Releasing Icinga 2 v2.16.2, 2.15.4 and 2.14.9

Jun 29, 2026

Today, we are releasing security updates for Icinga 2 fixing multiple security issues. Users are advised to upgrade immediately, as two of them allow an unauthenticated attacker to take over or crash the Icinga 2 process over the network. The other security fixes only affect authenticated API users.

Vulnerabilities

GHSA-vj39-ww8j-vvx5 (CVE pending)
The code handling certificate update JSON-RPC messages was flawed and did not properly validate the sender of the message, allowing an unauthenticated attacker that can connect to Icinga 2 to update both its own certificate and the trusted CA certificate. Updating the trusted CA allows an attacker to impersonate a trusted node and thereby take control of the node.
GHSA-wh38-wg57-5w7g (CVE pending)
An attacker can trigger a stack overflow in Icinga 2 by sending crafted JSON. The affected code is also reachable by unauthenticated clients and can be used to crash the Icinga 2 process. Due to the issue being a stack overflow, the possibility of this leading to code execution can’t be ruled out, but hasn’t been demonstrated yet.
GHSA-jgqj-x5j9-vgcm (CVE pending)
When creating config objects via the /v1/objects API endpoint, the template names from the request were written to the resulting Icinga 2 config files without proper sanitization, allowing any ApiUser with the permission to create configuration to inject arbitrary configuration that allows them to escalate their privileges.
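
The following C++ code is an added illustration of the defect class described above and is not Icinga 2's own code: a generator that writes caller-controlled names into configuration text, first without validation (names are interpolated verbatim, so a quote or brace in a template name ends the object early and whatever follows becomes further configuration) and then with an identifier check in front of it. The allowed-character set, the function names and the constructed hostile name are assumptions of this example, not taken from the Icinga 2 source.

```cpp
// Added example, not Icinga 2 code: caller-controlled names written into
// generated configuration text, vulnerable and hardened variants side by side.
#include <cctype>
#include <stdexcept>
#include <string>
#include <vector>

// Assumption for this example: object and template names are limited to
// letters, digits, '_', '-' and '.'. Quotes, braces and newlines, which carry
// meaning in the config syntax, are therefore rejected.
bool IsSafeIdentifier(const std::string& name)
{
    if (name.empty() || name.size() > 255)
        return false;
    for (unsigned char c : name) {
        if (!std::isalnum(c) && c != '_' && c != '-' && c != '.')
            return false;
    }
    return true;
}

// Raw renderer: names are interpolated verbatim. Fed unvalidated input this
// is the vulnerable pattern; a name containing a closing quote and brace
// terminates the object and the rest is parsed as additional configuration.
std::string RenderObjectText(const std::string& type, const std::string& name,
                             const std::vector<std::string>& templates)
{
    std::string out = "object " + type + " \"" + name + "\" {\n";
    for (const auto& t : templates)
        out += "\timport \"" + t + "\"\n";
    out += "}\n";
    return out;
}

// Hardened pattern: every identifier is validated before any text is produced;
// one bad name rejects the whole request instead of writing a partial file.
std::string RenderObjectValidated(const std::string& type, const std::string& name,
                                  const std::vector<std::string>& templates)
{
    if (!IsSafeIdentifier(name))
        throw std::invalid_argument("invalid object name");
    for (const auto& t : templates) {
        if (!IsSafeIdentifier(t))
            throw std::invalid_argument("invalid template name");
    }
    return RenderObjectText(type, name, templates);
}

// Counts lines that begin a new object definition. One create request should
// always produce exactly one; more than one means the input broke out.
int CountObjectDefinitions(const std::string& config)
{
    int count = 0;
    std::size_t pos = 0;
    while ((pos = config.find("object ", pos)) != std::string::npos) {
        if (pos == 0 || config[pos - 1] == '\n')
            ++count;
        pos += 7;
    }
    return count;
}

// True if the hardened renderer refuses the given template name.
bool ValidatedRendererRejects(const std::string& templateName)
{
    try {
        RenderObjectValidated("Host", "web01", {templateName});
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

// Constructed sample input for this example (not from the advisory): a
// template name that closes the quote and the object and starts another one.
const std::string kConstructedHostileName = "generic-host\"\n}\nobject Host \"injected\" {";
```

Run through the raw renderer, the constructed name yields two object definitions from a single request; the validated renderer throws before writing anything. Validating at the boundary (rather than trying to escape the name) is the simpler fix, because it does not depend on knowing every syntactic construct of the config language.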

We have requested CVE numbers for these GHSAs and will add them here once they have been assigned.

Additional Fixes

  • Fix that /v1/config/files could send uninitialized memory in case of file I/O errors
  • Windows: Update bundled OpenSSL to v3.5.7 for Icinga 2 v2.16.2 and v3.0.21 for Icinga 2 v2.15.4 and v2.14.9
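
As an added illustration of the first fix above (not Icinga 2's own code), the C++ below shows the general defect class: a buffer sized in advance, a read whose result is never checked, and the whole buffer handed back as if it were file content, next to a version that treats open and read failures as an explicit "no result" and returns only the bytes actually read. The function names, the temp-file fixture and the 0xAA fill (which stands in for whatever a real heap buffer would contain, so the effect is visible deterministically) are assumptions of this example.

```cpp
// Added example, not Icinga 2 code: an unchecked file read that returns
// buffer bytes the file never contained, beside a checked version.
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <memory>
#include <optional>
#include <string>

// Vulnerable pattern: the buffer is sized from an earlier size lookup and the
// read result is never inspected. On a short read or I/O error the tail of the
// buffer is returned as if it were file content. A real heap buffer would hold
// whatever the allocator left there; here it is filled with 0xAA so the
// leaked tail is deterministic and easy to spot.
std::string ReadFileUnsafe(const std::string& path, std::size_t expectedSize)
{
    std::unique_ptr<char[]> buf(new char[expectedSize]);
    std::fill_n(buf.get(), expectedSize, static_cast<char>(0xAA));
    std::ifstream in(path, std::ios::binary);
    in.read(buf.get(), static_cast<std::streamsize>(expectedSize));  // result ignored
    return std::string(buf.get(), expectedSize);                    // full buffer returned
}

// Hardened pattern: an open failure or a read error yields no result at all;
// on success only the bytes that were actually read are returned.
std::optional<std::string> ReadFileSafe(const std::string& path)
{
    std::ifstream in(path, std::ios::binary);
    if (!in)
        return std::nullopt;
    std::string data((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
    if (in.bad())
        return std::nullopt;
    return data;
}

// Writes constructed sample content to a file in the temp directory and
// returns its path (example fixture; assumes the temp directory is writable).
std::string WriteSampleFile(const std::string& contents)
{
    const auto path = std::filesystem::temp_directory_path() / "icinga-advisory-example.txt";
    std::ofstream out(path, std::ios::binary | std::ios::trunc);
    out << contents;
    return path.string();
}
```

With a five-byte sample file and an expected size of eight, the unchecked version returns eight bytes, three of which never came from the file; the checked version returns exactly five, and returns nothing for a path that cannot be opened. The same shape applies to any handler that serves file contents over an API: size the response from what was read, not from what was expected.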

In addition, a new permission named filter-expression is introduced, which allows specifying if individual API users are allowed to use DSL filter expressions in API queries. This allows further restricting some API users that don’t need this capability, for example, those only submitting individual check results. Due to the incompatibility of this change, enforcement of this permission is opt-in until v2.17; see the upgrading docs for details.

Patches

The issues were addressed in Icinga 2 v2.16.2, v2.15.4 and v2.14.9.

The source code for the new versions can be found in the Icinga 2 Git repository. Updated binary packages are available on packages.icinga.com and the Icinga for Windows repository. Updated container images are available on Docker Hub.

Acknowledgements

While working on a release with the fix, the issue in GHSA-jgqj-x5j9-vgcm was reported independently by TristanInSec and de3erve-hunter.

For more information

If you have any questions or comments about this advisory, please ask in our community forum or email us at info@icinga.com.

For reporting possible security issues, please see the information on our website.
