NRPE vulnerability

Posted: Tue Dec 16, 2014 4:54 am
by kolio
Hi,

There is a vulnerability discovered in April that is valid for nrpe <= 2.15: http://seclists.org/fulldisclosure/2014/Apr/240. But there has been no release since 2013. Are there any plans to release a patch soon?

Best regards,
Nikolay

Re: NRPE vulnerability

Posted: Tue Dec 16, 2014 10:30 am
by tmcdonald
That vulnerability only affects systems in which NRPE is specifically allowed to execute commands with arbitrary arguments by enabling the "dont_blame_nrpe" flag in the configs. If those are not enabled then the system will not be vulnerable. As for a fix to those systems that do have arbitrary commands allowed, I do not have a specific timeline. The solution for now is to hard-code the commands or use another of our agents like NCPA.
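A small audit script for the condition described in the reply above, added here as an example (it is not code from the thread or from the NRPE project): it parses an nrpe.cfg and reports whether `dont_blame_nrpe` is enabled together with command definitions that take `$ARGn$` arguments, which is the combination the reply says is exposed. The two config fragments are constructed, and the script assumes the standard `command[name]=...` line syntax.

```python
import re

# Constructed nrpe.cfg fragments (not from the thread): the risky setting,
# and the hardened equivalent with arguments hard-coded as the reply suggests.
WEAK_CFG = """\
# nrpe.cfg (constructed example)
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=1
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""

HARDENED_CFG = """\
# nrpe.cfg (constructed example)
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=0
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""

ARG_MACRO = re.compile(r"\$ARG\d+\$")
COMMAND_LINE = re.compile(r"^command\[([^\]]+)\]=(.*)$")


def audit_nrpe_cfg(text):
    """Return (dont_blame_enabled, [names of commands that use $ARGn$]).

    The two findings only matter together: argument-taking commands are inert
    unless dont_blame_nrpe=1 lets the check_nrpe client supply the arguments.
    """
    dont_blame = False
    arg_commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "dont_blame_nrpe":
            dont_blame = value.strip() == "1"
            continue
        m = COMMAND_LINE.match(line)
        if m and ARG_MACRO.search(m.group(2)):
            arg_commands.append(m.group(1))
    return dont_blame, arg_commands


def is_exposed(text):
    """True when the config accepts client-supplied command arguments."""
    dont_blame, arg_commands = audit_nrpe_cfg(text)
    return dont_blame and bool(arg_commands)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_nrpe_cfg(cfg), "exposed" if is_exposed(cfg) else "ok")
```

Running it against a real nrpe.cfg on each monitored host gives a quick inventory of which agents still rely on argument passing and therefore need their commands hard-coded.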