
nagiosxi and nagios core update

Posted: Wed Mar 21, 2018 10:26 pm
by Olin
Hello,
I have updated Nagios XI to the latest version (5.4.13), and found that Nagios Core is 4.2.4.
But we found Nagios Core creates a nagios.lock PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for nagios.lock modification before a root script executes a "kill `cat /pathname/nagios.lock`" command. (CVE-2017-12847)
And the latest Nagios Core version has fixed it.
My question is:
1. How do I update Nagios Core to the latest version (4.3.4), and what effects might it have?
2. If Nagios Core cannot be upgraded separately, how can this vulnerability be avoided?
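
The "kill `cat /pathname/nagios.lock`" pattern in the CVE-2017-12847 description above trusts whatever PID the lock file holds. The shell function below is an added example, not part of the original post and not Nagios code; it validates the lock file before a privileged script signals anything. The function name, return codes and the process name "nagios" are assumptions, and it reads /proc, so it is Linux-only.

```shell
#!/bin/sh
# Added example, not Nagios code. Linux-only (reads /proc).
# safe_pid_from_lockfile LOCKFILE OWNER COMM
#   Prints the PID and returns 0 only when every check passes:
#   1 = missing, not a regular file, or a symlink
#   2 = not owned by OWNER, or writable by group/other
#   3 = content is not a single PID greater than 1
#   4 = PID is not a running process named COMM
safe_pid_from_lockfile() {
    lockfile=$1 owner=$2 comm=$3

    # A symlink could redirect the read to a file someone else controls.
    [ -f "$lockfile" ] && [ ! -L "$lockfile" ] || return 1

    # Trust the file only if the unprivileged account cannot rewrite it.
    trusted=$(find "$lockfile" -user "$owner" ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$trusted" ] || return 2

    # Digits only: rejects empty files, extra lines and shell metacharacters.
    pid=$(cat "$lockfile") || return 1
    case $pid in
        '' | *[!0-9]*) return 3 ;;
    esac
    [ "$pid" -gt 1 ] 2>/dev/null || return 3

    # The PID must belong to the expected daemon, not an arbitrary process.
    actual=$(cat "/proc/$pid/comm" 2>/dev/null) || return 4
    [ "$actual" = "$comm" ] || return 4

    printf '%s\n' "$pid"
}

# Usage in a root script, replacing: kill `cat /pathname/nagios.lock`
# ("nagios" as the daemon's process name is an assumption):
#   pid=$(safe_pid_from_lockfile /pathname/nagios.lock root nagios) && kill "$pid"
# A short window remains between the check and the kill; the check narrows
# the exposure, it does not replace upgrading to the fixed release.
```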

Re: nagiosxi and nagios core update

Posted: Thu Mar 22, 2018 11:05 am
by lmiltchev
You should be able to upgrade the Nagios Core engine in Nagios XI by following the steps below:

1. Go to the nagioscore directory, remove the old nagios core tarball, and download the latest (4.3.4):

Code:

cd /tmp/nagiosxi/subcomponents/nagioscore
rm -f nagios-4.2.4.tar.gz
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz

2. Open the upgrade script in a text editor, e.g. vi, and change this line:

Code:

pkgname="nagios-4.2.4"

to this:

Code:

pkgname="nagios-4.3.4"

3. Comment out line 18, so it is going to look like this:

Code:

# ./apply-patches "$pkgname"

Save, and exit the file.

4. Run the upgrade script:

Code:

./upgrade

Important: Prior to upgrading Nagios Core in XI, do all of the necessary backups, snapshots, etc.! Each Nagios XI license is approved for up to three installations: one primary monitoring/production, one backup/failover, and one test environment. Try this on your test server prior to doing it in production!

Let us know if this helped. Thank you!

Re: nagiosxi and nagios core update

Posted: Sun Mar 25, 2018 7:47 pm
by Olin
lmiltchev wrote:
You should be able to upgrade the Nagios Core engine in Nagios XI by following the steps below:

1. Go to the nagioscore directory, remove the old nagios core tarball, and download the latest (4.3.4):

Code:

cd /tmp/nagiosxi/subcomponents/nagioscore
rm -f nagios-4.2.4.tar.gz
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.3.4.tar.gz

2. Open the upgrade script in a text editor, e.g. vi, and change this line:

Code:

pkgname="nagios-4.2.4"

to this:

Code:

pkgname="nagios-4.3.4"

3. Comment out line 18, so it is going to look like this:

Code:

# ./apply-patches "$pkgname"

Save, and exit the file.

4. Run the upgrade script:

Code:

./upgrade

Important: Prior to upgrading Nagios Core in XI, do all of the necessary backups, snapshots, etc.! Each Nagios XI license is approved for up to three installations: one primary monitoring/production, one backup/failover, and one test environment. Try this on your test server prior to doing it in production!

Let us know if this helped. Thank you!

Yes, it works, thanks.