-------------------------------------------------------------------------
Debian LTS Advisory DLA-3953-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
November 16, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : icinga2
Version        : 2.12.3-1+deb11u1
CVE ID         : CVE-2021-32739 CVE-2021-32743 CVE-2021-37698 CVE-2024-49369
Debian Bug     : 991494 1087384

Icinga 2 is a general-purpose monitoring application to fit the needs
of any size of network.

CVE-2021-32739

    From version 2.4.0 through version 2.12.4, a vulnerability exists that
    may allow privilege escalation for authenticated API users. With a
    read-only user's credentials, an attacker can view most attributes of
    all config objects including `ticket_salt` of `ApiListener`. This salt
    is enough to compute a ticket for every possible common name (CN). A
    ticket, the master node's certificate, and a self-signed certificate are
    enough to successfully request the desired certificate from Icinga. That
    certificate may in turn be used to steal an endpoint or API user's
    identity.

CVE-2021-32743

    In versions prior to 2.11.10 and from version 2.12.0 through version
    2.12.4, some of the Icinga 2 features that require credentials for
    external services expose those credentials through the API to
    authenticated API users with read permissions for the corresponding
    object types. An attacker who obtains these credentials can impersonate
    Icinga to these services and add, modify and delete information there.

CVE-2021-37698

    In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter,
    InfluxdbWriter and Influxdb2Writer do not verify the server's certificate
    despite a certificate authority being specified. Icinga 2 instances which
    connect to any of the mentioned time series databases (TSDBs) using TLS
    over a spoofable infrastructure should change the credentials (if any)
    used by the TSDB writer feature to authenticate against the TSDB.

CVE-2024-49369

    The TLS certificate validation in all Icinga 2 versions starting from
    2.4.0 was flawed, allowing an attacker to impersonate both trusted
    cluster nodes as well as any API users that use TLS client certificates
    for authentication (ApiUser objects with the client_cn attribute set).

For Debian 11 bullseye, these problems have been fixed in version
2.12.3-1+deb11u1.

We recommend that you upgrade your icinga2 packages.

For the detailed security status of icinga2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/icinga2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS