Bug 1189653 - (CVE-2021-37698) VUL-0: CVE-2021-37698: icinga2: Missing TLS server certificate validation in ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Normal
Assigned To: package coldpool
Security Team bot
https://smash.suse.de/issue/307690/
CVSSv3.1:SUSE:CVE-2021-37698:6.8:(AV:...
Reported: 2021-08-20 13:52 UTC by Gianluca Gabrielli
Modified: 2022-08-12 10:56 UTC
Found By: Security Response Team

Description Gianluca Gabrielli 2021-08-20 13:52:48 UTC
Icinga is a monitoring system which checks the availability of network
resources, notifies users of outages, and generates performance data for
reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter,
InfluxdbWriter and Influxdb2Writer do not verify the server's certificate
despite a certificate authority being specified. Icinga 2 instances which
connect to any of the mentioned time series databases (TSDBs) using TLS over a
spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6,
or 2.11.11 to patch the issue. Such instances should also change the credentials
(if any) used by the TSDB writer feature to authenticate against the TSDB. There
are no workarounds aside from upgrading.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37698
https://github.com/Icinga/icinga2/releases/tag/v2.13.1
https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2
https://github.com/Icinga/icinga2/releases/tag/v2.12.6
https://github.com/Icinga/icinga2/releases/tag/v2.11.11
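The defect class described above, shown as an added example that is not Icinga 2's own code: a TLS client context that loads a CA bundle but never switches verification on (the vulnerable pattern), beside the hardened form, plus an audit check that flags the gap. `WriterTlsConfig`, `build_client_context` and `audit_client_context` are hypothetical names; Python's `ssl` module stands in for the Boost.Asio/OpenSSL code in the real writers.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WriterTlsConfig:
    """Constructed stand-in for a TSDB writer's TLS settings (hypothetical, not Icinga's config)."""
    host: str
    ca_file: Optional[str] = None   # CA bundle to trust; None = system trust store
    verify_peer: bool = True        # what the 2.13.1 / 2.12.6 / 2.11.11 fix enforces


def build_client_context(cfg: WriterTlsConfig) -> ssl.SSLContext:
    """Build the client context; verify_peer=False reproduces the vulnerable pattern."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Trust anchors are loaded in both cases: "a certificate authority is specified".
    if cfg.ca_file:
        ctx.load_verify_locations(cafile=cfg.ca_file)
    else:
        ctx.load_default_certs()
    if cfg.verify_peer:
        # Hardened form: the handshake fails unless the chain validates against
        # the loaded CAs AND the hostname matches the certificate.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
    else:
        # Vulnerable form: the CA was loaded but is never consulted, so any
        # certificate (self-signed, wrong name) completes the handshake.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings an auditor would raise; an empty list means the server is verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server name is not matched against the certificate (check_hostname is False)")
    return findings


if __name__ == "__main__":
    for verify in (False, True):
        ctx = build_client_context(WriterTlsConfig("tsdb.example.internal", verify_peer=verify))
        cas = ctx.cert_store_stats()["x509_ca"]   # CAs are present in both cases
        print(f"verify_peer={verify}: {cas} CA certs loaded, findings={audit_client_context(ctx)}")
```

The point the audit makes is that counting loaded CA certificates says nothing about whether they are enforced; only `verify_mode` and `check_hostname` do.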
Comment 1 Gianluca Gabrielli 2021-08-20 13:53:20 UTC
Affected packages:
 - SUSE:SLE-12-SP2:GA:Products:Update/icinga2  2.8.2
 - openSUSE:Factory/icinga2                    2.13.0
Comment 3 Carlos López 2022-08-12 10:56:32 UTC
As with bnc#1180147, reassigning to coldpool. SUSE:SLE-12-SP2:GA:Products:Update is tracked as affected.