251 PHP and Apache vulnerabilities in recent Nagios XI

Posted: Thu May 23, 2019 12:28 pm
by dlukinski
Hi

We've inquired about the Nagios XI VM (created by Nagios) having many PHP and Apache vulnerabilities.
Now we've installed the most recent CentOS and XI 5.6.2 and re-scanned this install for vulnerabilities.

251 PHP and Apache vulnerabilities were listed.

What could be done about this very long list?
- clearly insecure and for a long while

List attached

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Posted: Thu May 23, 2019 12:56 pm
by SteveBeauchemin
I also looked into this because we harden and patch our servers regularly.

There is a basic problem with most vulnerability scanners. They don't scan anything. They just look at the OS version and the App version and then do a lookup in their database. They do not take into account that the backporting of those apps could have taken care of the issues already.

CentOS is a Red Hat system with the branding removed. This might be interesting for you to read. Very short...
https://access.redhat.com/security/updates/backporting/

I brought this up to my security people and Unix Administrators and they educated me and lowered my blood pressure.

Turns out that the version numbers of these programs are not enough information to decide if the code is good or bad. Some vendors actually use the CVE information, research, and implement the code fixes in their older versions. This surprised me as I have never considered that the version from one source would be different from the same version acquired elsewhere.

Just FYI...

Steve B

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Posted: Thu May 23, 2019 1:10 pm
by scottwilkerson
SteveBeauchemin wrote: I also looked into this because we harden and patch our servers regularly.

There is a basic problem with most vulnerability scanners. They don't scan anything. They just look at the OS version and the App version and then do a lookup in their database. They do not take into account that the backporting of those apps could have taken care of the issues already.

CentOS is a Red Hat system with the branding removed. This might be interesting for you to read. Very short...
https://access.redhat.com/security/updates/backporting/

I brought this up to my security people and Unix Administrators and they educated me and lowered my blood pressure.

Turns out that the version numbers of these programs are not enough information to decide if the code is good or bad. Some vendors actually use the CVE information, research, and implement the code fixes in their older versions. This surprised me as I have never considered that the version from one source would be different from the same version acquired elsewhere.

Just FYI...

Steve B
Thanks Steve, you are in fact correct. This scan had to be done with software that simply determines that php < 5.6 is vulnerable, which isn't really the case: all these CVEs have been backported, and if the php version on your system is up to date and you are running an OS that isn't EOL you should be fine.

These CVEs are not Nagios specific, just OS/php/httpd specific.

An update will get the patched version, but your scanner will likely still report the same thing.

yum update
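Since a version-matching scanner will keep flagging a backported package after yum update, the practical check is to read the installed package's changelog, which on RHEL/CentOS packages names the CVEs a backport fixes. The script below is an added example, not code from the thread or from Nagios: it takes a scanner's CVE list plus changelog text and reports the ids the changelog does not mention, so the 251 findings can be reduced to the ones that still need attention. The CVE ids and the changelog excerpt are constructed placeholders, and rpm is assumed to be present only for the last helper.

```shell
#!/bin/sh
# Added example: triage version-based scanner findings against the CVEs named
# in an installed RPM's changelog (Red Hat backports list them there).

# Constructed sample changelog; CVE ids are placeholders, not real entries.
SAMPLE_CHANGELOG='* Tue Mar 05 2019 Example Packager <packager@example.invalid> - 5.4.16-46
- fix for CVE-0000-0001 (constructed placeholder entry)
* Mon Jan 14 2019 Example Packager <packager@example.invalid> - 5.4.16-45
- rebuild against updated libxml2'

# Return 0 if the changelog text ($2) mentions CVE id $1 as a whole token,
# so CVE-0000-0001 does not match CVE-0000-00010.
cve_fixed_in_changelog() {
    printf '%s\n' "$2" | grep -qiE -- "$1([^0-9]|\$)"
}

# Print one line per CVE in the space-separated list $1 that the changelog
# text $2 does NOT mention; these are the findings left to investigate.
unresolved_cves() {
    for id in $1; do
        cve_fixed_in_changelog "$id" "$2" || printf '%s\n' "$id"
    done
}

# Summary for a scanner list: "<fixed>/<total> backported" plus the leftovers.
triage_summary() {
    total=0
    fixed=0
    for id in $1; do
        total=$((total + 1))
        cve_fixed_in_changelog "$id" "$2" && fixed=$((fixed + 1))
    done
    printf '%s/%s backported\n' "$fixed" "$total"
    unresolved_cves "$1" "$2"
}

# On a real host: read the installed package's changelog (assumes rpm exists).
# Example: unresolved_in_package php "CVE-0000-0001 CVE-0000-0002"
unresolved_in_package() {
    unresolved_cves "$2" "$(rpm -q --changelog "$1")"
}

# Stand-alone demo against the constructed changelog.
triage_summary "CVE-0000-0001 CVE-0000-0002" "$SAMPLE_CHANGELOG"
```

A CVE missing from the changelog is not automatically a true positive either: it may be fixed in a later errata build or not affect the shipped configuration, so the leftover list is the set to check against the vendor's errata, not the final verdict.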

Re: 251 PHP and Apache vulnerabilities in recent Nagios XI

Posted: Thu May 30, 2019 2:54 pm
by dlukinski
scottwilkerson wrote:
SteveBeauchemin wrote: I also looked into this because we harden and patch our servers regularly.

There is a basic problem with most vulnerability scanners. They don't scan anything. They just look at the OS version and the App version and then do a lookup in their database. They do not take into account that the backporting of those apps could have taken care of the issues already.

CentOS is a Red Hat system with the branding removed. This might be interesting for you to read. Very short...
https://access.redhat.com/security/updates/backporting/

I brought this up to my security people and Unix Administrators and they educated me and lowered my blood pressure.

Turns out that the version numbers of these programs are not enough information to decide if the code is good or bad. Some vendors actually use the CVE information, research, and implement the code fixes in their older versions. This surprised me as I have never considered that the version from one source would be different from the same version acquired elsewhere.

Just FYI...

Steve B
Thanks Steve, you are in fact correct. This scan had to be done with software that simply determines that php < 5.6 is vulnerable, which isn't really the case: all these CVEs have been backported, and if the php version on your system is up to date and you are running an OS that isn't EOL you should be fine.

These CVEs are not Nagios specific, just OS/php/httpd specific.

An update will get the patched version, but your scanner will likely still report the same thing.

yum update

Thank you for confirming Nagios Support and Development's take on PHP & Apache vulnerabilities.
- we could close this topic now