok.

Log4j is a Java system and Nagios is based on PHP so from that I'm also assuming it is ok. It would be good to have official confirmation and we can all tick it off as one less thing to worry about.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Apache Log4J - CVE-2021-44228

Post by benjaminsmith »

Hi,
"Log4j is a Java system and Nagios is based on PHP so from that I'm also assuming it is ok. It would be good to have official confirmation and we can all tick it off as one less thing to worry about."

That is correct, it's Java-based and Nagios XI does not use Java by default. We recommend reviewing your systems for any Java-based integrations or other software that may utilize this package.

We have an update on our company website regarding the vulnerability. More information at:

https://www.nagios.com/news/2021/12/upd ... erability/

--Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
mdernbach
Posts: 1
Joined: Wed Aug 29, 2018 6:30 am

Re: Apache Log4J - CVE-2021-44228

Post by mdernbach »

@benjaminsmith, the link you posted is not accessible.
Could you please check?

Michael
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: Apache Log4J - CVE-2021-44228

Post by benjaminsmith »

Hi Michael,

My apologies, here's the link again.
https://www.nagios.com/news/2021/12/upd ... erability/

And here's the post.
As always, our cybersecurity, development, and testing teams here at Nagios are constantly investigating every potential and credible threat to our software. We are aware of and closely monitoring the current Apache Log4j exploit.

Currently we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228. While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components, and includes plugins for receiving Log4j data, we don’t believe the product is vulnerable at this time.

At this time, we have not discovered any impact to Nagios XI and Nagios Network Analyzer. We are verifying whether there is any impact to Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check back here for updates. If you aren’t currently following us on Twitter, Facebook, or LinkedIn, you can follow us and get real-time updates if there is any new information to share.

In the meantime, we want to remind you that it has always been and continues to be important to not expose your instances of any of our products to the world wide web. Maintaining proper network security protocols will drastically reduce your vulnerabilities to security exploits. For more information on how to approach network security, see our article, 6 Cybersecurity Questions to Answer Before You Open Ports to the Public.
Regards,
Benjamin