
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN593
_____________________________________________________________________

DATE                : 05/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nagios XI versions prior to 5.8.7.

=====================================================================
https://www.nagios.com/downloads/nagios-xi/change-log/
_____________________________________________________________________

5.8.7 - 11/02/2021

    Updated install to support Debian 11 systems -JO
    Updated System Settings for "allow html" to separate options for
     status and comments under Other Settings and added a warning -JO
    Updated migrate.php script to ensure that the nagios_bundler.py is
     not a security issue by copying it after tarball extraction -JO
    Updated NRDP to version 2.0.5 to fix issue with receiving spooled
     passive checks [TPS#15621] -JO
    Updated NSCA to version 2.10.1 to fix security issues -SAW
    Fixed issue with "Finish as Template" button not adding services due
     to new wizards using json encode/decode rather than serialize
     [TPS#15635] -JO
    Fixed capacityplanning.py giving out a lot of ValueErrors when
     pending checks are just starting to run -JO
    Fixed XSS vulnerability in Nagios Core ui by patching Core for XI
     systems with escape_string() -JO
    Fixed XSS vulnerability in SSH Terminal page url parameter and the
     Account Information page api_key parameter -JO
    Fixed XSS vulnerability in Audit Log page Send to NLS form -JO
    Fixed security permissions issue with apache user and temp directory
     used by Highcharts -JO
    Fixed security permissions issue with nocscreen component sounds
     directory -JO
    Fixed manage_services.sh script vulnerability with systemctl not
     using the --no-pager option -JO
    Fixed issue where cloning user would not clone the user's meta data
     [TPS#15617] -JO
    Fixed bulk modifications issue when trying to remove Free Variables
     [TPS#15653] -JO
    Fixed sysstat data on systemd systems when XML entities are in the
     output text causing the Admin > System Status to show "No Data"
     [TPS#15657] -JO
    Fixed issue with cfgmaker with contact/location newlines causing it
     not to work [TPS#15666] -JO,SS
    Fixed various security issues (thanks chenhuiliang@qianxin.com and
     chenruiqi@qianxin.com from Codesafe Team of Legendsec at Qi'anxin
     Group):
    Fixed various XSS vulnerabilities in the auditlog.php admin page -JO
    Fixed SQL injection possibility in mib_name parameter when uploading
     new MIBs in Manage MIBs page -JO
    Fixed XSS vulnerability in the Admin > system performance settings
     page -JO
    Fixed XSS vulnerabilities in the Admin > system settings page -JO
    Fixed XSS vulnerability in ajax.php script in CCM 3.1.5 -JO
    Fixed security vulnerability in nagiosna component in version 1.4.5
     -JO
    Fixed security vulnerability in MTR component in version 1.0.4 -JO
    Fixed security issue in NRDS with version 1.2.8 -JO
    Core Config Manager (CCM) - 3.1.5

    Fixed Down stalking option not working for Host Templates in Alert
     Settings tab [TPS#15625] -JO
    Fixed XSS vulnerability in ajax.php script -JO
    Fixed issue with case insensitivity in regards to host/service names
     when importing configs (or running wizard) [TPS#15620] -JO


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
