CVE-2021-37698 – Missing TLS service certificate validation in GelfWriter, ElasticsearchWriter, InfluxdbWriter and Influxdb2Writer
https://notcve.org/view.php?id=CVE-2021-37698
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading. • https://github.com/Icinga/icinga2/releases/tag/v2.11.11 https://github.com/Icinga/icinga2/releases/tag/v2.12.6 https://github.com/Icinga/icinga2/releases/tag/v2.13.1 https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-295: Improper Certificate Validation •
CVE-2021-32743 – Passwords used to access external services inadvertently exposed through API
https://notcve.org/view.php?id=CVE-2021-32743
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. • https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVE-2021-32739 – Results of queries for ApiListener objects include the ticket salt which allows in turn to steal (more privileged) identities
https://notcve.org/view.php?id=CVE-2021-32739
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. • https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5 https://icinga.com/blog/2021/07/02/releasing-icinga-2-12-5-2-11-10 https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html • CWE-267: Privilege Defined With Unsafe Actions CWE-269: Improper Privilege Management •
CVE-2020-29663
https://notcve.org/view.php?id=CVE-2020-29663
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3. Icinga versiones 2 v2.8.0 hasta v2.11.7 y versión v2.12.2, presenta un problema en donde los certificados revocados que deben renovarse serán renovados automáticamente, ignorando la CRL. Este problema es corregido en Icinga versiones 2 v2.11.8 y v2.12.3 • https://github.com/Icinga/icinga2/compare/v2.12.1...v2.12.2 https://github.com/Icinga/icinga2/security/advisories/GHSA-pcmr-2p2f-r7j6 • CWE-295: Improper Certificate Validation •
CVE-2020-14004
https://notcve.org/view.php?id=CVE-2020-14004
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user. Se detectó un problema en Icinga2 versiones anteriores a v2.12.0-rc1. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00014.html http://www.openwall.com/lists/oss-security/2020/06/12/1 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-14004 https://github.com/Icinga/icinga2/compare/v2.12.0-rc1...master https://github.com/Icinga/icinga2/pull/8045/commits/2f0f2e8c355b75fa4407d23f85feea037d2bc4b6 https://github.com/Icinga/icinga2/releases • CWE-59: Improper Link Resolution Before File Access ('Link Following') •