Reported Nagios exploit: CVE-2016-9565
Posted: Thu Dec 15, 2016 12:24 pm
by jwelch
Has anyone heard of this exploit? Our Security team emailed me about it, but I'm having trouble getting credible information on it.
I looked in the XI release notes, but it doesn't look like CVEs are listed in the release notes.
This is what I found via Google:
http://www.cve.mitre.org/cgi-bin/cvenam ... -2016-9565
https://legalhackers.com/advisories/Nag ... -4796.html
Re: Reported Nagios exploit: CVE-2016-9565
Posted: Thu Dec 15, 2016 12:41 pm
by dwhitfield
4.2.2 - 2016-10-24
------------------
SECURITY FIXES
* There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on
August 1, 2016. The fix was apparently incomplete, as there was still a
problem. However, we are now getting all RSS feeds using AJAX calls
instead of the (outdated) MagpieRSS package. Thanks for bringing this to
our attention go to Dawid Golunski (http://legalhackers.com).
From
https://github.com/NagiosEnterprises/na ... /Changelog
You'll see that the 2008 CVE is mentioned in the legalhackers.com post to which you linked. My apologies for the ambiguous changelog.
Core will be getting an update in 5.4:
https://www.nagios.com/roadmaps/
The upgrades of Core from within XI are not straightforward and are unsupported. They are known to be particularly difficult on Cent 6. Cent 7 works better, but again, the upgrade is unsupported.
If waiting until 5.4 is not going to work for you, we can further discuss options.
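The check a reader in jwelch's position would want after this reply: take the installed Core version from `nagios -V` and compare it against the Changelog entry that names the CVE. The script below is an added example, not Nagios code; the Changelog text is the excerpt quoted above, the `nagios -V` output is a constructed sample, and the binary path in the comment is an assumption. It also shows why the search for CVE-2016-9565 came up empty: the Changelog names only the 2008 CVE, so a lookup for the 2016 identifier yields no decision at all.

```python
"""Compare an installed Nagios Core version with the Changelog entry that
fixes a given CVE.  Added example (not Nagios's own code)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample of `/usr/local/nagios/bin/nagios -V` output.  The
# binary path is an assumption; adjust it for your install.
SAMPLE_NAGIOS_V = """Nagios Core 4.2.0
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
License: GPL
"""

# Changelog excerpt exactly as quoted in the thread: a "version - date"
# header, a dashed underline, section headings and "* " bullets.
CHANGELOG_EXCERPT = """4.2.2 - 2016-10-24
------------------
SECURITY FIXES
* There was a fix to vulnerability CVE-2008-4796 in the 4.2.0 release on
  August 1, 2016. The fix was apparently incomplete, as there was still a
  problem. However, we are now getting all RSS feeds using AJAX calls
  instead of the (outdated) MagpieRSS package. Thanks for bringing this to
  our attention go to Dawid Golunski (http://legalhackers.com).
"""

# Only a release header ("4.2.2 - 2016-10-24") starts a new entry; a version
# mentioned inside bullet text ("in the 4.2.0 release") must not.
ENTRY_HEADER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\s+-\s+\d{4}-\d{2}-\d{2}\s*$")
NAGIOS_V_RE = re.compile(r"Nagios Core (\d+)\.(\d+)\.(\d+)")


def parse_version(nagios_v_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `nagios -V` output."""
    m = NAGIOS_V_RE.search(nagios_v_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def fix_versions_for(changelog: str, cve: str) -> List[Version]:
    """Return, ascending, every release whose Changelog entry names `cve`."""
    current: Optional[Version] = None
    found = set()
    for line in changelog.splitlines():
        m = ENTRY_HEADER_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            continue
        if current is not None and cve in line:
            found.add(current)
    return sorted(found)


def earliest_fix(changelog: str, cve: str) -> Optional[Version]:
    """Lowest release that mentions `cve`, or None if the Changelog never does."""
    versions = fix_versions_for(changelog, cve)
    return versions[0] if versions else None


def is_patched(installed: Version, changelog: str, cve: str) -> Optional[bool]:
    """True/False when the Changelog names the CVE; None when it does not,
    so the caller knows the Changelog cannot answer the question."""
    fix = earliest_fix(changelog, cve)
    if fix is None:
        return None
    return installed >= fix


if __name__ == "__main__":
    installed = parse_version(SAMPLE_NAGIOS_V)
    print("installed Core:", installed)
    for cve in ("CVE-2008-4796", "CVE-2016-9565"):
        verdict = is_patched(installed, CHANGELOG_EXCERPT, cve)
        fix = earliest_fix(CHANGELOG_EXCERPT, cve)
        print(cve, "->", "not named in Changelog" if verdict is None
              else ("patched" if verdict else "vulnerable") + f" (fixed in {fix})")
```

Run it against the real output of your own `nagios -V` and the full Changelog from the GitHub link above; a `None` verdict means you have to read the advisory, as dwhitfield did, to learn which CVE the entry actually covers.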
Re: Reported Nagios exploit: CVE-2016-9565
Posted: Wed Jan 04, 2017 12:43 pm
by jwelch
Updated to 5.4.0.
I assume that the issue is resolved.
Thanks.
Re: Reported Nagios exploit: CVE-2016-9565
Posted: Wed Jan 04, 2017 12:47 pm
by dwhitfield
Indeed. Ready to lock it up?
Re: Reported Nagios exploit: CVE-2016-9565
Posted: Wed Jan 04, 2017 1:36 pm
by jwelch
yes