Today’s security update for Icinga2 addresses several security vulnerabilities. Two of them are particularly critical. An update is absolutely necessary. An unauthenticated attacker can use this to take over or crash Icinga 2 processes over the network. The remaining updates apply only to authenticated API users. Find out here exactly what’s affected, how high the risk is for your setup, and how to update in just a few minutes.
The Vulnerabilities in Detail
GHSA-vj39-ww8j-vvx5 ( CVE pending)
The code for processing JSON-RPC messages for certificate updates was faulty and did not correctly validate the message sender. This allowed unauthenticated attackers to use the connection to Icinga2 to update both their own certificate and the trusted CA certificate. By updating the trusted CA, an attacker can impersonate a trusted node and thereby take control of the node.
GHSA-wh38-wg57-5w7g (CVE pending)
An attacker can trigger a stack overflow in Icinga 2 by sending manipulated JSON. The affected code is also accessible to unauthenticated clients and can be exploited to crash the Icinga 2 process. Since this is a stack overflow, the possibility of code execution cannot be ruled out, although it has not yet been proven.
GHSA-jgqj-x5j9-vgcm (CVE pending)
When creating configuration objects via the /v1/objects API endpoint, the template names were carried over into the resulting Icinga 2 configuration without being properly sanitized. As a result, API users with permission to create configurations were able to inject arbitrary configuration content and thereby gain elevated privileges.
We have requested CVE numbers from the GHSA and will add them here once they have been assigned.
Additional fixes in this release
- A bug has been fixed that caused /v1/config/files to send uninitialized memory in the event of file I/O errors.
- Windows: Update the bundled OpenSSL to v3.5.7 for Icinga 2 v2.16.2 and to v3.0.21 for Icinga 2 v2.15.4 and v2.14.9
- In addition, a new permission called ” filter-expression ” is being introduced . This setting determines whether individual API users are allowed to use DSL filter expressions in API requests. This allows API users who do not need this feature to further restrict their access—for example, those who only submit individual check results. Since this change is not backward-compatible, the permission is only enforced optionally up to v2.17.
For more details, see the upgrade documentation.
Patches
These issues were addressed in the following versions:
- v2.16.2
- v2.15.4
- v2.14.9
You can find the source code for the new versions in the Icinga 2 Git repository. Updated binary packages are available at packages.icinga.com and in the Icinga for Windows repository. Updated container images are available on Docker Hub.
Acknowledgments
Special thanks to TristanInSec and de3erve-hunter! While the Icinga team was working on the release, GHSA-jgqj-x5j9-vgcm independently brought the issue to their attention.
