Good morning,
Is the Nagios XI product natively integrated with Log4, as there is an active exploit in the wild being used? I could not find any evidence that we had seen integration to this product, but our security team would like confirmation from the Nagios team.
Thank you,
Joseph S.
Nagios xi log4 native use?
-
- Posts: 2
- Joined: Thu Jun 03, 2021 7:05 am
Re: Nagios xi log4 native use?
Would like to know also
-
- Posts: 173
- Joined: Mon Jul 24, 2017 12:00 pm
Re: Nagios xi log4 native use?
I have the same question
-
- Posts: 32
- Joined: Tue Aug 04, 2020 9:37 am
- Location: Bucharest
Re: Nagios xi log4 native use?
Hi,
I get the same question from the customers. It would help to know if the products are impacted and if there's a patch to apply.
Thanks!
-
- Posts: 1
- Joined: Wed Sep 03, 2014 6:52 am
Re: Nagios xi log4 native use?
Same here, when I run a detection script, it states that package liblog-log4perl-perl 1.50-1 should be checked.
-
- Posts: 43
- Joined: Mon Jan 09, 2017 9:17 am
Re: Nagios xi log4 native use?
Can't say I'm familiar with the CVE to know 100%, but from what I can tell, it's a simple case of updating your log4j package to >=2.15.0.
My Nagios server (pre-built Hyper-V VM image, IIRC) doesn't have log4j installed via yum, so based on that, I'm in the clear.
Would definitely be nice to get the devs' input to be 100%.
Code:
yum list installed | grep -i log4j
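A package-manager query only sees packages installed through the package manager; a jar bundled inside an application directory is not listed. The script below is an added example, not part of the post above and not Nagios code: it searches a directory tree for `log4j-core` jars by file name and compares each version with the 2.15.0 threshold quoted above. The function names, the `FIXED_VERSION` variable and the sample tree are assumptions made for illustration, and `sort -V` requires GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not Nagios code): look for log4j-core jars on disk, since a
# jar bundled inside an application never shows up in `yum list installed`.
# Matching is on the log4j-core file name, so unrelated packages whose names
# merely contain "log4" (e.g. Perl's Log::Log4perl) are not reported.

FIXED_VERSION="${FIXED_VERSION:-2.15.0}"   # threshold quoted in the post above

# version_lt A B: true when version A sorts strictly before version B
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# scan_log4j DIR: print "STATUS VERSION PATH" for every log4j-core jar under DIR
scan_log4j() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver="${jar##*/log4j-core-}"   # strip directory and name prefix
        ver="${ver%.jar}"             # strip extension, leaving the version
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "BELOW_FIXED $ver $jar"
        else
            echo "OK $ver $jar"
        fi
    done
}

# make_sample_tree DIR: constructed test data (empty files with jar-like names)
make_sample_tree() {
    mkdir -p "$1/opt/app/lib" "$1/usr/share/java" "$1/usr/share/perl5/Log"
    : > "$1/opt/app/lib/log4j-core-2.14.1.jar"
    : > "$1/usr/share/java/log4j-core-2.15.0.jar"
    : > "$1/usr/share/perl5/Log/Log4perl.pm"
}

# Run as a script with a directory argument to scan that tree.
if [ -n "${1:-}" ]; then
    scan_log4j "$1"
fi
```

A file-name match does not see jars nested inside other archives (fat jars, WAR files), so an empty result narrows the search rather than closing it.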
-
- Posts: 5324
- Joined: Wed Aug 22, 2018 4:39 pm
- Location: saint paul
Re: Nagios xi log4 native use?
Hi Joseph,
Thanks for reaching out on this issue. It's a Java application, and on a clean, default installation of Nagios XI, we would not have any Java-based packages installed in Nagios XI.
Here is my reply from an earlier thread with more information that references all of our products.
Nagios Enterprises takes data security and information integrity very seriously. Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228.
We have updated our company blog with important information on this issue.
https://www.nagios.com/news/2021/12/upd ... erability/
While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products, they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don't believe the product is vulnerable at this time.
Due to the complexity and flexibility of our products and their ability to integrate into a wide variety of environments, care should be taken to limit the exposure of systems to trusted entities.
As always, we also recommend that you keep your system up to date and follow the guidance of your operating system vendor and integrated application providers as is appropriate for your environment.
If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check our security page for updates.
https://www.nagios.com/products/security/
Regards,
Benjamin
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!