Source: icinga2
Version: 2.14.2-1
Severity: grave
Tags: upstream security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Dear Maintainer,

I'm pretty sure you're aware, nevertheless here is the bug report:

https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/

Today, we are releasing security updates for Icinga 2 fixing a critical vulnerability that allowed to bypass the certificate validation for JSON-RPC and HTTP API connections.

Impact

The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set).

By impersonating a trusted cluster node like a master or satellite, an attacker can supply a malicious configuration update to other nodes (if the accept_config attribute of the ApiListener object is set to true) or instruct the other node to execute malicious commands directly (if the accept_commands attribute of the ApiListener object is set to true). These attributes are expected to be set in most distributed installations, but in case they are not, an attacker can still retrieve potentially sensitive information.

When impersonating API users, the impact depends on the permissions configured for the individual users using certificate authentication. This may include permissions like updating the configuration and executing commands as well.

We expect most installations to be affected by this vulnerability and recommend upgrading as soon as possible.

P.P.S. Ignore the version information below; however, stable & oldstable are affected too.
Hilmar

-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf

Kernel: Linux 6.6.51+rpt-rpi-v8 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
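As an added illustration (not part of this bug report and not Icinga's own code), a small Python triage script that maps an Icinga 2 configuration onto the impact conditions the advisory names: whether the ApiListener has accept_config or accept_commands enabled, and which ApiUser objects authenticate via client_cn. The config fragment is constructed and the parser is a deliberate simplification that only understands flat `object Type "name" { key = value }` blocks, not the full Icinga DSL.

```python
import re

# Constructed Icinga 2 config fragment (assumption, not from a real host):
SAMPLE_CONF = """
object ApiListener "api" {
  accept_config = true
  accept_commands = false
}
object ApiUser "icingaweb2" {
  password = "secret"
  permissions = [ "*" ]
}
object ApiUser "director" {
  client_cn = "director.example.internal"
  permissions = [ "config/modify", "actions/*" ]
}
"""

OBJECT_RE = re.compile(r'^\s*object\s+(\w+)\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def parse_objects(text):
    """Minimal parser for flat `object Type "name" { key = value }` blocks."""
    objects, current = [], None
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "attrs": {}}
            objects.append(current)
        elif current is None or line.strip() == "}":
            current = None
        elif (a := ATTR_RE.match(line)):
            current["attrs"][a.group(1)] = a.group(2)
    return objects

def assess_exposure(text):
    """Map the config onto the advisory's impact conditions."""
    objs = parse_objects(text)
    listeners = [o for o in objs if o["type"] == "ApiListener"]
    flags = {k: any(o["attrs"].get(k) == "true" for o in listeners)
             for k in ("accept_config", "accept_commands")}
    flags["cert_users"] = [o["name"] for o in objs
                           if o["type"] == "ApiUser" and "client_cn" in o["attrs"]]
    # Advisory: a spoofed node can push config / run commands only when these
    # are enabled; otherwise the residual impact is information disclosure.
    flags["worst_case"] = ("config_or_command_execution"
                           if flags["accept_config"] or flags["accept_commands"]
                           else "information_disclosure")
    return flags
```

Calling `assess_exposure(SAMPLE_CONF)` on the fragment above reports accept_config enabled and one certificate-authenticated user ("director"), i.e. the high-impact case; a listener with both attributes off falls back to the information-disclosure case. Upgrading remains the fix regardless of the result.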