https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/ Today, we are releasing security updates for Icinga 2 fixing a critical vulnerability that allowed to bypass the certificate validation for JSON-RPC and HTTP API connections. Impact The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). By impersonating a trusted cluster node like a master or satellite, an attacker can supply a malicious configuration update to other nodes (if the accept_config attribute of the ApiListener object is set to true) or instruct the other node to execute malicious commands directly (if the accept_commands attribute of the ApiListener object is set to true). These attributes are expected to be set in most distributed installations, but in case they are not, an attacker can still retrieve potentially sensitive information. When impersonating API users, the impact depends on the permissions configured for the individual users using certificate authentication. This may include permissions like updating the configuration and executing commands as well. We expect most installations to be affected by this vulnerability and recommend upgrading as soon as possible. Patches The following fixed versions were released: v2.14.3 v2.13.10 v2.12.11 v2.11.12 The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com and the Icinga for Windows repository. Updated container images are available on Docker Hub. Updated Helm Charts are provided in the corresponding repository. Given the severity of the issue, users are advised to upgrade immediately. Workarounds There is no known way to work around this in Icinga 2. Access to the Icinga 2 API port can be restricted using firewalls to reduce the impact. Details In order to allow some time for patching, the full report with more details on the vulnerability including how to reproduce it will be released in two weeks on 2024-11-26. Acknowledgements We would like to thank Finn Steglich for finding and reporting this issue. References GitHub Security Advisory Patch (source code): master branch, v2.14.3, v2.13.10, v2.12.11, v2.11.12 For more information If you have any questions or comments about this advisory, please ask in our community forum or email us at info@icinga.com. For reporting possible security issues, please see the information on our website.
Updated with quick stable from 2.14.2 to 2.14.3, removed 2.14.2.
Thank you Matthew
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=c0074768f3370d9e4501ee33392fe6fdba1a4f12 commit c0074768f3370d9e4501ee33392fe6fdba1a4f12 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-12-07 10:38:13 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-12-07 10:38:23 +0000 [ GLSA 202412-08 ] icinga2: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/760660 Bug: https://bugs.gentoo.org/943329 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202412-08.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)
