Nagios Support Forum

I would also like to know as well.
Thanks

Hi,

Thanks for reaching out on this important issue.

Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.

We have updated our company blog with important information on this issue.

https://www.nagios.com/news/2021/12/upd ... erability/

While Nagios Core, NagiosXI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.

Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments care should be taken to limit the exposure of systems to trusted entities.

As always we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.

https://www.nagios.com/products/security

Regards,
Benjamin

Three days ago Nagios stated that they are verifying whether there is any impact to Nagios Log Server.
A quick search in the file system indicates use of at least Log4j versions 2.0.7, 2.15 and 2.17.

Is there any definite answer yet to the question is Nagios Log Server is vulnerable?

Hi,

NLS does use log4j but it uses an older version that is not impacted - 1.2.17.jar.

Do you have any other applications installed on this server?

--Benjamin

We took the OVF from the Nagios website https://www.nagios.com/downloads/nagios ... er/vmware/
There are more Log4j versions found than just 2.17
A bit hard to read, but I see 2.0.7 used for something called logstash-input.

vconnected wrote:We took the OVF from the Nagios website https://www.nagios.com/downloads/nagios ... er/vmware/
There are more Log4j versions found than just 2.17
A bit hard to read, but I see 2.0.7 used for something called logstash-input.

Code: Select all

[root@nagiosls /]# find / -name *log4j*

/usr/local/nagioslogserver/elasticsearch/lib/apache-log4j-extras-1.2.17.jar
/usr/local/nagioslogserver/elasticsearch/lib/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-jms-1.2.0-java/test/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch_java-2.1.3/vendor/jar-dependencies/runtime-jars/apache-log4j-extras-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch_java-2.1.3/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.14-java/vendor/jar-dependencies/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/zk-1.9.6/spec/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/logstash-input-log4j.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/vendor/jar-dependencies/runtime-jars/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/lib/logstash/inputs/log4j.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-log4j-2.0.7-java/lib/logstash-input-log4j_jars.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/org/slf4j/slf4j-log4j12
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/org/slf4j/slf4j-log4j12/1.7.13/slf4j-log4j12-1.7.13.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-kafka-1.5.0-java/lib/log4j/log4j/1.2.17/log4j-1.2.17.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/zookeeper-1.4.11-java/spec/log4j.properties
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/log4j.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j-1.2.15.jar
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j.rb
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/slyphon-log4j-1.2.15/lib/log4j
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/specifications/slyphon-log4j-1.2.15.gemspec
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/specifications/logstash-input-log4j-2.0.7-java.gemspec

Hello,

Developer here, just looking to get this straightened out. First, as Ben pointed out, we're using log4j 1.2.17 (not 2.17) as part of elasticsearch. That version is not vulnerable to the log4shell CVE.

The "2.0.7" you're seeing is a logstash input, used to read log4j logs and transfer them into elasticsearch. That code is maintained by a different organization and is also not vulnerable.

Please let us know if you have any further concerns.

Hi swolf,

thanks for your update on this matter and good to hear that you're confident that NLS is not affected by the log4j issue.
However, is it possible to update the page https://www.nagios.com/news/2021/12/upd ... erability/ where Nagios makes a statement that NLS is not affected? At this moment the page has not been updated since 13-December and it still contains the following:

We are verifying whether there is any impact to Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.

It would really helps us if Nagios makes an official statement whether NLS is affected or not so we can relay the information back to our managers, CEO's or what ever. In the end we as administrators would like to cross off at least this one from our massive list of applications.

sincerely yours,
Hans Blom.

Hi Hans,

Appreciate your feedback on this. I'm working with our internal teams here with an update on that information.

--Benjamin