OP5 Monitor information about recent vulnerabilities CVE-2016-9566 and CVE-2016-9565

December 20, 2016 Fredrik Mikker

It has come to our attention that recent CVEs has been affecting Nagios and by this post we would like to address if these issues apply to OP5 Monitor and Naemon.

 

CVE-2016-9565, Curl Command Injection / Remote Code Execution:

Does not affect OP5 Monitor since the affected parts do not exist in OP5 Monitor.

 

CVE-2016-9566, Root Privilege Escalation:

Does not affect OP5 Monitor version 7.0.6 or later since OP5 Monitor does not start the Naemon service as root, thus this privilege escalation can not be used.

User running versions prior to OP5 Monitor 7.0.6 are recommended to upgrade to mitigate CVE-2016-9566.

Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9565
https://legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9566
https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html