Apache Log4J - CVE-2021-44228
Posted: Mon Dec 13, 2021 6:52 am
by andyb4u
Hi,
I've been asked to find out if Nagios XI is affected by CVE-2021-44228?
Thanks,
Andy
Re: Apache Log4J - CVE-2021-44228
Posted: Mon Dec 13, 2021 7:52 am
by danniiffxi
I would also like to know the answer to this!
Re: Apache Log4J - CVE-2021-44228
Posted: Mon Dec 13, 2021 8:03 am
by vconnected
Me too!
Re: Apache Log4J - CVE-2021-44228
Posted: Mon Dec 13, 2021 8:45 am
by davehkent
Me too.
Our RHEL server running nagios does not have any log4j packages installed, so unless it is bundled deep within the nagios executables it looks ok.
Log4j is a Java system and Nagios is based on PHP so from that I'm also assuming it is ok. It would be good to have official confirmation and we can all tick it off as one less thing to worry about.
Re: Apache Log4J - CVE-2021-44228
Posted: Mon Dec 13, 2021 4:15 pm
by benjaminsmith
Hi,
Log4j is a Java system and Nagios is based on PHP so from that I'm also assuming it is ok. It would be good to have official confirmation and we can all tick it off as one less thing to worry about.
That is correct, it's Java based and Nagios XI does not use Java by default. We recommend reviewing your systems for any Java-based integrations or other software that may utilize this package.
We have an update on our company website regarding the vulnerability. More information at:
https://www.nagios.com/news/2021/12/upd ... erability/
--Benjamin
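The review of Java-based integrations recommended above is easiest to do with a script, because the vulnerable log4j-core copy is usually not an OS package (as davehkent checked with rpm) but a jar bundled inside some application's .war or .ear. The following is an added example, not code from Nagios or from this thread: it walks a directory tree, opens every .jar/.war/.ear/.zip (including archives nested inside archives), reads the log4j-core version from its Maven pom.properties, checks for the JndiLookup class, and flags any log4j-core 2.x earlier than 2.15.0 as in the CVE-2021-44228 range. The sample tree it builds under a temporary directory is constructed test data; the archive entries it creates are placeholders, not real class files.

```python
"""Find bundled log4j-core archives on a host and classify them against
CVE-2021-44228 (log4j-core 2.0-beta9 through 2.14.1; first fix in 2.15.0).
Added example for this thread, not Nagios code."""
import io
import os
import re
import sys
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata path that log4j-core jars carry; gives us the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The lookup class behind the JNDI injection; removed upstream in 2.16.0.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_IN = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(zf, path):
    """Return a finding for one open ZipFile, or None if it holds no log4j-core."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if version is None and not has_jndi:
        return None
    parsed = parse_version(version) if version else None
    if parsed is None:
        status = "review"    # JndiLookup present but version unknown: look by hand
    elif parsed < FIXED_IN:
        status = "affected"
    else:
        status = "patched"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}


def walk_archive(zf, path, findings):
    """Inspect an archive and recurse into any archives packed inside it."""
    found = inspect_archive(zf, path)
    if found:
        findings.append(found)
    for name in zf.namelist():
        if not name.lower().endswith(ARCHIVE_SUFFIXES):
            continue
        try:
            inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
        except (zipfile.BadZipFile, RuntimeError):
            continue  # corrupt or encrypted entry: skip, do not crash the scan
        with inner:
            walk_archive(inner, path + "!" + name, findings)


def scan_tree(root):
    """Scan every archive under root; paths are reported relative to root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    walk_archive(zf, rel, findings)
            except (zipfile.BadZipFile, OSError):
                continue
    return findings


def _jar_bytes(version=None, with_jndi=False, nested=None):
    """Constructed test archive: optional pom.properties, JNDI class stub, nested jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "version=%s\n" % version)
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample data: an old jar, a patched jar, and a war hiding an old jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_jar_bytes("2.14.1", True))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_jar_bytes("2.17.1", False))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(_jar_bytes(nested={"WEB-INF/lib/log4j-core-2.13.0.jar": _jar_bytes("2.13.0", True)}))


def demo():
    """Scan the constructed tree and return sorted (path, version, status) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    return sorted((f["path"], f["version"], f["status"]) for f in findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for f in scan_tree(root):
        print("%-9s %-8s jndi=%s %s" % (f["status"], f["version"], f["jndi_lookup"], f["path"]))
```

Run it as `python3 log4j_scan.py /opt` (or any root) to list bundled copies; a `review` status means the JndiLookup class was found but no Maven version metadata, which is common in shaded or repackaged jars and needs a manual look.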
Re: Apache Log4J - CVE-2021-44228
Posted: Tue Dec 14, 2021 8:57 am
by mdernbach
@benjaminsmith, the link you posted is not accessible.
Could you please check?
Michael
Re: Apache Log4J - CVE-2021-44228
Posted: Tue Dec 14, 2021 10:07 am
by benjaminsmith
Hi Michael,
My apologies, here's the link again.
https://www.nagios.com/news/2021/12/upd ... erability/
And here's the post.
As always, our cybersecurity, development, and testing teams here at Nagios are constantly investigating every potential and credible threat to our software. We are aware of and closely monitoring the current Apache Log4j exploit.
Currently we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228. While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components, and includes plugins for receiving Log4j data, we don’t believe the product is vulnerable at this time.
At this time, we have not discovered any impact to Nagios XI and Nagios Network Analyzer. We are verifying whether there is any impact to Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.
If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check back here for updates. If you aren’t currently following us on Twitter, Facebook, or LinkedIn, you can follow us and get real-time updates if there is any new information to share.
In the meantime, we want to remind you that it has always been and continues to be important to not expose your instances of any of our products to the world wide web. Maintaining proper network security protocols will drastically reduce your vulnerabilities to security exploits. For more information on how to approach network security, see our article, 6 Cybersecurity Questions to Answer Before You Open Ports to the Public.
Regards,
Benjamin