Vulnerabilities Showing in Scans of NagiosXI install

dancormack
Posts: 21
Joined: Tue Mar 25, 2014 2:00 pm

Vulnerabilities Showing in Scans of NagiosXI install

Post by dancormack »

Hello,

I have been getting alerts about the following on the Nagios server, as they are all installed at versions with vulnerabilities. My impression is that these are used by Nagios, and I wanted to find out how best to get these updated or if I can just remove them. I have been maintaining the latest versions of Nagios XI. If I try to remove them, they also want to remove nagiosxi-deps-el7 noarch 5.11.2-1.


nmap 2:6.47-2
shellinabox 2.20-5.el7
ansible 2.9.27-1.el7
bgelhaye
Posts: 3
Joined: Wed Aug 09, 2023 2:57 pm

Re: Vulnerabilities Showing in Scans of NagiosXI install

Post by bgelhaye »

Hello Dancormack,

Could you please provide the Linux distribution you're using?

-Brandon Gelhaye
dancormack
Posts: 21
Joined: Tue Mar 25, 2014 2:00 pm

Re: Vulnerabilities Showing in Scans of NagiosXI install

Post by dancormack »

Hello,
I am running Oracle Linux Server release 7.9.
cnorell
Developer
Posts: 141
Joined: Mon Nov 27, 2017 3:08 pm

Re: Vulnerabilities Showing in Scans of NagiosXI install

Post by cnorell »

dancormack,

Can you provide any more context surrounding the specific vulnerabilities found? Were they linked to CVEs or was it simply noted that those packages could be vulnerable? Vague automated vulnerability scans aren't usually actionable on our end, however if you can point to a specific vulnerability, I can make sure we have an issue filed to remedy the vulnerability.

The obvious, albeit not recommended, solution is to update the packages manually, but we can't guarantee everything that leverages a given package will still work. If you're going to try this, absolutely make a backup first.

The shellinabox vulnerability can be mitigated by completely disabling the web terminal. You can do so by navigating to Admin > System Settings > Security > SSH Terminal and checking the "Disable the SSH Terminal web portal." box.
dancormack
Posts: 21
Joined: Tue Mar 25, 2014 2:00 pm

Re: Vulnerabilities Showing in Scans of NagiosXI install

Post by dancormack »

The scans are showing the following details. The packages which are installed by Nagios XI contain old vulnerabilities and are not getting updated when I perform updates. I prefer to not run manual updates and prefer to see Nagios provide the fixes for these (part of what I pay for). These are all classified as high threats. Thank you for looking into this all!

CVE-2018-16789 -> Shellinabox - Installed version 2.20-5.el7
https://nvd.nist.gov/vuln/detail/CVE-2018-16789


CVE-2018-15173 -> Nmap - Installed version 2:6.47-2
https://nvd.nist.gov/vuln/detail/CVE-2018-15173

CVE-2022-3697 -> Ansible - Installed version 2.9.27-1.el7
https://nvd.nist.gov/vuln/detail/CVE-2022-3697
swolf
Developer
Posts: 361
Joined: Tue Jun 06, 2017 9:48 am

Re: Vulnerabilities Showing in Scans of NagiosXI install

Post by swolf »

Hi @dancormack - thanks for reaching out.

Those are system packages, which are usually affected by Red Hat's backporting policies.

As Cory mentioned, shellinabox can be disabled in the interface. You won't be able to remove the package, as you noted (Oracle 7 is too old to support weak dependencies in RPMs), but you can probably delete the binaries from your system with no adverse effects.

For nmap, Red Hat claims that their package is not affected, see https://access.redhat.com/security/cve/cve-2018-15173, and therefore hasn't patched it.

For ansible, it looks to me like the vulnerability is in a specific ec2 library, which we don't use. Red Hat hasn't patched this one.

If you absolutely need the package version numbers to be different, I would recommend migrating to a newer distribution. EL7 was released in ~2013 and we'll be dropping product support for that distribution this coming summer. Oracle 9 in particular won't install shellinabox at all, and you may have better luck with the other two packages, too.

Let me know if that helps, or if you have any further questions or concerns.
Developer @ Nagios 2017-05-15 thru 2024-08-06
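The backporting point above is the one a scanner cannot see: on EL7 a fix is shipped under the old upstream version number, so the only local evidence is the RPM changelog. The script below is an added example, not code from the thread or from Nagios: for each package/CVE pair it records the installed epoch:version-release, greps the changelog for the CVE id, and lists what requires the package (which is why removing nmap or shellinabox wants to drag nagiosxi-deps-el7 along). The sample changelog is constructed for offline use, including an assumed "2.20-6.el7" entry that does not exist in the real package; on a host with rpm and the package installed, the live queries run instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Nagios): audit scanner findings
# against RPM metadata on an EL7 host. A backported fix keeps the old version
# string the scanner matches on, but the changelog names the CVE.

# Constructed sample changelog standing in for `rpm -q --changelog <pkg>` when
# rpm or the package is absent. The 2.20-6.el7 entry is assumed, not real.
SAMPLE_CHANGELOG='* Tue Jan 02 2024 Example Maintainer <maint@example.com> - 2.20-6.el7
- Backport fix for CVE-2018-16789 (assumed entry for illustration)
* Mon Jun 05 2017 Example Maintainer <maint@example.com> - 2.20-5.el7
- Initial build'

# cve_in_changelog TEXT CVE -> "fixed" if the CVE id appears in TEXT, else "unfixed"
cve_in_changelog() {
    if printf '%s\n' "$1" | grep -Fqi -- "$2"; then
        echo fixed
    else
        echo unfixed
    fi
}

# split_evr "2:6.47-2" -> "epoch=2 version=6.47 release=2"
# Scanners report epoch:version-release; epoch defaults to 0 when absent.
split_evr() {
    evr=$1
    case $evr in
        *:*) epoch=${evr%%:*}; evr=${evr#*:} ;;
        *)   epoch=0 ;;
    esac
    version=${evr%-*}
    release=${evr##*-}
    echo "epoch=$epoch version=$version release=$release"
}

# check_pkg PKG CVE -> one report line; uses live rpm data when available,
# otherwise the constructed sample so the script still runs offline.
check_pkg() {
    pkg=$1
    cve=$2
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        # %{EPOCH} prints "(none)" when the package has no epoch.
        installed=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' "$pkg")
        log=$(rpm -q --changelog "$pkg" || true)
        deps=$(rpm -q --whatrequires "$pkg" 2>/dev/null || true)
    else
        installed="(not installed here; using sample changelog)"
        log=$SAMPLE_CHANGELOG
        deps="(unknown)"
    fi
    printf '%s %s installed=%s changelog=%s required-by: %s\n' \
        "$pkg" "$cve" "$installed" \
        "$(cve_in_changelog "$log" "$cve")" \
        "$(printf '%s' "$deps" | tr '\n' ' ')"
}

# main -> audits the three pairs from the thread.
main() {
    for pair in shellinabox:CVE-2018-16789 nmap:CVE-2018-15173 ansible:CVE-2022-3697; do
        check_pkg "${pair%%:*}" "${pair#*:}"
    done
}

# Run the audit when invoked as `sh rpm_cve_audit.sh --run`.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A "fixed" result only means the maintainer named the CVE in the changelog; an unpatched package, or one the vendor has marked "not affected" (as Red Hat did for nmap here), shows "unfixed" and needs the vendor's CVE page to settle it. The required-by column is what to read before any `yum remove`: if nagiosxi-deps-el7 appears there, removing the package takes Nagios XI's dependency metapackage with it.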