==================================================================== CERT-Renater Note d'Information No. 2018/VULN387 _____________________________________________________________________ DATE : 16/11/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.5.7. ===================================================================== https://www.nagios.com/downloads/nagios-xi/change-log/?gclid=CjwKCAiAiarfBRASEiwAw1tYv5k4XAv-rJKVWv3XzeZ2UKouuF0J040fnWiVEJJKl9OQPWLB08wt_hoCDwIQAvD_BwE _____________________________________________________________________ Nagios XI Change Log 5.5.7 - 11/13/2018 Fixed privilege escalation security vulnerability in MRTG graphing component by running as nagios user/group (thanks Daniel Sayk of Telekom Security) [TPS#13778] -JO Fixed security vulnerability with API key regeneration function allowing non-admins to regenerate other user's API keys (thanks Chris Lyne of Tenable) [TPS#13780] -JO Fixed security vulnerability in BPI's api_tool.php where the script could be accessed through the web server (thanks Chris Lyne of Tenable) [TPS#13780] -JO Fixed security vulnerability in command subsystem with some commands not being escaped properly (thanks Chris Lyne of Tenable) [TPS#13780] -JO Fixed security vulnerability in Auto Discovery component where some commands not being escaped properly (thanks Chris Lyne of Tenable) [TPS#13780] -JO Fixed XSS security vulnerabilities in the interface (thanks Chris Lyne of Tenable) [TPS#13780] -JO Fixed old lock file location in snapshots by restoring lock file setting on snapshot restore [TPS#13795] -JO Fixed Notes and Actions URL button links URL encoding in Host/Service Status pages [TPS#13802] -JO Fixed Core issue (#572) causing service recovery emails to be sent when a initial notification wasn't sent. [TPS#13805] -SW Fixed Core issue (#575) where soft recovery states did not apply for services -JO Fixed issue in API where hostgroup/servicegroup scheduled downtime would not schedule service downtimes [TPS#13818] -JO Fixed BPI service group sync to not add empty service groups that cause an error on the screen [TPS#13777] -JO Fixed BPI issue with the processing of subgroups applied to multiple groups failing to set proper status [TPS#13816] -JO ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================