icinga2-2.13.1-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10856-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z icinga2-2.13.1-1.3 on GA media These are all security issues fixed in the icinga2-2.13.1-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10856 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-16933/ SUSE CVE CVE-2017-16933 page https://www.suse.com/security/cve/CVE-2018-6534/ SUSE CVE CVE-2018-6534 page https://www.suse.com/security/cve/CVE-2020-14004/ SUSE CVE CVE-2020-14004 page https://www.suse.com/security/cve/CVE-2020-29663/ SUSE CVE CVE-2020-29663 page https://www.suse.com/security/cve/CVE-2021-32739/ SUSE CVE CVE-2021-32739 page https://www.suse.com/security/cve/CVE-2021-32743/ SUSE CVE CVE-2021-32743 page https://www.suse.com/security/cve/CVE-2021-37698/ SUSE CVE CVE-2021-37698 page openSUSE Tumbleweed icinga2-2.13.1-1.3 icinga2-bin-2.13.1-1.3 icinga2-common-2.13.1-1.3 icinga2-doc-2.13.1-1.3 icinga2-ido-mysql-2.13.1-1.3 icinga2-ido-pgsql-2.13.1-1.3 nano-icinga2-2.13.1-1.3 vim-icinga2-2.13.1-1.3 icinga2-2.13.1-1.3 as a component of openSUSE Tumbleweed icinga2-bin-2.13.1-1.3 as a component of openSUSE Tumbleweed icinga2-common-2.13.1-1.3 as a component of openSUSE Tumbleweed icinga2-doc-2.13.1-1.3 as a component of openSUSE Tumbleweed icinga2-ido-mysql-2.13.1-1.3 as a component of openSUSE Tumbleweed icinga2-ido-pgsql-2.13.1-1.3 as a component of openSUSE Tumbleweed nano-icinga2-2.13.1-1.3 as a component of openSUSE Tumbleweed vim-icinga2-2.13.1-1.3 as a component of openSUSE Tumbleweed etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link. CVE-2017-16933 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-16933.html CVE-2017-16933 https://bugzilla.suse.com/1086673 SUSE Bug 1086673 https://bugzilla.suse.com/1086676 SUSE Bug 1086676 An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash. CVE-2018-6534 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-6534.html CVE-2018-6534 https://bugzilla.suse.com/1086674 SUSE Bug 1086674 An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user. CVE-2020-14004 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14004.html CVE-2020-14004 https://bugzilla.suse.com/1172171 SUSE Bug 1172171 Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3. CVE-2020-29663 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-29663.html CVE-2020-29663 https://bugzilla.suse.com/1180147 SUSE Bug 1180147 Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-ony user's credentials, an attacker can view most attributes of all config objects including `ticket_salt` of `ApiListener`. This salt is enough to compute a ticket for every possible common name (CN). A ticket, the master node's certificate, and a self-signed certificate are enough to successfully request the desired certificate from Icinga. That certificate may in turn be used to steal an endpoint or API user's identity. Versions 2.12.5 and 2.11.10 both contain a fix the vulnerability. As a workaround, one may either specify queryable types explicitly or filter out ApiListener objects. CVE-2021-32739 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32739.html CVE-2021-32739 https://bugzilla.suse.com/1188372 SUSE Bug 1188372 Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule. CVE-2021-32743 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-32743.html CVE-2021-32743 https://bugzilla.suse.com/1188370 SUSE Bug 1188370 Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading. CVE-2021-37698 openSUSE Tumbleweed:icinga2-2.13.1-1.3 openSUSE Tumbleweed:icinga2-bin-2.13.1-1.3 openSUSE Tumbleweed:icinga2-common-2.13.1-1.3 openSUSE Tumbleweed:icinga2-doc-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-mysql-2.13.1-1.3 openSUSE Tumbleweed:icinga2-ido-pgsql-2.13.1-1.3 openSUSE Tumbleweed:nano-icinga2-2.13.1-1.3 openSUSE Tumbleweed:vim-icinga2-2.13.1-1.3 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-37698.html CVE-2021-37698 https://bugzilla.suse.com/1189653 SUSE Bug 1189653