icinga2: CVE-2021-32739 CVE-2021-32743


Debian Bug report logs - #991494


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 25 Jul 2021 19:09:06 UTC

Severity: important

Tags: security, upstream

Found in version icinga2/2.12.3-1

Fixed in version icinga2/2.12.5-1~exp1

Done: Sebastiaan Couwenberg <sebastic@xs4all.nl>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991494; Package src:icinga2. (Sun, 25 Jul 2021 19:09:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Sun, 25 Jul 2021 19:09:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: icinga2: CVE-2021-32739 CVE-2021-32743
Date: Sun, 25 Jul 2021 21:08:17 +0200
Source: icinga2
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for icinga2.

CVE-2021-32739[0]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. From version 2.4.0 through version 2.12.4, a
| vulnerability exists that may allow privilege escalation for
| authenticated API users. With a read-only user's credentials, an
| attacker can view most attributes of all config objects including
| `ticket_salt` of `ApiListener`. This salt is enough to compute a
| ticket for every possible common name (CN). A ticket, the master
| node's certificate, and a self-signed certificate are enough to
| successfully request the desired certificate from Icinga. That
| certificate may in turn be used to steal an endpoint or API user's
| identity. Versions 2.12.5 and 2.11.10 both contain a fix for the
| vulnerability. As a workaround, one may either specify queryable types
| explicitly or filter out ApiListener objects.

https://github.com/Icinga/icinga2/security/advisories/GHSA-98wp-jc6q-x5q5


CVE-2021-32743[1]:
| Icinga is a monitoring system which checks the availability of network
| resources, notifies users of outages, and generates performance data
| for reporting. In versions prior to 2.11.10 and from version 2.12.0
| through version 2.12.4, some of the Icinga 2 features that require
| credentials for external services expose those credentials through the
| API to authenticated API users with read permissions for the
| corresponding object types. IdoMysqlConnection and IdoPgsqlConnection
| (every released version) expose the password of the user used to
| connect to the database. IcingaDB (added in 2.12.0) exposes the
| password used to connect to the Redis server. ElasticsearchWriter
| (added in 2.8.0) exposes the password used to connect to the
| Elasticsearch server. An attacker who obtains these credentials can
| impersonate Icinga to these services and add, modify and delete
| information there. If credentials with more permissions are in use,
| this increases the impact accordingly. Starting with the 2.11.10 and
| 2.12.5 releases, these passwords are no longer exposed via the API. As
| a workaround, API user permissions can be restricted to not allow
| querying of any affected objects, either by explicitly listing only
| the required object types for object query permissions, or by applying
| a filter rule.

https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32739
[1] https://security-tracker.debian.org/tracker/CVE-2021-32743
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32743

Please adjust the affected versions in the BTS as needed.
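Both advisories above reduce to the same two questions for an operator: does my server still hand the secret attribute to a read-only API user, and does my ApiUser's permission list let that user query the affected object types at all? The following is an added example, not code from this bug report, from Icinga 2, or from the advisories. It assumes the attribute names and object types named in the two CVE texts (ticket_salt on ApiListener; password on IdoMysqlConnection, IdoPgsqlConnection, IcingaDB and ElasticsearchWriter), the Icinga 2 API response shape ({"results": [{"type", "name", "attrs"}, ...]}) and its "objects/query/<Type>" permission scheme with '*' as wildcard. The sample responses and permission lists at the bottom are constructed, not captured from a real server.

```python
"""Audit helpers for the two API disclosures reported in Bug#991494.

Added example; not code from the Debian bug report, from Icinga 2, or
from the advisories. Two checks:

  leaked_secrets(body)   - scan the decoded JSON of GET /v1/objects/<type>
                           and list every object that still exposes its
                           secret attribute to the querying user
  exposed_types(perms)   - given an ApiUser's permissions list, report
                           which affected object types an unfiltered
                           objects/query permission lets that user read
                           (the workaround is to list only needed types)

Object types, attribute names and the objects/query/<Type> permission
scheme are taken from the advisories and the Icinga 2 API docs; all
sample data below is constructed.
"""
import fnmatch

# Affected object type -> attribute that carried the secret before 2.11.10 / 2.12.5.
SECRET_ATTRS = {
    "ApiListener": "ticket_salt",        # CVE-2021-32739
    "IdoMysqlConnection": "password",    # CVE-2021-32743
    "IdoPgsqlConnection": "password",
    "IcingaDB": "password",
    "ElasticsearchWriter": "password",
}


def leaked_secrets(body):
    """Return [(type, name, attribute)] for each object in the response's
    'results' list whose secret attribute is present and non-empty.

    A fixed server no longer returns the attribute to the API user, so an
    empty list means a read-only user cannot harvest the secret this way."""
    leaks = []
    for obj in body.get("results", []):
        attr = SECRET_ATTRS.get(obj.get("type"))
        if attr and obj.get("attrs", {}).get(attr):
            leaks.append((obj["type"], obj["name"], attr))
    return leaks


def _required_permission(otype):
    # An object query needs "objects/query/<Type>"; both sides are
    # lower-cased here so the comparison does not depend on case.
    return f"objects/query/{otype}".lower()


def exposed_types(permissions):
    """Return the sorted affected types an ApiUser may query with no filter.

    `permissions` mirrors the ApiUser `permissions` attribute: a list of
    permission strings, or dicts {"permission": ..., "filter": ...}.
    Entries carrying a filter are skipped on purpose: whether that filter
    really excludes the affected objects must be reviewed by hand."""
    exposed = set()
    for entry in permissions:
        if isinstance(entry, dict):
            if entry.get("filter"):
                continue
            pattern = entry.get("permission", "")
        else:
            pattern = entry
        pattern = pattern.lower()
        for otype in SECRET_ATTRS:
            # '*' in a configured permission matches any run of characters
            if fnmatch.fnmatchcase(_required_permission(otype), pattern):
                exposed.add(otype)
    return sorted(exposed)


# --- constructed sample data, not a real capture ---------------------------
SAMPLE_RESPONSE_VULNERABLE = {
    "results": [
        {"type": "ApiListener", "name": "api",
         "attrs": {"ticket_salt": "0123456789abcdef", "bind_port": "5665"}},
        {"type": "IdoMysqlConnection", "name": "ido-mysql",
         "attrs": {"host": "db", "user": "icinga", "password": "s3cret"}},
        {"type": "Host", "name": "web01", "attrs": {"address": "10.0.0.5"}},
    ]
}
# The same objects as a fixed server (2.11.10 / 2.12.5) returns them.
SAMPLE_RESPONSE_FIXED = {
    "results": [
        {"type": "ApiListener", "name": "api", "attrs": {"bind_port": "5665"}},
        {"type": "IdoMysqlConnection", "name": "ido-mysql",
         "attrs": {"host": "db", "user": "icinga"}},
        {"type": "Host", "name": "web01", "attrs": {"address": "10.0.0.5"}},
    ]
}
# Permission lists as they would appear on an ApiUser object.
PERMS_WILDCARD = ["objects/query/*"]                              # exposes all five
PERMS_EXPLICIT = ["objects/query/Host", "objects/query/Service"]  # workaround
PERMS_FILTERED = [{"permission": "objects/query/*", "filter": "<expr>"}]

if __name__ == "__main__":
    print("vulnerable:", leaked_secrets(SAMPLE_RESPONSE_VULNERABLE))
    print("fixed:     ", leaked_secrets(SAMPLE_RESPONSE_FIXED))
    for label, perms in (("wildcard", PERMS_WILDCARD), ("explicit", PERMS_EXPLICIT)):
        print(f"{label}: exposes {exposed_types(perms) or 'nothing'}")
```

To run the first check against a live server, fetch the object list as the read-only user (placeholder host and credentials) with `curl -k -s -u ro:secret 'https://icinga2.example:5665/v1/objects/apilisteners'` and pass the decoded JSON to `leaked_secrets`; repeat for `idomysqlconnections`, `idopgsqlconnections`, `icingadbs` and `elasticsearchwriters`. The second check is what the "specify queryable types explicitly" workaround amounts to in config terms: `permissions = [ "objects/query/Host", "objects/query/Service" ]` instead of `"objects/query/*"`. The reason a leaked `ticket_salt` matters is that a ticket is derived from only the CN and the salt, which is exactly what `icinga2 pki ticket --cn <cn> --salt <salt>` computes, so the salt alone lets anyone mint tickets for arbitrary CNs.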



Marked as fixed in versions icinga2/2.12.5-1~exp1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Mon, 26 Jul 2021 03:39:06 GMT)


Added tag(s) upstream. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Mon, 26 Jul 2021 03:39:07 GMT)


Reply sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
You have taken responsibility. (Mon, 26 Jul 2021 03:45:08 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 26 Jul 2021 03:45:08 GMT)


Message #14 received at 991494-done@bugs.debian.org:

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: Moritz Mühlenhoff <jmm@inutil.org>, 991494-done@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#991494: icinga2: CVE-2021-32739 CVE-2021-32743
Date: Mon, 26 Jul 2021 05:35:50 +0200
fixed 991494 icinga2/2.12.5-1~exp1
tags 991494 upstream
thanks

These issues are fixed in 2.12.5 which is available in experimental.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Marked as found in versions icinga2/2.12.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Jul 2021 04:57:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 26 16:17:14 2021; Machine Name: bembo
