Bug 1189653 - (CVE-2021-37698) VUL-0: CVE-2021-37698: icinga2: Missing TLS server certificate validation in ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer
VUL-0: CVE-2021-37698: icinga2: Missing TLS server certificate validation in ...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2021-08-20 13:52 UTC by Gianluca Gabrielli
Modified: 2022-10-25 16:21 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-08-20 13:52:48 UTC
Icinga is a monitoring system which checks the availability of network
resources, notifies users of outages, and generates performance data for
reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter,
InfluxdbWriter and Influxdb2Writer do not verify the server's certificate
despite a certificate authority being specified. Icinga 2 instances which
connect to any of the mentioned time series databases (TSDBs) using TLS over a
spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6,
or 2.11.11 to patch the issue. Such instances should also change the credentials
(if any) used by the TSDB writer feature to authenticate against the TSDB. There
are no workarounds aside from upgrading.

Comment 1 Gianluca Gabrielli 2021-08-20 13:53:20 UTC
Affected packages:
 - SUSE:SLE-12-SP2:GA:Products:Update/icinga2  2.8.2
 - openSUSE:Factory/icinga2                    2.13.0
Comment 3 Carlos López 2022-08-12 10:56:32 UTC
As with bnc#1180147, reassigning to coldpool. SUSE:SLE-12-SP2:GA:Products:Update is tracked as affected.
Comment 4 Petr Gajdos 2022-08-23 10:22:06 UTC
All 15 backports have icinga2 < 2.13.
Comment 7 Petr Gajdos 2022-09-27 15:28:04 UTC
(In reply to Gianluca Gabrielli from comment #2)


> [0] https://github.com/Icinga/icinga2/commit/78aa348

> [1] https://github.com/Icinga/icinga2/commit/037944a
not applicable

> [2] https://github.com/Icinga/icinga2/commit/8da90d4

> [3] https://github.com/Icinga/icinga2/commit/5c35ab5
not applicable
Comment 8 Petr Gajdos 2022-09-29 08:08:22 UTC
Submitted for 12sp2/icinga2.
Comment 10 Swamp Workflow Management 2022-10-25 16:21:35 UTC
SUSE-SU-2022:3725-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172171,1180147,1189653
CVE References: CVE-2020-14004,CVE-2020-29663,CVE-2021-37698
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for HPC 12 (src):    icinga2-2.8.2-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.