• Nagios Fusion Change Log

    The following are the recent changes to Nagios Fusion

4.1.9 - 02/09/2021

  • Updated the supported OS systems for RHEL/CentOS 8, CentOS Stream, Ubuntu 20.04 LTS, and Debian 10 -JO
  • Fixed issue where TLS/SSL wasn't showing in LDAP/AD Integration page for servers with encryption selected [TPS#14734] -JO
  • Fixed issue where Service Status dashlet would not show data unless users had access to host data [TPS#15420] -SAW
  • The following vulnerabilities were mitigated: (Thanks to Shahar Zini and Samir Ghanem from Skylight Cyber Security for reporting them)
  • Fixed XSS in several dashlets when attacker has control over fused server (CVE-2020-28903) - SAW
  • Fixed authenticated remote code execution (from the context of a low-privilege user) (CVE-2020-28905) - SAW
  • Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28902) - SAW
  • Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28901) - SAW
  • Fixed privilege escalation from nagios to root via upgrade_to_latest.sh (CVE-2020-28900) - SAW
  • Fixed privilege escalation from apache to root via upgrade_to_latest.sh and modification of proxy config (CVE-2020-28907) - SAW
  • Fixed privilege escalation from nagios to root via modification of fusion-sys.cfg (CVE-2020-28906) - SAW
  • Fixed privilege escalation from nagios to root via modification of scripts sudoers scripts (CVE-2020-28909) - SAW
  • Fixed privilege escalation from apache to nagios via command injection in cmd_subsys.php (CVE-2020-28908) - SAW
  • Fixed information disclosure - low-privilege user can discover passwords used to authenticate to fused servers (CVE-2020-28911) - SAW

4.1.8 - 12/03/2019

  • Added option to stop polling when users are not logged in to stop large systems polling unnecessarily causing slowdowns -JO
  • Added missing fullscreen button to most pages like in other products [TPS#12316] -SAW
  • Updated SourceGuardian loaders to now support PHP versions up to 7.3 -JO
  • Updated jQuery to a patched version 1.12.4 to fix CVE-2019-11358 -JO
  • Fixed wording for encryption STARTTLS in LDAP/AD Integration -JO
  • Fixed bug causing ?brevity=1 to be appended (and ignored) when building polling URLs -BH,SW
  • Fixed issue with LDAP/AD certificate management when binary data is in the certificate [TPS#14690] -JO
  • Fixed issue with mapped user list not displaying when setting the current users mapped users [TPS#14561] -JO

4.1.7 - 02/14/2019

  • Fixed bug preventing # in usernames and passwords of linked Nagios XI servers [TPS#13812] -SW
  • Fixed forgot password link always giving an error about AD/LDAP when entering even a local user [TPS#13902] -SW
  • Fixed issue with newer Debian 9 os-release not passing as a valid OS for install -JO
  • Fixed problems with backup/restore script errors for apache cron jobs [TPS#13885] -JO
  • Fixed admins not able to remove synced deploayed dashboards from themselves [TPS#14016] -JO

4.1.6 - 11/20/2018

  • Major performance increases with large number of mapped users -BH
  • Fixed new user created email to show actual username [TPS#13680] -JO
  • Fixed link color to be easier to read in dashlets [TPS#12596] -SW

4.1.5 - 08/07/2018

  • Change Custom URL dashlet to not be a core dashlet allowing it to be removed [TPS#13412] -SW
  • Fixed BPI dashlet showing broken data when only one BPI group exists on the XI server [TPS#13380] -JO
  • Fixed adding new users with AD/LDAP from the API [TPS#13467] -JO
  • Fixed allowing local auth login for AD/LDAP users when local auth login checkbox has not been checked [TPS#13469] -JO
  • Fixed performance graph dashlet not working with XI 5.5+ systems [TPS#13457] -JO
  • Fixed XSS in fusionwindow parameter [TPS#13368] -JO

4.1.4 - 06/14/2018

  • Update initial install mysql settings [TPS#13160] -JO
  • Fixed issue where manage views listing was always limited to 10 views [TPS#13156] -JO
  • Fixed various XSS vulnerabilities [TPS#13332-13335] -JO

