CVE-2021-44228

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
daniel.ledford
Posts: 19
Joined: Wed Jan 20, 2016 9:03 am

Re: CVE-2021-44228

Post by daniel.ledford »

I would also like to know.
Thanks
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: CVE-2021-44228

Post by benjaminsmith »

Hi,

Thanks for reaching out on this important issue.

Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.

We have updated our company blog with important information on this issue.

https://www.nagios.com/news/2021/12/upd ... erability/

While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products, they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.

Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments, care should be taken to limit the exposure of systems to trusted entities.

As always, we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.

https://www.nagios.com/products/security

Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
vconnected
Posts: 7
Joined: Tue May 19, 2015 8:18 am

Re: CVE-2021-44228

Post by vconnected »

Three days ago Nagios stated that they are verifying whether there is any impact to Nagios Log Server.
A quick search in the file system indicates use of at least Log4j versions 2.0.7, 2.15 and 2.17.

Is there any definite answer yet to the question whether Nagios Log Server is vulnerable?
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: CVE-2021-44228

Post by benjaminsmith »

Hi,

NLS does use log4j, but it uses an older version that is not impacted: 1.2.17.jar.

Do you have any other applications installed on this server?

--Benjamin
vconnected
Posts: 7
Joined: Tue May 19, 2015 8:18 am

Re: CVE-2021-44228

Post by vconnected »

We took the OVF from the Nagios website https://www.nagios.com/downloads/nagios ... er/vmware/
There are more Log4j versions found than just 2.17.
A bit hard to read, but I see 2.0.7 used for something called logstash-input.

[root@nagiosls /]# find / -name '*log4j*'

/usr/local/nagioslogserver/elasticsearch/lib/apache-log4j-extras-1.2.17.jar
/usr/local/nagioslogserver/elasticsearch/lib/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-jms-1.2.0-java/test/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch_java-2.1.3/vendor/jar-dependencies/runtime-jars/apache-log4j-extras-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch_java-2.1.3/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/zk-1.9.6/spec/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/logstash-input-log4j.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/lib/logstash/inputs/log4j.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/lib/logstash-input-log4j_jars.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/org/slf4j/slf4j-log4j12
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/org/slf4j/slf4j-log4j12/1.7.13/slf4j-log4j12-1.7.13.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/zookeeper-1.4.11-java/spec/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/log4j.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j-1.2.15.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/specifications/slyphon-log4j-1.2.15.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/specifications/logstash-input-log4j-2.0.7-java.gemspec
swolf
Developer
Posts: 294
Joined: Tue Jun 06, 2017 9:48 am

Re: CVE-2021-44228

Post by swolf »

vconnected wrote:
We took the OVF from the Nagios website https://www.nagios.com/downloads/nagios ... er/vmware/
There are more Log4j versions found than just 2.17
A bit hard to read, but I see 2.0.7 used for something called logstash-input.
Hello,

Developer here, just looking to get this straightened out. First, as Ben pointed out, we're using log4j 1.2.17 (not 2.17) as part of elasticsearch. That version is not vulnerable to the Log4Shell CVE.

The "2.0.7" you're seeing is a logstash input, used to read log4j logs and transfer them into elasticsearch. That code is maintained by a different organization and is also not vulnerable.

Please let us know if you have any further concerns.
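The listing vconnected posted and swolf's explanation of it make the same point: a `find` for `*log4j*` mixes log4j 1.x jars, plugin gem directories whose version number belongs to the plugin (logstash-input-log4j-2.0.7) rather than to log4j, and, on other systems, log4j 2.x jars that may fall in the CVE-2021-44228 range. The POSIX shell script below is an added example, not code from the thread or from Nagios; it classifies such paths and flags 2.x jars in the affected range. The sample paths are a subset of the posted listing plus one constructed `/opt/hypothetical/...` path that stands in for a log4j 2.x deployment; the `jar_has_jndilookup` helper assumes `unzip` is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios): classify paths returned
# by `find / -name '*log4j*'` and flag log4j 2.x jars in the CVE-2021-44228
# range (2.x below 2.15.0, except the 2.12.2 and 2.3.1 backport releases).

# Constructed sample: lines from the listing posted in the thread plus one
# hypothetical log4j 2.x jar (/opt/hypothetical/...) to exercise the flag.
SAMPLE_PATHS='/usr/local/nagioslogserver/elasticsearch/lib/log4j-1.2.17.jar
/usr/local/nagioslogserver/elasticsearch/lib/apache-log4j-extras-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/logstash-input-log4j.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j-1.2.15.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/zk-1.9.6/spec/log4j.properties
/opt/hypothetical/lib/log4j-core-2.14.1.jar'

# classify_path PATH: prints "<kind> <version>", kind being log4j1-jar,
# log4j2-jar, plugin-gem or other. Jar names are checked first, so the
# log4j-1.2.17.jar bundled inside the 2.0.7 plugin gem is reported as 1.x.
# Pre-release tags such as 2.0-beta9 are not parsed and come out as "other".
classify_path() {
    cp_base=${1##*/}
    case "$cp_base" in
        log4j-*.jar|apache-log4j-*.jar)
            cp_ver=$(printf '%s\n' "$cp_base" | sed -n 's/.*-\([0-9][0-9.]*\)\.jar$/\1/p')
            case "$cp_ver" in
                1.*) printf 'log4j1-jar %s\n' "$cp_ver" ;;
                2.*) printf 'log4j2-jar %s\n' "$cp_ver" ;;
                *)   printf 'other -\n' ;;
            esac ;;
        *)
            case "$1" in
                */logstash-input-log4j-*)
                    # The version here is the logstash plugin's, not log4j's.
                    cp_ver=$(printf '%s\n' "$1" | sed -n 's|.*/logstash-input-log4j-\([0-9][0-9.]*\)-java.*|\1|p')
                    printf 'plugin-gem %s\n' "$cp_ver" ;;
                *) printf 'other -\n' ;;
            esac ;;
    esac
}

# log4j2_in_cve_range VERSION: returns 0 (true) when a log4j 2.x release
# version is one CVE-2021-44228 applies to.
log4j2_in_cve_range() {
    lr_oldifs=$IFS; IFS=.
    set -- $1
    IFS=$lr_oldifs
    lr_major=$1; lr_minor=${2:-0}; lr_patch=${3:-0}
    [ "$lr_major" -eq 2 ] || return 1
    [ "$lr_minor" -lt 15 ] || return 1
    if [ "$lr_minor" -eq 12 ] && [ "$lr_patch" -ge 2 ]; then return 1; fi
    if [ "$lr_minor" -eq 3 ] && [ "$lr_patch" -ge 1 ]; then return 1; fi
    return 0
}

# count_cve_range_jars PATHS: prints how many of the newline-separated PATHS
# are log4j 2.x jars in the CVE range (a here-document avoids the subshell a
# pipeline into `while` would create, so the counter survives the loop).
count_cve_range_jars() {
    ccr_hits=0
    while IFS= read -r ccr_path; do
        ccr_cls=$(classify_path "$ccr_path")
        ccr_kind=${ccr_cls%% *}
        ccr_ver=${ccr_cls#* }
        if [ "$ccr_kind" = log4j2-jar ] && log4j2_in_cve_range "$ccr_ver"; then
            ccr_hits=$((ccr_hits + 1))
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$ccr_hits"
}

# jar_has_jndilookup JAR: returns 0 when the jar still ships JndiLookup.class,
# the class the Log4Shell mitigations remove. Assumes `unzip` is available;
# not exercised by the sample above, which holds no real jar.
jar_has_jndilookup() {
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# Stand-alone run: one classified line per sample path, then the count.
printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
    printf '%-18s %s\n' "$(classify_path "$p")" "$p"
done
printf 'log4j 2.x jars in CVE-2021-44228 range: %s\n' "$(count_cve_range_jars "$SAMPLE_PATHS")"
```

To run it over a real host, feed the `find` output in instead of the constructed sample, quoting the glob so the shell does not expand it in the current directory: `count_cve_range_jars "$(find / -name '*log4j*' 2>/dev/null)"`. On the listing posted in the thread every jar classifies as 1.x and the 2.0.7 entries as the plugin gem, which is what swolf's reply describes.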
CBoekhuis
Posts: 212
Joined: Tue Aug 16, 2011 4:55 am

Re: CVE-2021-44228

Post by CBoekhuis »

Hi swolf,

Thanks for your update on this matter, and good to hear that you're confident that NLS is not affected by the log4j issue.
However, is it possible to update the page https://www.nagios.com/news/2021/12/upd ... erability/ where Nagios makes a statement that NLS is not affected? At this moment the page has not been updated since 13 December and it still contains the following:
We are verifying whether there is any impact to Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.
It would really help us if Nagios makes an official statement whether NLS is affected or not, so we can relay the information back to our managers, CEOs or whoever. In the end, we as administrators would like to cross off at least this one from our massive list of applications.

Sincerely yours,
Hans Blom.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: CVE-2021-44228

Post by benjaminsmith »

Hi Hans,

Appreciate your feedback on this. I'm working with our internal teams here on an update to that information.

--Benjamin