Debian Bug report logs - #991494: icinga2: CVE-2021-32739 CVE-2021-32743
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Sun, 25 Jul 2021 19:09:06 UTC
Severity: important
Tags: security, upstream
Found in version icinga2/2.12.3-1
Fixed in version icinga2/2.12.5-1~exp1
Done: Sebastiaan Couwenberg <sebastic@xs4all.nl>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>: Bug#991494; Package src:icinga2. (Sun, 25 Jul 2021 19:09:08 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 25 Jul 2021 19:09:08 GMT)
Message #5 received at submit@bugs.debian.org:
Source: icinga2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for icinga2.
CVE-2021-32739[0]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. From version 2.4.0 through version 2.12.4, a
| vulnerability exists that may allow privilege escalation for
| authenticated API users. With a read-only user's credentials, an
| attacker can view most attributes of all config objects including
| `ticket_salt` of `ApiListener`. This salt is enough to compute a
| ticket for every possible common name (CN). A ticket, the master
| node's certificate, and a self-signed certificate are enough to
| successfully request the desired certificate from Icinga. That
| certificate may in turn be used to steal an endpoint or API user's
| identity. Versions 2.12.5 and 2.11.10 both contain a fix for the
| vulnerability. As a workaround, one may either specify queryable types
| explicitly or filter out ApiListener objects.
https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5
CVE-2021-32743[1]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. In versions prior to 2.11.10 and from version 2.12.0
| through version 2.12.4, some of the Icinga 2 features that require
| credentials for external services expose those credentials through the
| API to authenticated API users with read permissions for the
| corresponding object types. IdoMysqlConnection and IdoPgsqlConnection
| (every released version) exposes the password of the user used to
| connect to the database. IcingaDB (added in 2.12.0) exposes the
| password used to connect to the Redis server. ElasticsearchWriter
| (added in 2.8.0) exposes the password used to connect to the
| Elasticsearch server. An attacker who obtains these credentials can
| impersonate Icinga to these services and add, modify and delete
| information there. If credentials with more permissions are in use,
| this increases the impact accordingly. Starting with the 2.11.10 and
| 2.12.5 releases, these passwords are no longer exposed via the API. As
| a workaround, API user permissions can be restricted to not allow
| querying of any affected objects, either by explicitly listing only
| the required object types for object query permissions, or by applying
| a filter rule.
https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-32739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32739
[1] https://security-tracker.debian.org/tracker/CVE-2021-32743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32743
Please adjust the affected versions in the BTS as needed.
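Both advisories give the same workaround for unpatched 2.11.x/2.12.x: do not hand API users the wildcard object-query permission, but list only the object types they need, so ApiListener (ticket_salt), IdoMysqlConnection/IdoPgsqlConnection, IcingaDB and ElasticsearchWriter objects are not queryable at all. The following ApiUser definitions are an added example of that, written for this page; they are not from the Debian report or the upstream advisories, and the user names, password and the chosen set of types are placeholders to adapt to the consumer at hand.

```conf
/* Weak: "read-only" in name only. objects/query/* lets this user read every
 * config object, including ApiListener.ticket_salt (CVE-2021-32739) and the
 * IDO, Icinga DB and Elasticsearch passwords (CVE-2021-32743). */
object ApiUser "dashboard-weak" {
  password = "CHANGE-ME"          /* placeholder */
  permissions = [ "objects/query/*", "status/query" ]
}

/* Hardened: enumerate exactly the object types the consumer needs. Any type
 * not listed here (ApiListener, the IDO/IcingaDB/Elasticsearch writers,
 * ApiUser, ...) cannot be queried by this user, which is the workaround the
 * advisories recommend until 2.11.10 / 2.12.5 is deployed. */
object ApiUser "dashboard" {
  password = "CHANGE-ME"          /* placeholder */
  permissions = [
    "objects/query/Host",
    "objects/query/Service",
    "objects/query/HostGroup",
    "objects/query/ServiceGroup",
    "status/query"
  ]
}
```

Validate with `icinga2 daemon -C` before reloading, then confirm with the restricted credentials that a query for the ApiListener type is refused while Host queries still succeed. The permission reduction remains good practice after upgrading: the fixed releases stop returning the passwords, but a read-only consumer still has no reason to see the API listener or writer objects.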
Marked as fixed in versions icinga2/2.12.5-1~exp1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Mon, 26 Jul 2021 03:39:06 GMT)
Added tag(s) upstream. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Mon, 26 Jul 2021 03:39:07 GMT)
Reply sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>: You have taken responsibility. (Mon, 26 Jul 2021 03:45:08 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Mon, 26 Jul 2021 03:45:08 GMT)
Message #14 received at 991494-done@bugs.debian.org:
fixed 991494 icinga2/2.12.5-1~exp1
tags 991494 upstream
thanks
These issues are fixed in 2.12.5 which is available in experimental.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Marked as found in versions icinga2/2.12.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2021 04:57:05 GMT)
Last modified: Mon Jul 26 16:17:14 2021