Source: icinga2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for icinga2.

CVE-2021-32739[0]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. From version 2.4.0 through version 2.12.4, a
| vulnerability exists that may allow privilege escalation for
| authenticated API users. With a read-only user's credentials, an
| attacker can view most attributes of all config objects including
| `ticket_salt` of `ApiListener`. This salt is enough to compute a
| ticket for every possible common name (CN). A ticket, the master
| node's certificate, and a self-signed certificate are enough to
| successfully request the desired certificate from Icinga. That
| certificate may in turn be used to steal an endpoint or API user's
| identity. Versions 2.12.5 and 2.11.10 both contain a fix for the
| vulnerability. As a workaround, one may either specify queryable types
| explicitly or filter out ApiListener objects.

https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5

CVE-2021-32743[1]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. In versions prior to 2.11.10 and from version 2.12.0
| through version 2.12.4, some of the Icinga 2 features that require
| credentials for external services expose those credentials through the
| API to authenticated API users with read permissions for the
| corresponding object types. IdoMysqlConnection and IdoPgsqlConnection
| (every released version) expose the password of the user used to
| connect to the database. IcingaDB (added in 2.12.0) exposes the
| password used to connect to the Redis server. ElasticsearchWriter
| (added in 2.8.0) exposes the password used to connect to the
| Elasticsearch server. An attacker who obtains these credentials can
| impersonate Icinga to these services and add, modify and delete
| information there. If credentials with more permissions are in use,
| this increases the impact accordingly. Starting with the 2.11.10 and
| 2.12.5 releases, these passwords are no longer exposed via the API. As
| a workaround, API user permissions can be restricted to not allow
| querying of any affected objects, either by explicitly listing only
| the required object types for object query permissions, or by applying
| a filter rule.

https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32739
[1] https://security-tracker.debian.org/tracker/CVE-2021-32743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32743

Please adjust the affected versions in the BTS as needed.
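Both advisories name the same interim mitigation for unpatched 2.11.x/2.12.x installs: do not grant read-only API users a wildcard object query permission, but list only the object types they actually need, so that ApiListener (ticket_salt) and the IDO, IcingaDB and ElasticsearchWriter objects (service passwords) are never queryable. The following ApiUser definitions are an added illustration written for this report, not configuration shipped by the Icinga project or the Debian package; the user name, password and the chosen set of types are assumed values, and only the explicit-type variant of the workaround is shown (the filter-rule variant is not).

```icinga2
/* Weak: "objects/query/*" lets this read-only user retrieve every
 * config object, including ApiListener.ticket_salt and the password
 * attributes of IdoMysqlConnection, IdoPgsqlConnection, IcingaDB and
 * ElasticsearchWriter objects (CVE-2021-32739, CVE-2021-32743).
 * User name and password below are placeholder values. */
object ApiUser "dashboard-ro-weak" {
  password = "CHANGEME-placeholder"
  permissions = [ "objects/query/*", "status/query" ]
}

/* Mitigated: enumerate only the types the consumer needs. Types not
 * listed here (ApiListener, Ido*Connection, IcingaDB,
 * ElasticsearchWriter, ...) are denied at the permission check, so
 * their sensitive attributes are not returned to this user. */
object ApiUser "dashboard-ro" {
  password = "CHANGEME-placeholder"
  permissions = [
    { permission = "objects/query/Host" },
    { permission = "objects/query/Service" },
    { permission = "objects/query/HostGroup" },
    { permission = "objects/query/ServiceGroup" },
    { permission = "status/query" }
  ]
}
```

After applying a definition like the second one, `icinga2 daemon -C` validates the configuration before a reload, and querying `/v1/objects/apilisteners` with that user's credentials should now be refused rather than returning the ApiListener object. Upgrading to 2.11.10 / 2.12.5 remains the actual fix; the permission change only limits exposure until then.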