Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Debian: DLA-1615-1 critical: nagios3 XSS and DoS Security Update

debian lts
Calendar Grey December 24, 2018
Dist Debian Esm H88
Secure your Nagios3 installation on Debian 8 by addressing XSS and DoS vulnerabilities through updates, patches, and access restrictions for enhanced security
Several issues were corrected in nagios3, a monitoring and management system for hosts, services and networks

Summary

Maximilian Boehner of usd AG found a cross-site scripting (XSS)
vulnerability in Nagios Core. This vulnerability allows attackers to place malicious JavaScript code into the web frontend through
manipulation of plugin output. In order to do this the attacker
needs to be able to manipulate the output returned by nagios
checks, e.g. by replacing a plugin on one of the monitored
endpoints. Execution of the payload then requires that an
authenticated user creates an alert summary report which contains
the corresponding output.

CVE-2016-9566

It was discovered that local users with access to an account in
the nagios group are able to gain root privileges via a symlink
attack on the debug log file.

CVE-2014-1878

An issue was corrected that allowed remote attackers to cause a
stack-based buffer overflow and subsequently a denial of service
(segmentation fault) via a long message to cmd.cgi.

CVE-2013-7205 | CVE-2013-7108

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: nagios3
Version: 3.5.1.dfsg-2+deb8u1
CVE ID: CVE-2013-7108 CVE-2013-7205 CVE-2014-1878
Debian Bug: 771466 823721 917138

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.