Hello,
I have been getting alerts about the following on the Nagios server, as they are all versions with vulnerabilities in my current Nagios XI 2024R1.1.4 version. I wanted to find out how best to get these updated. I have been maintaining the latest versions of Nagios XI.
CVE ID:
CVE-2022-2068
CVE-2022-1292
CVE-2017-9788
CVE-2022-31813
CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556
Help needed to fix vulnerabilities
Re: Help needed to fix vulnerabilities
Hello @it_support,
It looks to me like you just need to update your OpenSSL and Apache versions. Have you tried yum/dnf/apt update/upgrade?
What OS are you running?
It's possible that your OS does not support the newer versions of OpenSSL and Apache, in which case you will need to either figure out a way to update them or migrate to a newer OS.
Actively advancing awesome answers with ardent alliteration, aptly addressing all ambiguities. Amplify your acumen and avail our amicable assistance. Eagerly awaiting your astute assessments of our advice.
-
DoubleDoubleA
- Posts: 273
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Help needed to fix vulnerabilities
Hi @it_support,
To add context to @bbahn's response, XI relies on OpenSSL and Apache (and other packages), and in the installation step installs required packages if they are not already present. But it happens that your Linux distribution is in charge of what versions those are; we don't pin those packages to specific versions.
In the Nagios XI upgrade script, we update XI code, but we don't do anything about updating your system packages like OpenSSL and Apache. This is intentional, based on the feedback that many (though not all) admins prefer to be in charge of system package updates. This approach does leave the task of updating system packages to admins, outside the XI update process.
Please let us know if you need anything more on this.
Thanks,
Aaron
-
it support
- Posts: 2
- Joined: Wed Apr 07, 2021 5:38 am
Re: Help needed to fix vulnerabilities
My Nagios is using the OS and Apache/OpenSSL below:
OS: CentOS Linux release 7.9.2009 (Core)
Apache/2.4.6 (CentOS)
OpenSSL 1.0.2k-fips
-
DoubleDoubleA
- Posts: 273
- Joined: Thu Feb 09, 2017 5:07 pm
Re: Help needed to fix vulnerabilities
Hi @it_support,
Thanks for the information.
CentOS 7 is a popular distro. It is also now out of support, so while you may be able to resolve these issues, it is likely to be a security challenge going forward. It may be useful for you to move to CentOS Stream 9 or another distro. Here is a doc on best practices for moving distros/versions https://nagios.force.com/support/s/arti ... -Nagios-XI .
As for the vulnerabilities, definitely your OpenSSL and Apache versions are vulnerable to the listed issues. You would need to upgrade those packages to a later version, which may or may not be simple or possible on your distro.
In any case, your security challenge is a systems administration issue on the server where your Nagios runs, and not strictly a Nagios issue. I would encourage you to use your preferred search engine to investigate the specific issues and compare versions to what you have, and then investigate whether you can upgrade package versions sufficiently on CentOS 7 or whether it may be advisable to move to a new distro.
Aaron
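One practical caveat for the "compare versions to what you have" step above: on CentOS/RHEL the upstream version string stays the same (OpenSSL 1.0.2k, httpd 2.4.6) even after the distro backports a fix, so a scanner that keys on the banner alone can flag CVEs that are already patched locally. The authoritative local record is the RPM changelog (`rpm -q --changelog <package>`), and since CentOS 7 reached end of life on June 30, 2024, no further backports will arrive, which is why the EOL point made in this thread matters. The script below is an added example, not part of this thread or of Nagios XI; it checks a changelog text for each CVE listed in the original post. The `SAMPLE_OPENSSL` changelog fragment is constructed for the demonstration and does not describe any real package build.

```shell
#!/bin/sh
# Added example: report which of the thread's CVEs appear as fixed in an
# RPM changelog. Assumes an EL-style distro where `rpm -q --changelog` works.

# The CVE IDs from the original post.
CVES="CVE-2022-2068 CVE-2022-1292 CVE-2017-9788 CVE-2022-31813 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-29404 CVE-2022-30556"

# cve_status CHANGELOG_TEXT CVE_ID -> prints "fixed" or "unfixed".
# The trailing ([^0-9]|$) stops CVE-2022-2068 from matching CVE-2022-20681.
cve_status() {
    if printf '%s\n' "$1" | grep -qE "$2([^0-9]|$)"; then
        echo fixed
    else
        echo unfixed
    fi
}

# count_unfixed CHANGELOG_TEXT -> number of listed CVEs not found in the changelog.
count_unfixed() {
    n=0
    for cve in $CVES; do
        [ "$(cve_status "$1" "$cve")" = fixed ] || n=$((n + 1))
    done
    echo "$n"
}

# report PACKAGE_NAME CHANGELOG_TEXT -> one line per CVE; exit status 1 if any unfixed.
report() {
    pkg=$1
    changelog=$2
    rc=0
    for cve in $CVES; do
        status=$(cve_status "$changelog" "$cve")
        printf '%-8s %-16s %s\n' "$pkg" "$cve" "$status"
        [ "$status" = fixed ] || rc=1
    done
    return $rc
}

# Constructed sample changelog (not a real openssl changelog) so the script
# runs offline; two of the nine CVEs are recorded as fixed.
SAMPLE_OPENSSL='* Tue Jul 05 2022 maintainer - 1:1.0.2k-99
- fix CVE-2022-2068 c_rehash command injection (constructed entry)
- fix CVE-2022-1292 c_rehash command injection (constructed entry)'

# On a live host, replace the sample with the real changelog:
#   report openssl "$(rpm -q --changelog openssl)"
#   report httpd   "$(rpm -q --changelog httpd)"
if report openssl "$SAMPLE_OPENSSL"; then
    echo "all listed CVEs recorded as fixed"
else
    echo "unfixed CVEs remaining: $(count_unfixed "$SAMPLE_OPENSSL")"
fi
```

A CVE absent from the changelog is not proof of exposure (the package may not ship the affected component, and httpd fixes are tracked under the `httpd` package, not `openssl`), but a CVE present in the changelog is strong evidence the scanner finding is a version-banner false positive on that host; cross-check against the vendor's errata before closing the alert.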