Nagios XI log4 native use?

Posted: Sat Dec 11, 2021 10:00 am
by mrjsokol
Good morning,

Does the Nagios XI product natively integrate with Log4, as there is an active exploit in the wild being used? I could not find any evidence that we had seen integration to this product, but our security team would like confirmation from the Nagios team.

Thank you,
Joseph S.

Re: Nagios XI log4 native use?

Posted: Sun Dec 12, 2021 8:06 am
by rbernaert
Would like to know also

Re: Nagios XI log4 native use?

Posted: Sun Dec 12, 2021 9:52 am
by steph007
I have the same question

Re: Nagios XI log4 native use?

Posted: Sun Dec 12, 2021 7:40 pm
by TethiS
Hi,

I get the same question from the customers. It would help to know if products are impacted and if there's a patch to apply.

Thanks!

Re: Nagios XI log4 native use?

Posted: Mon Dec 13, 2021 4:55 am
by vrtwente
Same here, when I run a detection script, it states that package liblog-log4perl-perl 1.50-1 should be checked.

Re: Nagios XI log4 native use?

Posted: Mon Dec 13, 2021 11:31 am
by veehexx
can't say i'm familiar with the CVE to know 100% but from what i can tell then it's a simple case of updating your log4j package to >=2.15.0.

my nagios server (pre-built hyperV VM image iirc) doesn't have log4j installed via yum so based on that, i'm in the clear.

Code:

    yum list installed | grep -i log4j

would definitely be nice to get the devs' input to be 100%.
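
As an added example (not part of any post in this thread and not Nagios code): `yum list installed` only reports packages the package manager installed, so a log4j-core jar bundled inside another application's JAR or WAR would not appear in it. This Python sketch walks a directory tree, opens nested archives, and flags log4j-core copies below the 2.15.0 threshold quoted above; the function names and the sample archives are constructed for illustration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j-core 2.x lookup class
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # assumption: the ">=2.15.0" threshold quoted in the thread
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, findings):
    """Look for log4j-core inside one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt or not really a zip: nothing to inspect
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
            version = tuple(map(int, m.groups())) if m else None  # None: no usable metadata
            findings.append((label, version, version is None or version < FIXED))
        for name in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
            scan_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):
    """Return (location, version, needs_review) for each log4j-core copy under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings

def make_jar(version):
    """Build a constructed, empty stand-in for a log4j-core jar (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
        zf.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()

def demo():
    """Scan a constructed tree: one copy buried in a WAR, one standalone 2.15.0 jar."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(Path(tmp, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_jar("2.14.1"))
        Path(tmp, "logging.jar").write_bytes(make_jar("2.15.0"))
        return [(loc[len(tmp) + 1:], ver, flag) for loc, ver, flag in scan_tree(tmp)]
```

Point `scan_tree` at the directories you want to audit; a `needs_review` value of `True` with version `None` means the class is present but the jar carries no version metadata, so it has to be checked by hand.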

Re: Nagios XI log4 native use?

Posted: Mon Dec 13, 2021 3:55 pm
by benjaminsmith
Hi Joseph,

"Does the Nagios XI product natively integrate with Log4, as there is an active exploit in the wild being used? I could not find any evidence that we had seen integration to this product, but our security team would like confirmation from the Nagios team"

Thanks for reaching out on this issue. It's a Java application and on a clean, default installation of Nagios XI, we would not have any Java-based packages installed in Nagios XI.

Here is my reply from an earlier thread with more information that references all of our products.

Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.

We have updated our company blog with important information on this issue.

https://www.nagios.com/news/2021/12/upd ... erability/

While Nagios Core, NagiosXI, and Fusion use or depend upon Apache products, they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.

Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments, care should be taken to limit the exposure of systems to trusted entities.

As always, we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.

https://www.nagios.com/products/security/

Regards,
Benjamin