Multiple security vulnerabilities found in Nagios Log Server
Posted: Tue Feb 08, 2022 10:11 am
During our latest security scan, we got hit with several vulnerabilities that need to be resolved in order to continue using our NLS cluster:
PHP mb_send_mail() Function Parameter Security Bypass (https://www.tenable.com/plugins/nessus/17716)
JQuery 1.2 < 3.5.0 Multiple XSS (https://www.tenable.com/plugins/nessus/136929)
Apache Log4j 1.x Multiple Vulnerabilities (https://www.tenable.com/plugins/nessus/156860)
I couldn't find anything regarding the PHP sendmail issue in the forums, but I did find a post regarding the JQuery issue. The thread was closed almost a year ago with basically "we have no plans to fix this". We are also still waiting to hear back on whether Log4j will be upgraded as well. While I can appreciate there are a lot of moving parts to a product like this, this is a long time to be leaving known-exploited software packages in products in the wild. We need advisement on whether these are on a roadmap so we can decide whether to switch to something else.