4.1.3 - 03/15/2018

  • Fixed issue where AD/LDAP component displayed a blank screen when attempting to login with incorrect credentials [TPS #13023] -CN
  • Fixed some XSS vulnerabilities [TPS #13001] -CN,BH
  • Fixed issue where fusing an NLS server would show a blank Tactical Overview dashlet on the home page [TPS #13066] -CN
  • Fixed issue where the Host&Service Health dashlet would display incorrect data if a server returned an empty data set. [TPS #13081,13100] -CN,BH
  • Fixed indefinite log rotate (*.gz.1.gz.1.gz.1, etc.) [TPS#13061] -BH,LM

4.1.2 - 02/20/2018

  • Fixed some wording in updates section -JO
  • Fixed some miscellaneous upgrade issues in the 4.1.0 -> 4.1.1 path -BH
  • Added message to NLS dashlets to indicate when there is no dashlet data to display -CN
  • Added ability to scroll in the NLS Index Statistics dashlet -CN

4.1.1 - 02/16/2018

  • Added the ability to manage authentication types in the Add/Edit User pages -CN
  • Added the ability to add AD/LDAP users through the API -CN
  • Now show the authentication type of any given user on the Manage Users page - BH

4.1.0 - 02/15/2018

  • Added license activation and added activation from inside the license pages -JO
  • Added check for upgrades page/dashlet like other products -JO
  • Added upgrade from the GUI like other products -JO
  • Added proxy configuration page for updates, activation, and maintenance checks -JO
  • Added AD/LDAP authentication component [TPS #12510] - CN
  • Added several dashlets for integration with Nagios Log Server [TPS #12805] -CN
  • Added API & various endpoints [TPS #12856] -CN
  • Added way to monitor and clear polling locks from the admin menu [TPS #12675] -CN
  • Added fix for large mysql ibdata files -BH
  • Updated Views rotation timer to not use previous 'internal clock'. [TPS#12589] -SAW
  • Updated fusion to not rely on a 'nagiosadmin' user [TPS#12606] -SAW
  • Updated custom home page to allow external sites [TPS#12553] -SAW
  • Fixed administrators being able to be excluded (can no longer be excluded from seeing server data) [TPS#12569] -SAW
  • Fixed nagiosadmin so it cannot be unset as admin. Admins also cannot unset themselves in general [TPS#12606] -SAW
  • Fixed polling lock expiry time not being checked properly -BH
  • Fixed NSP error on login and javascript errors in IE -JO

4.0.1 - 10/05/2017

  • Update debug log to output proper global_auth_interval -JO
  • Added sanity testing script -BH
  • Added sanity tests to upload component/dashlets to detect errors and prevent installation [TPS#12243] -BH
  • Fixed xss vulnerabilties in users/servers (+ some) [TPS#12246,12247] -BH
  • Fixed exclusions/server mappings working on newly created users [TPS#12395] -BH
  • Fixed trial extension [TPS#12254] -BH
  • Fixed locale being unable to reset to en_US after selecting another [TPS#12209] -BH
  • Changed 'Force password change' default on edit user [TPS#12396] -BH
  • Fixed home/screen overwrite issue with deployed dashboards [TPS#12212] -BH
  • Fixed upgrade issues with sourceguardian loader -BH
  • Add ability to use relative paths in sys generated URLs [TPS#12481] -BH

4.0.0 - 07/17/2017

  • Initial re-write release -BH
  • Completely rewrote Polling System, with configurable options in Admin/Settings (or per server) -BH
  • Rewrote Network Operations Center component -BH
  • Recreated existing dashlets -BH
  • Built similar component/dashlet systems as in XI -BH
  • Changed Manage Components / Manage Dashlets to be similar to XI -BH
  • Added Views functionality like in XI -BH
  • Added user mapping (to allow for true multitenancies. User can only see what the mapped user can see) -BH
  • Added poll callbacks (to hook functionality in to polling subsystem) -BH
  • Added averages/deltas to numeric polled data (as a callback) -BH
  • Added ability to track timezone per server, so that display times are accurate -BH,JO
  • Added clickthru links to NOC dashlets, Alert dashlets, and Tactical dashlets -BH
  • Added Custom Logo component -BH
  • Added Custom Login component -BH
  • Added Home Page Modification component -BH
  • Added Deploy Dashboards component (with a 'Deployed/Synced Dashboards' page as well) -BH
  • Added 'Test Fusion Settings' to Servers page -BH
  • Added better auto-login functionality -BH,JO
  • Added CSRF prevention when adding an XI server -JO
  • Added better logging system and Admin/Log page -BH
  • Added better Dashlet system (all dashlets have on-the-fly changeable settings, etc.) -BH
  • Added static landing page -BH
  • Fixed license system -JO