[Pkg-nagios-devel] Bug#991494: icinga2: CVE-2021-32739 CVE-2021-32743
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 25 20:08:17 BST 2021
Source: icinga2
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for icinga2.
CVE-2021-32739[0]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. From version 2.4.0 through version 2.12.4, a
| vulnerability exists that may allow privilege escalation for
| authenticated API users. With a read-only user's credentials, an
| attacker can view most attributes of all config objects including
| `ticket_salt` of `ApiListener`. This salt is enough to compute a
| ticket for every possible common name (CN). A ticket, the master
| node's certificate, and a self-signed certificate are enough to
| successfully request the desired certificate from Icinga. That
| certificate may in turn be used to steal an endpoint or API user's
| identity. Versions 2.12.5 and 2.11.10 both contain a fix for the
| vulnerability. As a workaround, one may either specify queryable types
| explicitly or filter out ApiListener objects.
https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5
CVE-2021-32743[1]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. In versions prior to 2.11.10 and from version 2.12.0
| through version 2.12.4, some of the Icinga 2 features that require
| credentials for external services expose those credentials through the
| API to authenticated API users with read permissions for the
| corresponding object types. IdoMysqlConnection and IdoPgsqlConnection
| (every released version) expose the password of the user used to
| connect to the database. IcingaDB (added in 2.12.0) exposes the
| password used to connect to the Redis server. ElasticsearchWriter
| (added in 2.8.0) exposes the password used to connect to the
| Elasticsearch server. An attacker who obtains these credentials can
| impersonate Icinga to these services and add, modify and delete
| information there. If credentials with more permissions are in use,
| this increases the impact accordingly. Starting with the 2.11.10 and
| 2.12.5 releases, these passwords are no longer exposed via the API. As
| a workaround, API user permissions can be restricted to not allow
| querying of any affected objects, either by explicitly listing only
| the required object types for object query permissions, or by applying
| a filter rule.
https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32739
[1] https://security-tracker.debian.org/tracker/CVE-2021-32743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32743
Please adjust the affected versions in the BTS as needed.
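Both advisories above give the same interim mitigation for hosts that cannot upgrade yet: stop read-only API users from querying the object types that carry secrets (ApiListener for the ticket salt; IdoMysqlConnection, IdoPgsqlConnection, IcingaDB and ElasticsearchWriter for service passwords). The following ApiUser definitions are an added illustration, not text from the advisory, the bug report or the icinga2 project. The object names and the password value are placeholders; the permission strings (`objects/query/<Type>`, `status/query`) are the documented Icinga 2 ApiUser permission names.

```icinga2
/* Added example, not from the advisory or the icinga2 sources.
   Object names and the password are placeholders. */

/* Weak: a wildcard query permission. On 2.4.0..2.12.4 (and pre-2.11.10)
   this user can read ApiListener.ticket_salt and the database, Redis and
   Elasticsearch passwords of the writer/connection objects. */
object ApiUser "dashboard-readonly-weak" {
  password = "CHANGE-ME"
  permissions = [ "objects/query/*", "status/query" ]
}

/* Hardened: enumerate only the object types the consumer really needs.
   ApiListener, IdoMysqlConnection, IdoPgsqlConnection, IcingaDB and
   ElasticsearchWriter are simply not queryable by this user. */
object ApiUser "dashboard-readonly" {
  password = "CHANGE-ME"
  permissions = [
    "objects/query/Host",
    "objects/query/Service",
    "objects/query/HostGroup",
    "objects/query/ServiceGroup",
    "status/query"
  ]
}
```

After reloading the daemon, confirm the change took effect by authenticating as the hardened user and requesting the ApiListener type through `/v1/objects/` (for example `GET /v1/objects/apilisteners`, assuming the usual lowercase-plural endpoint naming); the request should be refused for lack of permission, while `/v1/objects/hosts` still succeeds. Upgrading to 2.11.10 or 2.12.5 remains the real fix: only those releases stop serving the password attributes at all, whereas the permission change merely narrows who can ask for them.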