
Nagios XI is marked as insecure

Posted: Tue Oct 08, 2019 4:37 am
by wagnbeu0
Our current installation of Nagios XI 5.6.7 is marked as insecure:

jQuery Prior to 3.4.0 Cross-Site Scripting Vulnerability


Are there any plans to upgrade jQuery?

Re: Nagios XI is marked as insecure

Posted: Tue Oct 08, 2019 10:59 am
by benjaminsmith
Hello @wagnbeu0,

We generally don't immediately upgrade jQuery to ensure compatibility with older browsers. If you have any specifics as to which vulnerability in jQuery this is, that would be appreciated by the development team.

That said, we're planning to upgrade this in the next release assuming we don't experience any issues in QA.

Let us know if you have any questions.

Re: Nagios XI is marked as insecure

Posted: Tue Oct 08, 2019 11:20 am
by ssax
Hello,

Thanks for reporting this. The developers will need to upgrade/patch the version we include to resolve this; they expect it to be included in the next release of XI. Both the 1.12.4 and 3.3.1 versions should be patched.

I've submitted this to [email protected] on your behalf, please send future vulnerability discoveries to [email protected] as per the below process:

Reporting Security Vulnerabilities
At Nagios, we make security a priority. We strive to patch any security issues in a timely manner. We highly recommend using the latest versions available of our software. The latest versions will include security fixes that remediate the vulnerabilities shown below.

Please send security vulnerabilities found in any of the Nagios commercial products and security related emails to [email protected]. All non-security related bug reports should be given through a Support Ticket or through a post on the Support Forum.
Taken from here:

https://www.nagios.com/products/security/


You can technically patch it via these commands:
*** NOTE: This github repo was linked to here: https://bugzilla.redhat.com/show_bug.cgi?id=1701972
It is up to you whether you follow these instructions (trusting the repository and author) or whether you implement the patches yourself ***


# Fetch the backported patches for both jQuery versions bundled with Nagios XI
cd /tmp
wget https://raw.githubusercontent.com/DanielRuf/snyk-js-jquery-174006/master/jquery-1.12.4.min.patch
wget https://raw.githubusercontent.com/DanielRuf/snyk-js-jquery-174006/master/jquery-3.3.1.min.patch
# Apply each patch in place to the minified file that XI ships
patch -p1 /usr/local/nagiosxi/html/includes/js/jquery/jquery-1.12.4.min.js jquery-1.12.4.min.patch
patch -p1 /usr/local/nagiosxi/html/includes/js/jquery/jquery-3.3.1.min.js jquery-3.3.1.min.patch