Help needed to fix vulnerabilities

Posted: Mon Jul 08, 2024 6:01 am
by it support
Hello,

I have been getting alerts about the following on the Nagios server, as they are all versions with vulnerabilities, in my current Nagios XI 2024R1.1.4 version. I wanted to find out how best to get these updated. I have been maintaining the latest versions of Nagios XI.

CVE ID:
CVE-2022-2068
CVE-2022-1292
CVE-2017-9788
CVE-2022-31813
CVE-2022-28330, CVE-2022-28614, CVE-2022-28615, CVE-2022-29404, CVE-2022-30556

Re: Help needed to fix vulnerabilities

Posted: Mon Jul 08, 2024 10:36 am
by bbahn
Hello @it_support,

It looks to me like you just need to update your OpenSSL and Apache versions. Have you tried yum/dnf/apt update/upgrade?

What OS are you running?
It's possible that your OS does not support the newer versions of OpenSSL and Apache, in which case you will need to either figure out a way to update them or migrate to a newer OS.

Re: Help needed to fix vulnerabilities

Posted: Mon Jul 08, 2024 2:52 pm
by DoubleDoubleA
Hi @it_support,

To add context to @bbahn's response, XI relies on OpenSSL and Apache (and other packages), and in the installation step installs required packages if they are not already present. But it happens that your Linux distribution is in charge of what versions those are; we don't pin those packages to specific versions.

In the Nagios XI upgrade script, we update XI code, but we don't do anything about updating your system packages like OpenSSL and Apache. This is intentional, based on the feedback that many (though not all) admins prefer to be in charge of system package updates. This approach does leave the task of updating system packages to admins, outside the XI update process.

Please let us know if you need anything more on this.

Thanks,

Aaron

Re: Help needed to fix vulnerabilities

Posted: Tue Jul 09, 2024 12:49 am
by it support
My Nagios is using the OS and Apache/OpenSSL below:

OS: CentOS Linux release 7.9.2009 (Core)
Apache/2.4.6 (CentOS)
OpenSSL 1.0.2k-fips

Re: Help needed to fix vulnerabilities

Posted: Tue Jul 09, 2024 9:55 am
by DoubleDoubleA
Hi @it_support,

Thanks for the information.

CentOS 7 is a popular distro. It is also now out of support, so while you may be able to resolve these issues, it is likely to be a security challenge going forward. It may be useful for you to move to CentOS Stream 9 or another distro. Here is a doc on best practices for moving distros/versions: https://nagios.force.com/support/s/arti ... -Nagios-XI

As for the vulnerabilities, definitely your OpenSSL and Apache versions are vulnerable to the listed issues. You would need to upgrade those packages to a later version, which may or may not be simple or possible on your distro.

In any case, your security challenge is a systems administration issue on the server where your Nagios runs, and not strictly a Nagios issue. I would encourage you to use your preferred search engine to investigate the specific issues and compare versions to what you have, and then investigate whether you can upgrade package versions sufficiently on CentOS 7 or whether it may be advisable to move to a new distro.

Aaron
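The "compare versions to what you have" step in the reply above has a catch on RHEL-family systems that is worth spelling out. CentOS/RHEL backport security fixes into the existing upstream version, so the banner stays at Apache/2.4.6 and OpenSSL 1.0.2k whether or not a given CVE is fixed; a scanner that matches on the version string alone will flag both patched and unpatched builds. The check an admin actually wants is whether the installed RPM build mentions the CVE in its changelog (`rpm -q --changelog <pkg>`). The script below is an added example for this thread, not Nagios code and not posted by anyone in the thread. The `rpm` invocations are real; the changelog text embedded in the script is constructed for offline demonstration and stands in for real `rpm` output when `rpm` is not available or the package is not installed.

```shell
#!/bin/sh
# Added example: decide whether a CVE fix is present in an installed RPM by
# searching the package changelog rather than comparing the upstream version.
# On RHEL/CentOS the version (httpd-2.4.6, openssl-1.0.2k) does not change when
# a fix is backported, so only the changelog (or vendor errata) tells you.

# Constructed sample changelog (made up for this demonstration; not real
# rpm output). Used when rpm is missing or the package is not installed.
SAMPLE_CHANGELOG='* Mon Aug 01 2022 Example Packager <packager@example.com> 1:1.0.2k-25
- Resolves: CVE-2022-1292 c_rehash script allows command injection
- Resolves: CVE-2022-2068 more shell code injection in c_rehash
* Wed Mar 16 2022 Example Packager <packager@example.com> 1:1.0.2k-24
- Resolves: CVE-2022-0778 infinite loop in BN_mod_sqrt'

# cve_in_changelog CHANGELOG CVE_ID: exit 0 if CVE_ID appears as a whole
# token (-w stops CVE-2022-1292 from matching CVE-2022-12920).
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qiwF -- "$2"
}

# missing_cves CHANGELOG CVE...: print, one per line, every CVE the
# changelog does not mention, i.e. not fixed in this build.
missing_cves() {
    mc_log=$1
    shift
    for mc_cve in "$@"; do
        cve_in_changelog "$mc_log" "$mc_cve" || printf '%s\n' "$mc_cve"
    done
}

# package_changelog PKG: the real changelog when rpm knows the package,
# otherwise the constructed sample so the script still runs for illustration.
package_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        rpm -q --changelog "$1"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# check_package PKG CVE...: report each CVE; return 1 if any is missing.
check_package() {
    cp_pkg=$1
    shift
    cp_log=$(package_changelog "$cp_pkg")
    cp_status=0
    for cp_cve in "$@"; do
        if cve_in_changelog "$cp_log" "$cp_cve"; then
            echo "$cp_pkg: $cp_cve fix present in installed build"
        else
            echo "$cp_pkg: $cp_cve NOT in changelog (unpatched here: update, or no backport exists)"
            cp_status=1
        fi
    done
    return $cp_status
}

# Demo with the packages and CVE IDs from the thread. Failure to find a CVE
# is reported, not treated as a script error.
check_package openssl CVE-2022-1292 CVE-2022-2068 || true
check_package httpd CVE-2017-9788 CVE-2022-31813 CVE-2022-28330 CVE-2022-28614 \
    CVE-2022-28615 CVE-2022-29404 CVE-2022-30556 || true
```

Run it on the CentOS 7 host as root, then `yum update openssl httpd` and run it again: the version banner will still read 2.4.6 / 1.0.2k afterwards, and only the changelog result changes. A CVE that is still missing after a full update on an out-of-support distro has no fix coming from the distro, which is the point behind the migration advice above. Where a repository publishes errata metadata, `yum updateinfo list cves` is the other way to ask the same question, but that metadata is not something every CentOS mirror carries.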