Bug 1189653 - (CVE-2021-37698) VUL-0: CVE-2021-37698: icinga2: Missing TLS server certificate validation in ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/307690/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-37698:6.8:(AV:...
Reported: 2021-08-20 13:52 UTC by Gianluca Gabrielli
Modified: 2022-10-25 16:21 UTC

Found By: Security Response Team
Description Gianluca Gabrielli 2021-08-20 13:52:48 UTC
Icinga is a monitoring system which checks the availability of network
resources, notifies users of outages, and generates performance data for
reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter,
InfluxdbWriter and Influxdb2Writer do not verify the server's certificate
despite a certificate authority being specified. Icinga 2 instances which
connect to any of the mentioned time series databases (TSDBs) using TLS over a
spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6,
or 2.11.11 to patch the issue. Such instances should also change the credentials
(if any) used by the TSDB writer feature to authenticate against the TSDB. There
are no workarounds aside from upgrading.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37698
https://github.com/Icinga/icinga2/releases/tag/v2.13.1
https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2
https://github.com/Icinga/icinga2/releases/tag/v2.12.6
https://github.com/Icinga/icinga2/releases/tag/v2.11.11
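A triage helper for this advisory, added here as an example and not code from Icinga, SUSE or the reporter: it applies the affected range and the per-branch fixed releases quoted above to an `icinga2 --version` string, and scans an Icinga 2 object configuration for the four writer types so that only TLS-enabled writers are flagged for the upgrade and credential rotation. The sample configuration is constructed, and the attribute names `ssl_enable`/`enable_tls` used to detect TLS are assumed from the Icinga 2 writer documentation rather than taken from this page; distribution packages that backport the fix (as SUSE's icinga2-2.8.2-3.6.1 does) are still reported as vulnerable by the upstream version check.

```python
import re

# Writer object types named in the advisory.
TSDB_WRITERS = {"ElasticsearchWriter", "GelfWriter", "InfluxdbWriter", "Influxdb2Writer"}
# First fixed release per maintained branch, from the advisory; 2.5.0 is the first affected.
FIXED = {(2, 11): (2, 11, 11), (2, 12): (2, 12, 6), (2, 13): (2, 13, 1)}
FIRST_AFFECTED = (2, 5, 0)
# Attributes that switch TLS on in these writers (assumed from Icinga docs, not from the page).
TLS_FLAGS = ("ssl_enable", "enable_tls")
_OBJECT = re.compile(r'object\s+(\w+)\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)

# Constructed sample config: one TLS-enabled writer with a CA set, one plaintext writer.
SAMPLE_CONFIG = """\
object InfluxdbWriter "influxdb" {
  host = "tsdb.example.internal"
  ssl_enable = true
  ssl_ca_cert = "/etc/icinga2/pki/tsdb-ca.crt"
}
object GelfWriter "gelf" {
  host = "graylog.example.internal"
}
"""

def parse_version(text):
    """'r2.12.3-1' (as icinga2 --version prints) or '2.12.3' -> (2, 12, 3)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def upstream_vulnerable(version):
    """True when an upstream build of this version lacks the fix. Branches without a
    fixed release (2.5 to 2.10) are affected; 2.14 and later never were. Distro packages
    may backport the fix (SUSE's icinga2-2.8.2-3.6.1 does), so this is a first pass only."""
    v = parse_version(version)
    return v >= FIRST_AFFECTED and v < FIXED.get(v[:2], (2, 13, 1))

def tls_writers(config):
    """Map (type, name) -> whether TLS is enabled, for every TSDB writer object."""
    return {(typ, name): any(re.search(rf"\b{f}\s*=\s*true\b", body) for f in TLS_FLAGS)
            for typ, name, body in _OBJECT.findall(config) if typ in TSDB_WRITERS}

def triage(version, config):
    """Writers needing the upgrade plus a credential rotation: TLS-enabled TSDB writers
    on an unfixed version (a plaintext writer has no server certificate to validate)."""
    if not upstream_vulnerable(version):
        return []
    return sorted(f"{t} {n!r}" for (t, n), tls in tls_writers(config).items() if tls)
```

Run `triage("r2.13.0-1", SAMPLE_CONFIG)` against the sample to see only the InfluxdbWriter reported; the GelfWriter without TLS is not affected by this CVE.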
Comment 1 Gianluca Gabrielli 2021-08-20 13:53:20 UTC
Affected packages:
 - SUSE:SLE-12-SP2:GA:Products:Update/icinga2  2.8.2
 - openSUSE:Factory/icinga2                    2.13.0
Comment 3 Carlos López 2022-08-12 10:56:32 UTC
As with bnc#1180147, reassigning to coldpool. SUSE:SLE-12-SP2:GA:Products:Update is tracked as affected.
Comment 4 Petr Gajdos 2022-08-23 10:22:06 UTC
All 15 backports have icinga2 < 2.13.
Comment 7 Petr Gajdos 2022-09-27 15:28:04 UTC
(In reply to Gianluca Gabrielli from comment #2)

12sp2:

> [0] https://github.com/Icinga/icinga2/commit/78aa348
ok

> [1] https://github.com/Icinga/icinga2/commit/037944a
not applicable

> [2] https://github.com/Icinga/icinga2/commit/8da90d4
ok

> [3] https://github.com/Icinga/icinga2/commit/5c35ab5
not applicable
Comment 8 Petr Gajdos 2022-09-29 08:08:22 UTC
Submitted for 12sp2/icinga2.
Comment 10 Swamp Workflow Management 2022-10-25 16:21:35 UTC
SUSE-SU-2022:3725-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172171,1180147,1189653
CVE References: CVE-2020-14004,CVE-2020-29663,CVE-2021-37698
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    icinga2-2.8.2-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.