Debian: DLA-2816-1 Critical: Icinga2 Multiple Threats Detected
debian lts
November 10, 2021
Several vulnerabilities were discovered in Icinga 2, a general-purpose monitoring application
Summary
CVE-2021-32739
A vulnerability exists that may allow privilege escalation for
authenticated API users. With a read-ony user's credentials, an
attacker can view most attributes of all config objects including
`ticket_salt` of `ApiListener`. This salt is enough to compute a
ticket for every possible common name (CN). A ticket, the master
node's certificate, and a self-signed certificate are enough to
successfully request the desired certificate from Icinga. That
certificate may in turn be used to steal an endpoint or API user's
identity. See also complementary manual procedures:
https://icinga.com/blog/releasing-icinga-2-12-5-and-2-11-10/
https://icinga.com/blog/releasing-icinga-2-12-5-and-2-11-10/
CVE-2021-32743
Some of the Icinga 2 features that require credentials for
external services expose those credentials through the API to
authenticated API users with read permissions for the
corresponding object types. IdoMysqlConnection and
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: icinga2
Version: 2.6.0-2+deb9u2
CVE ID: CVE-2021-32739 CVE-2021-32743 CVE-2021-37698
Debian Bug: 991494
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!