Vulnerabilities detected

Posted: Tue Jun 20, 2017 8:08 am
by castroi
Hello,

We have the latest Nagios XI 5.4.5 running on Red Hat Enterprise Linux Server release 7.3 (Maipo).
Our security team reported the following result of potential vulnerabilities:

"OpenSSL Weak RSA Key Exchange Vulnerability"
"OpenSSL BASE64 Decode Interger Underflow Vulnerability"
"OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20150319)"
"Potential Vulnerability - level 4 123407 OpenSSL Weak RSA Key Exchange Vulnerability"
"OpenSSL BASE64 Decode Interger Underflow Vulnerability"
"OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20150319)"
"OpenSSL Diffie-Hellman Weak Encryption Vulnerability (Logjam)"
"OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20160128)"
"PHP Prior to 5.4.32/5.5.16 Multiple Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities (GHOST)"
"PHP Prior to 5.6.8/5.5.24/5.4.40 Multiple Remote Code Execution Vulnerabilities"
"PHP Versions Prior to 5.6.9/5.5.25/5.4.41 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.10/5.5.26/5.4.42 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.2/5.5.18/5.4.34 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.7/5.5.23/5.4.39 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.12/5.5.28/5.4.44 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.13/5.5.29/5.4.45 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.10 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities"
"PHP Prior to 5.4.32/5.5.16 Multiple Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities (GHOST)"
"PHP Prior to 5.6.8/5.5.24/5.4.40 Multiple Remote Code Execution Vulnerabilities"
"PHP Versions Prior to 5.6.9/5.5.25/5.4.41 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.10/5.5.26/5.4.42 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.2/5.5.18/5.4.34 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.7/5.5.23/5.4.39 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.12/5.5.28/5.4.44 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.13/5.5.29/5.4.45 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.10 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities"
"OpenSSL Diffie-Hellman Weak Encryption Vulnerability (Logjam)"
"OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20160128)"
"PHP Prior to 5.4.32/5.5.16 Multiple Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities (GHOST)"
"PHP Prior to 5.6.8/5.5.24/5.4.40 Multiple Remote Code Execution Vulnerabilities"
"PHP Versions Prior to 5.6.9/5.5.25/5.4.41 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.10/5.5.26/5.4.42 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.2/5.5.18/5.4.34 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.7/5.5.23/5.4.39 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.12/5.5.28/5.4.44 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.13/5.5.29/5.4.45 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.10 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities"
"PHP Prior to 5.4.32/5.5.16 Multiple Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities"
"PHP Multiple Remote Code Execution Vulnerabilities (GHOST)"
"PHP Prior to 5.6.8/5.5.24/5.4.40 Multiple Remote Code Execution Vulnerabilities"
"PHP Versions Prior to 5.6.9/5.5.25/5.4.41 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.10/5.5.26/5.4.42 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.2/5.5.18/5.4.34 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.7/5.5.23/5.4.39 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.12/5.5.28/5.4.44 Multiple Vulnerabilities"
"PHP Versions Prior to 5.6.13/5.5.29/5.4.45 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.10 Multiple Vulnerabilities"
"Apache HTTP Server Prior to 2.4.12 Multiple Vulnerabilities"

I noticed that the PHP version which is deployed using the Nagios XI install script is 5.4.16.

[lxadmin@ymq-lpnagapp1 lxadmin]$ php -v
PHP 5.4.16 (cli) (built: Aug 5 2016 07:50:38)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
[lxadmin@ymq-lpnagapp1 castroi]$

Could you please assess the potential vulnerabilities?

Thank you,

Re: Vulnerabilities detected

Posted: Tue Jun 20, 2017 9:23 am
by scottwilkerson
The PHP version is what is in the base repositories. These usually stay static as far as minor release but have security vulnerabilities patched by package maintainers.
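
One way to check the backporting described above, as an added example that is not part of the original post: look for each CVE ID behind a scanner finding in the package's RPM changelog. The changelog sample, release strings and CVE IDs below are constructed placeholders; `cve_status` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report which CVE IDs are mentioned in RPM changelog text,
# and in which package release the fix was recorded.

# Constructed sample in the layout printed by `rpm -q --changelog <pkg>`.
# Releases and CVE IDs are placeholders, not real advisories.
sample_changelog() {
cat <<'EOF'
* Fri Aug 05 2016 Packager Name <packager@example.com> - 5.4.16-2.example
- fix placeholder issue CVE-0000-0001 in the request handler

* Thu Jun 23 2016 Packager Name <packager@example.com> - 5.4.16-1.example
- gd: fix integer overflow CVE-0000-0002
- fix segfault, no CVE assigned
EOF
}

# cve_status CHANGELOG_TEXT CVE...
# Prints "<CVE> backported-in <version-release>" or "<CVE> not-in-changelog".
cve_status() {
  changelog=$1
  shift
  for cve in "$@"; do
    printf '%s\n' "$changelog" | awk -v cve="$cve" '
      # Entry header line: the last field is the version-release.
      /^\* / { rel = $NF }
      # Match the ID only when it is not followed by another digit,
      # so CVE-0000-0001 does not match CVE-0000-00011.
      !found && $0 ~ (cve "([^0-9]|$)") {
        print cve, "backported-in", rel
        found = 1
      }
      END { if (!found) print cve, "not-in-changelog" }'
  done
}

# Demo on the constructed sample. On a live host the first argument
# would be "$(rpm -q --changelog php)" (or httpd, openssl).
cve_status "$(sample_changelog)" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003
```

A `not-in-changelog` result is not proof that the package is vulnerable; the distribution's own CVE database remains the authoritative source for whether a fix applies to that release.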

Re: Vulnerabilities detected

Posted: Tue Jun 20, 2017 9:30 am
by tmcdonald
None of those seem to be related to the Nagios software itself, but rather to the PHP and Apache versions, and the strength of the SSL certificate in place. As of XI 5.4.5, the supported versions are PHP 7.0 and Apache 2.4. The SSL certificate you will need to do some research on according to your organization's needs, but this article is pretty comprehensive: https://github.com/ssllabs/research/wik ... -Practices

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 4:39 pm
by castroi
Hello,

I have upgraded to php 7 as mentioned to remove the vulnerabilities but Nagios XI stopped working.
I have added ixed.7.1.lin as displayed in directory mentioned.

[castroi@ymq-lpnagapp1 ~]$ sudo cat /etc/php.ini | grep ixe
extension=ixed.7.1.lin
[castroi@ymq-lpnagapp1 ~]$

I got following error:

This page isn’t working

ymq-lpnagapp1 is currently unable to handle this request.
HTTP ERROR 500

Could you please assist?
Thank you

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 4:44 pm
by dwhitfield
castroi wrote: I have added ixed.7.1.lin as displayed in directory mentioned.

[castroi@ymq-lpnagapp1 ~]$ sudo cat /etc/php.ini | grep ixe
extension=ixed.7.1.lin

7.0 is supported, not 7.1. Did you install 7.0? If so, you'll need to use ixed.7.0.lin

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 4:47 pm
by tgriep
In addition to what dwhitfield said, the sourceguardian setting is usually not in the /etc/php.ini file but in the /etc/php.d/sourceguardian.ini file.
Remove the line from the php.ini file and update the /etc/php.d/sourceguardian.ini instead if it exists.

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 6:42 pm
by castroi
Hello,

Thank you, we have removed 7.1 and installed 7.0 as mentioned.

[castroi@ymq-lpnagapp1 ~]$ php -v
PHP 7.0.20 (cli) (built: Jun 7 2017 07:50:14) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
[castroi@ymq-lpnagapp1 ~]$

I have now also updated the file /etc/php.d/sourceguardian.ini only:
[root@ymq-lpnagapp1 nagiosxi]# cat /etc/php.d/sourceguardian.ini
extension=ixed.7.0.lin
[root@ymq-lpnagapp1 nagiosxi]#


I still have the same error:

This page isn’t working

ymq-lpnagapp1.corp.ad.iata.org is currently unable to handle this request.
HTTP ERROR 500

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 7:10 pm
by castroi
Hello,

Notice that the main home page is working, but when I click on the "Access Nagios XI" button and am redirected to "http://server-name/nagiosxi/" or "https://server-name/nagiosxi/", I get the error page with:

This page isn’t working

server-name is currently unable to handle this request.
HTTP ERROR 500

Could you please assist with what is required?

Thank you

Re: Vulnerabilities detected

Posted: Wed Jun 21, 2017 9:28 pm
by castroi
Hello,

I have temporarily made a phpinfo(); script and attached the result.

Here is also the output from the Apache logs:
[castroi@ymq-lpnagapp1 ~]$ sudo tail /var/log/httpd/error_log
[Wed Jun 21 22:16:39.487662 2017] [lbmethod_heartbeat:notice] [pid 25956] AH02282: No slotmem from mod_heartmonitor
[Wed Jun 21 22:16:39.499871 2017] [mpm_prefork:notice] [pid 25956] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips PHP/7.0.20 configured -- resuming normal operations
[Wed Jun 21 22:16:39.499899 2017] [core:notice] [pid 25956] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Jun 21 22:17:49.713636 2017] [mpm_prefork:notice] [pid 25956] AH00170: caught SIGWINCH, shutting down gracefully
[Wed Jun 21 22:17:50.774239 2017] [suexec:notice] [pid 51577] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jun 21 22:17:50.803004 2017] [auth_digest:notice] [pid 51577] AH01757: generating secret for digest authentication ...
[Wed Jun 21 22:17:50.803663 2017] [lbmethod_heartbeat:notice] [pid 51577] AH02282: No slotmem from mod_heartmonitor
[Wed Jun 21 22:17:50.816344 2017] [mpm_prefork:notice] [pid 51577] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips PHP/7.0.20 configured -- resuming normal operations
[Wed Jun 21 22:17:50.816383 2017] [core:notice] [pid 51577] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Wed Jun 21 22:23:58.898220 2017] [:error] [pid 40296] [client 10.59.130.111:13247] script '/var/www/html/test.php' not found or unable to stat
[castroi@ymq-lpnagapp1 ~]$

Kindly advise on next steps.

Thank you,

Re: Vulnerabilities detected

Posted: Thu Jun 22, 2017 5:50 am
by castroi
Hello,

We have reverted to PHP 5.4 for the time being.
Please provide proper instructions or a script to install Nagios XI with PHP 7.0 on Red Hat 7.3.
It is currently problematic.

Thank you,