As always, our cybersecurity, development, and testing teams here at Nagios are constantly investigating every potential and credible threat to our software. We are aware of and closely monitoring the current Apache Log4j exploit.
Currently, we are evaluating our use of Apache products and our exposure to the vulnerability described in CVE-2021-44228. While Nagios Core, Nagios XI, and Fusion use or depend upon Apache products, they do not appear to be using vulnerable versions of the products as identified in the MITRE notification. While Nagios Log Server does use Log4j components and includes plugins for receiving Log4j data, we don’t believe the product is vulnerable at this time.
At this time, we have not discovered any impact on Nagios XI and Nagios Network Analyzer. We are verifying whether there is any impact on Nagios Log Server. All our products use a version of Log4j that is not included in the known vulnerability, but we are nevertheless conducting rigorous tests.
If we discover any vulnerabilities in Nagios software, we will immediately respond and release a fix ASAP. Please check back here for updates. You can follow us and get real-time updates on Twitter, Facebook, or LinkedIn, if there is any new information to share.
In the meantime, we want to remind you that it has always been and continues to be important to not expose your instances of any of our products to the world wide web. Maintaining proper network security protocols will drastically reduce your vulnerability to security exploits. For more information on how to approach network security, see our article, 6 Cybersecurity Questions to Answer Before You Open Ports to the Public.