Running Nagios Appliance and need to upgrade Apache
Running Nagios Appliance and need to upgrade Apache
Running Nagios Appliance and need to upgrade Apache 2.4.6 to 2.4.48 or the latest to fix do to CVE-2020-35452, httpd-cve-2021-26690
Re: Running Nagios Appliance and need to upgrade Apache
Hi btayl,
The version of Apache installed on your system is controlled by the operating system vendor's packaging system rather than Nagios itself. The OVA images that Nagios produces to help bootstrap the startup process use CentOS as the base operating system for the image. The initial version of CentOS may vary depending upon when the image was produced but most are running a version of CentOS7. As a result a number of the vulnerabilities that get flagged might be false positives. Redhat and CentOS maintain older versions of software and "back port" security fixes to these older versions. Security scanners often use the banner only to make a risk determination and the result is a false positive since they don't take into account (or know about) the back ported patches that have been applied . Here is a link to Redhat's explanation of this practice using PHP as an example:
https://access.redhat.com/security/updates/backporting
With that being said you should always make sure that your operating system packages are up to date to ensure that relevant vulnerabilities have been addressed. When using one of our OVA images, you will want to check the version of the OS on the image and if it is at or above CentOS 7 keep it up to date using yum. After you've ensured the system is up to date, information on back ported fixes for individual components usually can be found using tools in the packaging system. For example you can use the changelog flags to RPM to get listing of the changes that often includes CVE numbers:
With that being said if you do want to run a version of Apache httpd server outside of what is available through the operating system's packaging system Nagios XI will run, and is supported, on the following versions of PHP and Apache:
Apache: 2.2, 2.4
PHP: 5.3, 5.4, 5.5, 5.6 | 7.0, 7.1, 7.2 (XI 5.5+) | 7.3 (XI 5.6.8+) | 7.4 (XI 5.7.0+)
Thanks and Best Regards,
Keith
The version of Apache installed on your system is controlled by the operating system vendor's packaging system rather than Nagios itself. The OVA images that Nagios produces to help bootstrap the startup process use CentOS as the base operating system for the image. The initial version of CentOS may vary depending upon when the image was produced but most are running a version of CentOS7. As a result a number of the vulnerabilities that get flagged might be false positives. Redhat and CentOS maintain older versions of software and "back port" security fixes to these older versions. Security scanners often use the banner only to make a risk determination and the result is a false positive since they don't take into account (or know about) the back ported patches that have been applied . Here is a link to Redhat's explanation of this practice using PHP as an example:
https://access.redhat.com/security/updates/backporting
With that being said you should always make sure that your operating system packages are up to date to ensure that relevant vulnerabilities have been addressed. When using one of our OVA images, you will want to check the version of the OS on the image and if it is at or above CentOS 7 keep it up to date using yum. After you've ensured the system is up to date, information on back ported fixes for individual components usually can be found using tools in the packaging system. For example you can use the changelog flags to RPM to get listing of the changes that often includes CVE numbers:
Code: Select all
rpm -q --changelog httpd.x86_64 Apache: 2.2, 2.4
PHP: 5.3, 5.4, 5.5, 5.6 | 7.0, 7.1, 7.2 (XI 5.5+) | 7.3 (XI 5.6.8+) | 7.4 (XI 5.7.0+)
Thanks and Best Regards,
Keith
Re: Running Nagios Appliance and need to upgrade Apache
Kieth I have kept it up to date the appliance from nagios but according to Centos HTTPD is now out of "out of support scope" I think that is because rhel 7 says the same thing.
Do you think you will have another appliance that is running more current version of Linux ?
Do you think you will have another appliance that is running more current version of Linux ?
Re: Running Nagios Appliance and need to upgrade Apache
The appliances that we currently offer are just a minimal install of CENTOS 7 with a source install of the respective product on there for faster deployment, there aren't any real customizations done outside of the boot up screen that shows Nagios XI and the IP/URL.
I don't have an ETA on when development will update the images/QA is done testing but I assume work is in progress.
You can migrate to EL8 (or another supported distribution) via the process below:
The XI backup/restore process makes this pretty easy:
The process is this:
- Spin up new server running a latest supported distro from the XI install guide below
- Install the exact same version of XI that the old server has on the new server, no need to configure it, just install it and go through the initial setup (do not try to restore over different versions of XI you will cause issues)
https://assets.nagios.com/downloads/nag ... -Linux.pdf
- If you have a RAMDisk installed, are using RRDCacheD, or are running Mod_Gearman on the old system, set them up before restoring:
https://assets.nagios.com/downloads/nag ... giosXI.pdf
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
https://assets.nagios.com/downloads/nag ... ios_XI.pdf
If you are monitoring vmware/oracle you'll need to reinstall the proper supporting packages on the new server again following these guides:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
- Backup the old/transfer to new/restore to the new
- Follow the After The Restore section from the backup/restore guide completely
- Since you're changing OS versions, run the restore_repair script from the backup/restore guide
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
- (optional) - Shutdown (or re-IP) the old, set the old IP on the new system so you don't have to update agent configs/FW rules
https://support.nagios.com/kb/article/c ... s-549.html
That's pretty much it. Please be aware of what a single XI license entitles you to, that's to help with migrations like this:
https://support.nagios.com/kb/article.php?id=145
Then apply configuration and upgrade the new server to the latest XI version if your XI server isn't currently running the latest.
Thank you!
I don't have an ETA on when development will update the images/QA is done testing but I assume work is in progress.
You can migrate to EL8 (or another supported distribution) via the process below:
The XI backup/restore process makes this pretty easy:
The process is this:
- Spin up new server running a latest supported distro from the XI install guide below
- Install the exact same version of XI that the old server has on the new server, no need to configure it, just install it and go through the initial setup (do not try to restore over different versions of XI you will cause issues)
https://assets.nagios.com/downloads/nag ... -Linux.pdf
- If you have a RAMDisk installed, are using RRDCacheD, or are running Mod_Gearman on the old system, set them up before restoring:
https://assets.nagios.com/downloads/nag ... giosXI.pdf
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
https://assets.nagios.com/downloads/nag ... ios_XI.pdf
If you are monitoring vmware/oracle you'll need to reinstall the proper supporting packages on the new server again following these guides:
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
- Backup the old/transfer to new/restore to the new
- Follow the After The Restore section from the backup/restore guide completely
- Since you're changing OS versions, run the restore_repair script from the backup/restore guide
https://assets.nagios.com/downloads/nag ... ios-XI.pdf
- (optional) - Shutdown (or re-IP) the old, set the old IP on the new system so you don't have to update agent configs/FW rules
https://support.nagios.com/kb/article/c ... s-549.html
That's pretty much it. Please be aware of what a single XI license entitles you to, that's to help with migrations like this:
https://support.nagios.com/kb/article.php?id=145
Then apply configuration and upgrade the new server to the latest XI version if your XI server isn't currently running the latest.
Thank you!
Re: Running Nagios Appliance and need to upgrade Apache
I see you created a ticket for this, locking this thread, we will continue support through the ticket.
Thank you!
Thank you!