Today we are releasing multiple minor versions of Icinga Web 2 to fix a recently reported security issue.

The vulnerability allows an attacker to read arbitrary files that are readable by the process running Icinga Web 2, that is, by the web server or PHP user.

It has been registered as CVE-2020-24368. Technical details can be found on GitHub.

Are we affected?

A successful attack requires an installed module that serves its own icons and images. If no such module is installed, you are safe. Known and publicly available modules matching these criteria:

We would like to emphasize that a module itself is neither the cause nor affected. None of the listed modules require a fix in this regard.

If you have such a module installed, the only way to check whether you have already been a victim of this vulnerability is to inspect the web server's access log (and the log of any reverse proxy in front of it). The following command lists GET and POST requests to /static/img whose file parameter contains three or more ../ sequences, plain or URL-encoded (the -i flag also covers %2E and %2F), together with requests to /static/img that carry no query string at all. Note that for a POST the parameters are sent in the body and never appear in the access log, so such entries need a closer look:

grep -Pie '(?<=GET |POST ).*/static/img(\?.*file=((\.|%2e){2}(/|%2f)){3,}\S*| )' access.log

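
The same check as a small script, added here as an example; it is not code from Icinga Web 2 or from the original advisory. It applies the rule of the grep command above, but URL-decodes the file parameter first (once, as PHP does) so any mix of plain and percent-encoded characters is caught, reports the reason for each hit, and reports a bare /static/img without query string only for POST requests. The log lines are constructed, and the module_name parameter name used in them is an assumption.

```python
"""Scan a web server access log for CVE-2020-24368 exploitation attempts.

Added example for this advisory; it is not code from Icinga Web 2. It applies
the rule of the grep command above, but URL-decodes the file parameter first
(once, as PHP does) so any mix of plain and percent-encoded characters is
caught. The module_name parameter name in the sample lines is an assumption.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Same threshold as the grep command: three or more "../" segments are needed
# to leave a module's image directory.
MIN_TRAVERSAL_SEGMENTS = 3

# Request line of a common/combined log format entry: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/[\d.]+"')
# One traversal segment after decoding ("%2e%2e%2f" has become "../" by then).
TRAVERSAL_RE = re.compile(r'\.\./')

# Constructed sample entries (not real traffic) covering the interesting cases.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Aug/2020:10:00:01 +0000] "GET /icingaweb2/static/img?module_name=foo&file=../../../../../../etc/passwd HTTP/1.1" 200 1234
192.0.2.10 - - [19/Aug/2020:10:00:02 +0000] "GET /icingaweb2/static/img?module_name=foo&file=%2e%2e%2F%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1234
192.0.2.11 - - [19/Aug/2020:10:00:03 +0000] "GET /icingaweb2/static/img?module_name=foo&file=icons/host.png HTTP/1.1" 200 512
192.0.2.12 - - [19/Aug/2020:10:00:04 +0000] "POST /icingaweb2/static/img HTTP/1.1" 200 1234
192.0.2.13 - - [19/Aug/2020:10:00:05 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 9000
192.0.2.14 - - [19/Aug/2020:10:00:06 +0000] "GET /icingaweb2/static/img?module_name=foo&file=../img/x.png HTTP/1.1" 404 0
"""


def classify_request(method, target):
    """Return why a request looks like an exploit attempt, or None if it does not."""
    parts = urlsplit(target)
    if not parts.path.endswith('/static/img'):
        return None
    if not parts.query:
        # A POST carries its parameters in the body, which the access log does
        # not record, so the request cannot be cleared from the log alone.
        if method.upper() == 'POST':
            return 'POST to /static/img; parameters were in the body, review manually'
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('file', []):
        if len(TRAVERSAL_RE.findall(value)) >= MIN_TRAVERSAL_SEGMENTS:
            return 'file parameter leaves the module directory: ' + value
    return None


def scan_log(text):
    """Return (line_number, client_ip, reason) for every suspicious entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        reason = classify_request(match.group('method'), match.group('target'))
        if reason is not None:
            hits.append((lineno, line.split(' ', 1)[0], reason))
    return hits


if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    for lineno, ip, reason in scan_log(log_text):
        print(f'line {lineno} from {ip}: {reason}')
```

Run it as `python3 scan_img.py /var/log/apache2/access.log`; without an argument it scans the embedded sample, where lines 1, 2 and 4 are reported. Decoding happens exactly once, so a double-encoded %252e is deliberately not counted as a traversal: the web server hands it to PHP as a literal %2e, which does not leave the directory.
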
Next Steps

We provide updates for Icinga Web 2 versions 2.6, 2.7 and 2.8 in our official repositories and recommend upgrading your installation as soon as possible. If you are on a legacy version and do not want to upgrade to 2.8.x, you can perform a minor upgrade with the following commands:

RHEL/SLES
from 2.7.x: yum install icingaweb2*2.7.4 icingacli-2.7.4 php-Icinga-2.7.4
from 2.6.x: yum install icingaweb2*2.6.4 icingacli-2.6.4 php-Icinga-2.6.4

Debian/Ubuntu
from 2.7.x: apt-get upgrade icingaweb2=2.7.4* icingaweb2-common=2.7.4* php-icinga=2.7.4*
from 2.6.x: apt-get upgrade icingaweb2=2.6.4* icingaweb2-common=2.6.4* php-icinga=2.6.4*

We also reached out to package maintainers of community repositories to coordinate our efforts and bring the updates quickly to each installation.

A very special thank you goes to our partner Würth Phoenix, for reporting and handling this issue responsibly!