Notifications of security fixes
Posted: Wed Jan 27, 2021 11:46 am
by hbouma
Several companies I work with will email us when security vulnerabilities are patched in a new version.
Does Nagios have this for NCPA, Nagios XI or any of the other products?
Re: Notifications of security fixes
Posted: Wed Jan 27, 2021 5:00 pm
by dchurch
If you sign up for the Nagios newsletter it says it contains security announcements.
Otherwise, our security disclosures are put on this page:
https://www.nagios.com/products/security/
Every CVE we file goes into the NIST.gov database. They maintain data feeds that you can consume:
https://nvd.nist.gov/vuln/data-feeds
(You may even set up a Nagios server to monitor https://www.nagios.com/products/security/ for changes.)
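An added example of the "monitor the security page for changes" idea, not code from Nagios or from the poster: a small Nagios-plugin-style script that hashes the page body and returns WARNING when it differs from the hash recorded on the previous run. The function names, the default state-file path and the sample HTML used in the comments are assumptions of this example.

```python
#!/usr/bin/env python3
# check_page_change.py: Nagios-style plugin that alerts when a page's content changes.
# Constructed example, not part of the Nagios project. Exit codes follow the
# Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
import hashlib
import json
import os
import sys
import urllib.request
from typing import Optional, Tuple

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
DEFAULT_URL = "https://www.nagios.com/products/security/"
DEFAULT_STATE = "/tmp/check_page_change.state"  # assumed path; pass your own

def evaluate(body: bytes, previous: Optional[str]) -> Tuple[int, str, str]:
    """Compare the fetched body with the hash from the last run.
    Returns (exit_code, status_line, new_hash). First run records a baseline."""
    digest = hashlib.sha256(body).hexdigest()
    if previous is None:
        return OK, f"OK - baseline recorded ({digest[:12]})", digest
    if previous == digest:
        return OK, f"OK - page unchanged ({digest[:12]})", digest
    return WARNING, f"WARNING - page changed ({previous[:12]} -> {digest[:12]}), review it", digest

def check_content(body: bytes, state_path: str) -> Tuple[int, str]:
    """Wrap evaluate() with the on-disk state file. The new hash is always
    saved, so one change produces one WARNING, then OK again on the next poll
    (Nagios records the WARNING and the recovery as a notification pair)."""
    previous = None
    if os.path.exists(state_path):
        with open(state_path) as f:
            previous = json.load(f).get("sha256")
    code, msg, digest = evaluate(body, previous)
    with open(state_path, "w") as f:
        json.dump({"sha256": digest}, f)
    return code, msg

def fetch(url: str, timeout: int = 15) -> bytes:
    # Network fetch; only used when run as a plugin, not by the offline checks.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def main(argv) -> int:
    url = argv[1] if len(argv) > 1 else DEFAULT_URL
    state = argv[2] if len(argv) > 2 else DEFAULT_STATE
    try:
        code, msg = check_content(fetch(url), state)
    except Exception as exc:  # DNS/TLS/HTTP failures map to UNKNOWN, not a false change
        code, msg = UNKNOWN, f"UNKNOWN - fetch failed: {exc}"
    print(msg)
    return code

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Define it as a Nagios command (e.g. `check_page_change.py <url> <state file>`) and the host will notify on the OK to WARNING transition; the same script can be pointed at any vendor advisory page.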
Re: Notifications of security fixes
Posted: Thu Jan 28, 2021 12:13 pm
by hbouma
I noticed this security page does not list anything about the NCPA agent or Nagios Fusion. How would we find out information about either of these?
Re: Notifications of security fixes
Posted: Thu Jan 28, 2021 4:59 pm
by dchurch
If there were any, they'd show up there.
There are CVEs for Fusion that we'll link to for next release, but they're not public yet.
Re: Notifications of security fixes
Posted: Fri Jan 29, 2021 10:58 am
by hbouma
So, I see an NCPA agent fix was released yesterday, including a CVE fix. However, it isn't on https://www.nagios.com/products/security/.
Do you happen to know why this would not be listed?
My upper management is on me at this time about making sure we keep the products up to date because of the recent hacks in the news, so a lack of notifications about this type of fix is really not great at this time.
Re: Notifications of security fixes
Posted: Fri Jan 29, 2021 3:30 pm
by dchurch
The reason that CVE-2019-8331 wasn't disclosed on https://www.nagios.com/products/security/ is because that's only for CVEs in Nagios products. That CVE is in the Twitter Bootstrap JavaScript library.
If we had discovered that an attacker could exploit this XSS hole by specially crafting a POST or a URL to one of our products, I'm sure we'd have filed a separate CVE for it. We didn't end up doing that, probably because the XSS hole wasn't exploitable, or we sanitize the data before sending it to JavaScript, or we don't call that particular vulnerable piece of code.
As far as vulnerabilities go, XSS is usually a pretty minor one. Chrome actually detects and blocks XSS attempts by stopping JavaScript from running if it sees it in the request body. Nagios XI already protects against outside XSS attacks coming in by requiring CSRF tokens when interacting with the Nagios XI web interface.