We are getting flagged by our security team for 3 new CVEs added by CISA targeting Nagios xi
https://www.cisa.gov/uscert/ncas/curren ... es-catalog
CVE-2021-25296 Nagios xi OS Command Injection Vulnerability
CVE-2021-25297 Nagios xi OS Command Injection Vulnerability
CVE-2021-25298 Nagios xi OS Command Injection Vulnerability
I know these normally get fixed by the minor version releases, but since there is no set schedule I know of for those releases I wanted to ask a few questions I can take back to my risk management.
1. Is Nagios aware of these CVEs to correct them in the next update?
2. Will that update be out by the February 1st CISA action due date?
xi CVEs
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: xi CVEs
1. Yes, please see here next to each for the remediation:
https://www.nagios.com/products/security/
What xi version is your system running? You can find it on the bottom left hand side after logging in.
What OS version is the xi server running?
2. They should be fixed if you upgrade to the latest version of xi and upgrade the wizards/components to the latest in Admin > Manage Components and Admin > Manage Wizards. I'll know more based on your responses above.
uname -a
cat /etc/*release
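One way to turn the version check above into a repeatable script for the risk-management record, as an added example that is not from this thread or from Nagios: it collects the OS details asked for here and compares the installed XI version with the fixed version listed on the Nagios security page. It assumes XI records its version in /usr/local/nagiosxi/var/xiversion on a `full=` line; FIXED_VERSION is a placeholder to be filled in from that page.

```sh
#!/bin/sh
# Added example (not from the forum thread): compare the installed Nagios XI
# version with the fixed version published at
# https://www.nagios.com/products/security/ for CVE-2021-25296/25297/25298.
# Assumptions: the xiversion file path below; FIXED_VERSION is a placeholder
# that must be replaced with the real dotted version from that page.
XIVERSION_FILE="${XIVERSION_FILE:-/usr/local/nagiosxi/var/xiversion}"

# version_ge A B: return 0 if dotted version A >= B, comparing components
# numerically (so 5.8.10 > 5.8.7); missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# installed_xi_version FILE: print the value of the first full= line.
installed_xi_version() {
    [ -r "$1" ] || return 1
    sed -n 's/^full=//p' "$1" | head -n 1
}

# check_xi FILE FIXED: print a verdict; 0 = at/above fixed, 1 = upgrade, 2 = unknown
check_xi() {
    installed=$(installed_xi_version "$1" || true)
    if [ -z "$installed" ]; then
        echo "cannot read Nagios XI version from $1"; return 2
    fi
    if version_ge "$installed" "$2"; then
        echo "Nagios XI $installed >= fixed $2: not affected by version"; return 0
    fi
    echo "Nagios XI $installed < fixed $2: upgrade required"; return 1
}

# Stand-alone run, only when FIXED_VERSION is supplied in the environment:
# also print the OS details the support thread asks for.
if [ -n "${FIXED_VERSION:-}" ]; then
    uname -a
    cat /etc/*release 2>/dev/null
    check_xi "$XIVERSION_FILE" "$FIXED_VERSION"
fi
```

Run it as `FIXED_VERSION=<version from the security page> sh check_xi.sh`; the exit status (0, 1 or 2) can be recorded directly in the risk register.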
- Posts: 103
- Joined: Wed Aug 05, 2020 11:39 am
Re: xi CVEs
Nagios 5.8.7 and RHEL 8.4. And that's perfect, I had no idea that page or in fact the wizard update existed. Looking at versions, it looks like we're already covered. Thank you!
- Dreams In Code
- Posts: 7682
- Joined: Wed Feb 11, 2015 12:54 pm
Re: xi CVEs
You should not be vulnerable based on that.
Let us know when we're okay to close this ticket.
Thank you!
- Posts: 103
- Joined: Wed Aug 05, 2020 11:39 am
Re: xi CVEs
You're good to lock this thread. Thank you!