Icinga 2.13.1 + 2.12.6 + 2.11.11: Security and Bugfix Releases

Aug 19, 2021

Today we’re releasing the security and bugfix versions 2.13.1, 2.12.6 and 2.11.11. The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer.

In addition, 2.13.1 also fixes two issues introduced with 2.13.0.

Security (2.13.1, 2.12.6, 2.11.11)

CVE-2021-37698 – Add TLS server certificate validation to ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer

Despite a CA being specified, none of the TSDB writers verify the server’s certificate. This results in a spoofable connection between Icinga 2 and the metrics server. Icinga 2 instances which connect to any of the mentioned TSDBs using TLS over a spoofable infrastructure should immediately upgrade and change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB.
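To find which writer objects relied on TLS and which credentials they carry, the following added example (not Icinga's own code) scans Icinga 2 configuration text for the four affected object types. The attribute names (`enable_tls`, `ssl_enable`, `username`, `password`, `auth_token`) are assumed from the Icinga 2 object type documentation rather than this post, and the `audit` function and sample configuration are constructed for illustration.

```python
import re

# Assumed from Icinga 2's object docs, not this post: (TLS switch, credential attrs)
WRITERS = {
    "ElasticsearchWriter": ("enable_tls", ("username", "password")),
    "GelfWriter": ("enable_tls", ()),
    "InfluxdbWriter": ("ssl_enable", ("username", "password")),
    "Influxdb2Writer": ("ssl_enable", ("auth_token",)),
}
HEADER_RE = re.compile(r'^\s*object\s+(\w+)\s+"([^"]+)"\s*\{\s*$')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def audit(config_text):
    """Return TLS-enabled TSDB writers and the credential attributes to rotate."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)   # block comments
    text = re.sub(r"^[ \t]*(//|#).*$", "", text, flags=re.M)   # line comments
    findings, depth = [], 0
    for line in text.splitlines():
        if depth <= 0:                 # outside any object: look for a header
            header = HEADER_RE.match(line)
            if header:
                current, attrs, depth = (header[1], header[2]), {}, 1
            continue
        attr = ATTR_RE.match(line)
        if depth == 1 and attr:        # skip keys inside nested dictionaries
            attrs[attr[1]] = attr[2]
        depth += line.count("{") - line.count("}")  # braces in strings unsupported
        if depth > 0:
            continue
        tls_attr, creds = WRITERS.get(current[0], (None, ()))
        if tls_attr and re.match(r"true\b", attrs.get(tls_attr, "")):
            findings.append({"type": current[0], "name": current[1],
                             "rotate": [c for c in creds if c in attrs]})
    return findings

# Constructed sample configuration; names and secrets are placeholders.
SAMPLE = '''
object InfluxdbWriter "influxdb" {
  ssl_enable = true
  username = "icinga2"
  host_template = {
    measurement = "$host.check_command$"
  }
  password = "example-only"
}
object ElasticsearchWriter "elasticsearch" {
  // enable_tls = true
}
'''
```

Call `audit()` on the contents of each feature configuration file; every returned entry is a writer to re-check after the upgrade, with `rotate` naming the credential attributes set on it.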

Bugfixes (2.13.1)

  • IDO PgSQL: Fix a string quoting regression introduced in 2.13.0 #8958
  • ApiListener: Automatically fall back to IPv4 in default configuration on systems without IPv6 support #8961

 
