
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN412
_____________________________________________________________________

DATE                : 17/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.7.2.

=====================================================================
https://www.nagios.com/downloads/nagios-xi/change-log/
_____________________________________________________________________

5.7.2 - 07/14/2020

    Updated NDO to 3.0.2 to fix issues with slow startup with large
systems and truncating tables -SAW,JO

    Fixed NDO issue where renaming hosts and services with
uppercase/lowercase letters caused inconsistencies [TPS#15205] -SAW,JO

    Fixed restricting access to auto deploy output JSON files -JO

    Fixed brevity settings for objects/hoststatus and
objects/servicestatus when using outputtype=xml -JO

    Fixed issue with NDO connection in Nagios XI using latin1 as default
charset instead of utf8 -JO

    Fixed error updating audit log when removing a user [TPS#15172] -JO

    Fixed warning/critical toggle button icon placement on Highcharts
graphs with single dataset [TPS#15175] -JO

    Fixed XML brevity causing issues with Mass Acknowledge and other
systems that rely on XML data [TPS#15179] -JO

    Fixed displaying inactive objects that have been disabled in
nagios_objects table -JO

    Fixed security vulnerability with audio import directory allowing
php files to be uploaded/run from that directory (thanks @TactiFail) -JO

    Fixed XSS security vulnerability in background color in Dashboards
(thanks @TactiFail) -JO

    Fixed XSS security vulnerability in Config Management > Edit Config
page in BPI component (thanks @TactiFail) -JO

    Fixed XSS security vulnerability in Graph Explorer link url option
(thanks ERNW) -JO

    Fixed RCE vulnerability with ajaxhelper.php when running certain
commands through cmdsubsys (thanks ERNW) -JO

    Fixed issue where the "Check for Updates" button on
Wizards/Components was not checking latest XI 5.7 versions -JO

    Fixed Top Alert Producers report not showing on CentOS 8 / MySQL
5.7+ [TPS#15202] -JO

    Fixed LDAP integration missing function causing a PHP error when
trying to import users from LDAP -JO

    Fixed backend cache causing problems when empty data was returned -JO

    Fixed mod_gearman issue with NDO3 causing it to not use the
mod_gearman module -SAW

    Fixed ansible version issue for Auto Deployment component on Ubuntu
16 and Debian 9 systems [TPS#15200] -JO

    Fixed issue with PHP 7 and Scheduling Queue page not showing up
properly -JO

    Fixed python setup for Ubuntu 20 systems which have both Python 2
and Python 3 installed -JO

    Fixed NagVis installation issue with Ubuntu 20 and CentOS/RHEL 8 due
to using Python 3 -JO

    Fixed Manage Deployed Agents page where OS version would not always
update or add when adding new agents [TPS#15192] -JO

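Deciding whether a host is affected by this note comes down to comparing its Nagios XI version against 5.7.2, which is easy to get wrong with plain string comparison ("5.7.10" sorts before "5.7.2" as text). The following is an added example of a correct check, written for this note and not part of Nagios XI or of the original changelog; the `xiversion` file layout it reads (key=value lines such as `full=5.7.1`, assumed to live at /usr/local/nagiosxi/var/xiversion) and the sample content are assumptions.

```python
import re
from typing import Optional, Tuple

# First version carrying the fixes listed in this note.
FIXED_VERSION = (5, 7, 2)

# Accepts "5.7.2", "5.7", "v5.7.10" and "5.7.2-beta1"; a four-part number
# such as "5.7.2.1" is deliberately not matched so it cannot be misread.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(-?[A-Za-z][A-Za-z0-9.-]*)?\s*$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a version string into a tuple that compares correctly.

    The fourth element is 0 for a final release and -1 when a pre-release
    suffix is present, so "5.7.2-beta1" sorts before "5.7.2".  Returns None
    when the text is not a version at all.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    final = -1 if suffix else 0
    return (int(major), int(minor), int(patch or 0), final)


def is_affected(version_text: str) -> Optional[bool]:
    """True if older than FIXED_VERSION, False if fixed, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION + (0,)


def version_from_xiversion(content: str) -> Optional[str]:
    """Extract the 'full' version from key=value lines (assumed file format)."""
    for line in content.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "full":
            return value.strip()
    return None


# Constructed sample of the assumed xiversion file, used only for this example.
SAMPLE_XIVERSION = "full=5.7.1\nmajor=5\nminor=7\npatch=1\n"


def check_sample() -> Optional[bool]:
    """Run the check over the constructed sample; a vulnerable host gives True."""
    version = version_from_xiversion(SAMPLE_XIVERSION)
    return None if version is None else is_affected(version)
```

On a real host the same logic reads the assumed file with `open("/usr/local/nagiosxi/var/xiversion")` in place of `SAMPLE_XIVERSION`; a `None` result should be reported as "unknown" rather than silently treated as patched.
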
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
