icingaweb2: CVE-2021-32746 CVE-2021-32747


Debian Bug report logs - #991116


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 14 Jul 2021 19:03:01 UTC

Severity: important

Tags: security, upstream

Found in versions icingaweb2/2.6.2-3+deb10u1, icingaweb2/2.8.2-2, icingaweb2/2.6.2-3

Fixed in version icingaweb2/2.8.3-1~exp1

Done: Bas Couwenberg <sebastic@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991116; Package src:icingaweb2. (Wed, 14 Jul 2021 19:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 14 Jul 2021 19:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icingaweb2: CVE-2021-32746 CVE-2021-32747
Date: Wed, 14 Jul 2021 21:00:52 +0200
Source: icingaweb2
Version: 2.8.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.6.2-3+deb10u1
Control: found -1 2.6.2-3

Hi,

The following vulnerabilities were published for icingaweb2.

CVE-2021-32746[0]:
| Icinga Web 2 is an open source monitoring web interface, framework and
| command-line interface. Between versions 2.3.0 and 2.8.2, the `doc`
| module of Icinga Web 2 allows viewing documentation directly in the
| UI. It must be enabled manually by an administrator and users need
| explicit access permission to use it. Then, by visiting a certain
| route, it is possible to gain access to arbitrary files readable by
| the web-server user. The issue has been fixed in the 2.9.0, 2.8.3, and
| 2.7.5 releases. As a workaround, an administrator may disable the
| `doc` module or revoke permission to use it from all users.


CVE-2021-32747[1]:
| Icinga Web 2 is an open source monitoring web interface, framework,
| and command-line interface. A vulnerability in which custom variables
| are exposed to unauthorized users exists between versions 2.0.0 and
| 2.8.2. Custom variables are user-defined keys and values on
| configuration objects in Icinga 2. These are commonly used to
| reference secrets in other configurations such as check commands to be
| able to authenticate with a service being checked. Icinga Web 2
| displays these custom variables to logged in users with access to said
| hosts or services. In order to protect the secrets from being visible
| to anyone, it's possible to set up protection rules and blacklists in a
| user's role. Protection rules result in `***` being shown instead of
| the original value; the key will remain. Blacklists will hide a custom
| variable entirely from the user. Besides using the UI, custom
| variables can also be accessed differently by using an undocumented
| URL parameter. By adding a parameter to the affected routes, Icinga
| Web 2 will show these columns additionally in the respective list.
| This parameter is also respected when exporting to JSON or CSV.
| Protection rules and blacklists however have no effect in this case.
| Custom variables are shown as-is in the result. The issue has been
| fixed in the 2.9.0, 2.8.3, and 2.7.5 releases. As a workaround, one
| may set up a restriction to hide hosts and services with the custom
| variable in question.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32746
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43
[1] https://security-tracker.debian.org/tracker/CVE-2021-32747
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32747
    https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx

Regards,
Salvatore
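
For CVE-2021-32746 the advisory states only the effect (files readable by the web-server user become reachable through a doc-module route). As an added example that is not Icinga Web 2's own code, this shows the containment check a documentation viewer needs before serving a user-supplied path, including the symlink and absolute-path cases; the doc tree and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_doc_file(doc_root: str, requested: str) -> Optional[Path]:
    """Map a user-supplied documentation path onto a file below doc_root.

    Returns the canonical path only if it is still inside doc_root after '..'
    segments and symlinks are resolved, otherwise None. Absolute input is refused
    up front because Path joining would silently discard doc_root.
    """
    if os.path.isabs(requested) or "\x00" in requested:
        return None
    root = Path(doc_root).resolve()
    candidate = (root / requested).resolve()
    try:
        # Containment is checked on the canonical path, not on the request string,
        # so traversal hidden behind encoding or a symlink is caught as well.
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Probe the resolver against a constructed doc tree; True means 'handled correctly'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "doc"
        root.mkdir()
        (root / "guide.md").write_text("# Guide\n")
        (Path(tmp) / "outside.txt").write_text("not documentation\n")
        try:  # a symlink inside the tree that points out of it (skipped if unsupported)
            (root / "link.txt").symlink_to(Path(tmp) / "outside.txt")
        except OSError:
            pass
        return {
            "inside": resolve_doc_file(str(root), "guide.md") is not None,
            "dotdot": resolve_doc_file(str(root), "../outside.txt") is None,
            "absolute": resolve_doc_file(str(root), str(Path(tmp) / "outside.txt")) is None,
            "symlink": resolve_doc_file(str(root), "link.txt") is None,
        }
```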

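The CVE-2021-32747 text describes two per-role view controls, protection rules (value shown as `***`, key kept) and blacklists (variable hidden), that the list and JSON/CSV export paths skipped when extra columns were requested. As an added illustration, not code from Icinga Web 2, this is the defensive structure that closes that bug class: a single filtered accessor that both the UI list and every exporter consume, so a column name can never reach unfiltered data. The glob-style pattern syntax, the `HOSTS` sample and the policy shape are assumptions made for this example.

```python
import csv
import io
import json
import re

# Constructed sample data: hosts whose custom variables carry credentials.
HOSTS = [
    {"name": "db1", "vars": {"env": "prod", "db_password": "s3cr3t", "snmp_community": "public"}},
    {"name": "web1", "vars": {"env": "prod", "api_token": "tok-123"}},
]
# A role's view policy as the advisory describes it: protection rules keep the key
# but show '***' as the value, blacklist entries hide the variable entirely.
# Glob-style patterns are an assumption made for this example.
POLICY = {"protected": ["*password*", "*token*"], "blacklisted": ["snmp_*"]}


def _matches(key: str, patterns: list[str]) -> bool:
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), key, re.I) for p in patterns)


def apply_policy(custom_vars: dict[str, str], policy: dict) -> dict[str, str]:
    out = {}
    for key, value in custom_vars.items():
        if _matches(key, policy["blacklisted"]):
            continue  # hidden entirely
        out[key] = "***" if _matches(key, policy["protected"]) else value
    return out


def list_rows(hosts: list[dict], policy: dict, columns: list[str]) -> list[dict]:
    """The single data-access path shared by the UI list and every export format:
    client-requested extra columns are resolved against the filtered variables only,
    so no column name, documented or not, can pull a raw value through."""
    rows = []
    for host in hosts:
        visible = apply_policy(host["vars"], policy)
        rows.append({"host": host["name"], **{c: visible[c] for c in columns if c in visible}})
    return rows


def export(rows: list[dict], fmt: str) -> str:
    # Serialisers receive already-filtered rows; they never see the raw objects.
    if fmt == "json":
        return json.dumps(rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted({k for r in rows for k in r}))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def demo() -> str:
    # A client requests extra columns, one of them blacklisted, and exports to JSON.
    return export(list_rows(HOSTS, POLICY, ["env", "db_password", "api_token", "snmp_community"]), "json")
```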


Marked as found in versions icingaweb2/2.6.2-3+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 14 Jul 2021 19:03:03 GMT)


Marked as found in versions icingaweb2/2.6.2-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 14 Jul 2021 19:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991116; Package src:icingaweb2. (Wed, 14 Jul 2021 19:27:02 GMT)


Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 14 Jul 2021 19:27:02 GMT)


Message #14 received at 991116@bugs.debian.org:

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: Salvatore Bonaccorso <carnil@debian.org>, 991116@bugs.debian.org
Subject: Re: [Pkg-nagios-devel] Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747
Date: Wed, 14 Jul 2021 21:18:24 +0200
Control: tags -1 pending

On 7/14/21 9:00 PM, Salvatore Bonaccorso wrote:
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

2.9.0 would ideally have been uploaded (to experimental) which contains
the fixes for these issues, but it requires a more recent version of
icingaweb2-module-ipl (#991117). Those module packages are maintained
outside the Nagios team which complicates issues.

2.8.3 will be uploaded instead.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Added tag(s) pending. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 991116-submit@bugs.debian.org. (Wed, 14 Jul 2021 19:27:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991116; Package src:icingaweb2. (Wed, 14 Jul 2021 19:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Wed, 14 Jul 2021 19:54:03 GMT)


Message #21 received at 991116@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastiaan Couwenberg <sebastic@xs4all.nl>, 991116@bugs.debian.org
Subject: Re: Bug#991116: [Pkg-nagios-devel] Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747
Date: Wed, 14 Jul 2021 21:50:42 +0200
Hi,

On Wed, Jul 14, 2021 at 09:18:24PM +0200, Sebastiaan Couwenberg wrote:
> Control: tags -1 pending
> 
> On 7/14/21 9:00 PM, Salvatore Bonaccorso wrote:
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> 2.9.0 would ideally have been uploaded (to experimental) which contains
> the fixes for these issues, but it requires a more recent version of
> icingaweb2-module-ipl (#991117). Those module packages are maintained
> outside the Nagios team which complicates issues.
> 
> 2.8.3 will be uploaded instead.

Thanks!

About the new upstream version, it looks like apart from the two fixes
there were other changes done, so given we are very short before the full
freeze for bullseye it might be more suitable to just cherry-pick
https://github.com/Icinga/icingaweb2/commit/ffe8741c66af6ea085514a35ec878093b991875c
and
https://github.com/Icinga/icingaweb2/commit/80875d91bbfa52553fe7bb2c1a32a9814880d9c1
?

Can you please double-check with the release team for a pre-approval
of 2.8.3 otherwise?

Regards,
Salvatore



Reply sent to Bas Couwenberg <sebastic@debian.org>:
You have taken responsibility. (Wed, 14 Jul 2021 20:57:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 14 Jul 2021 20:57:04 GMT)


Message #26 received at 991116-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 991116-close@bugs.debian.org
Subject: Bug#991116: fixed in icingaweb2 2.8.3-1~exp1
Date: Wed, 14 Jul 2021 20:52:06 +0000
Source: icingaweb2
Source-Version: 2.8.3-1~exp1
Done: Bas Couwenberg <sebastic@debian.org>

We believe that the bug you reported is fixed in the latest version of
icingaweb2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bas Couwenberg <sebastic@debian.org> (supplier of updated icingaweb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 14 Jul 2021 21:20:48 +0200
Source: icingaweb2
Architecture: source
Version: 2.8.3-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>
Changed-By: Bas Couwenberg <sebastic@debian.org>
Closes: 991116
Changes:
 icingaweb2 (2.8.3-1~exp1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release.
     - Fixes CVE-2021-32746 & CVE-2021-32747.
     (closes: #991116)
   * Limit watch file to 2.8.x releases.
   * Update copyright file.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991116; Package src:icingaweb2. (Thu, 15 Jul 2021 03:51:02 GMT)


Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 15 Jul 2021 03:51:02 GMT)


Message #31 received at 991116@bugs.debian.org:

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: Salvatore Bonaccorso <carnil@debian.org>, 991116@bugs.debian.org
Subject: Re: Bug#991116: [Pkg-nagios-devel] Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747
Date: Thu, 15 Jul 2021 05:47:06 +0200
On 7/14/21 9:50 PM, Salvatore Bonaccorso wrote:
> Can you please double-check with the release team for a pre-approval
> of 2.8.3 otherwise?

Both are no-dsa issues, so it's not worth the effort to fix in bullseye
as experience with mapserver has shown.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>:
Bug#991116; Package src:icingaweb2. (Thu, 15 Jul 2021 04:15:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Nagios Maintainer Group <pkg-nagios-devel@lists.alioth.debian.org>. (Thu, 15 Jul 2021 04:15:02 GMT)


Message #36 received at 991116@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastiaan Couwenberg <sebastic@xs4all.nl>
Cc: 991116@bugs.debian.org
Subject: Re: Bug#991116: [Pkg-nagios-devel] Bug#991116: icingaweb2: CVE-2021-32746 CVE-2021-32747
Date: Thu, 15 Jul 2021 06:12:01 +0200
Hi,

On Thu, Jul 15, 2021 at 05:47:06AM +0200, Sebastiaan Couwenberg wrote:
> On 7/14/21 9:50 PM, Salvatore Bonaccorso wrote:
> > Can you please double-check with the release team for a pre-approval
> > of 2.8.3 otherwise?
> 
> Both are no-dsa issues, so it's not worth the effort to fix in bullseye
> as experience with mapserver has shown.

We seem to slightly disagree here; no-dsa does not mean that the issue
is not worth the effort to be fixed in that suite, just that it does not
warrant an out-of-order security advisory update (and so can be fixed in
an upcoming point release instead, batched with many other updates).

Regards,
Salvatore





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jul 15 16:16:37 2021; Machine Name: bembo
