Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:3725-1

Опубликовано: 25 окт. 2022
Источник: suse-cvrf

Описание

Security update for icinga2

This update for icinga2 fixes the following issues:

  • CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context. (bsc#1172171)
  • CVE-2020-29663: ignoring CRL, where revoked certificates due for renewal will automatically be renewed. (bsc#281137)
  • CVE-2021-37698: Missing TLS server certificate validation in ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer. (bsc#281137)

Список пакетов

SUSE Linux Enterprise Module for HPC 12
icinga2-2.8.2-3.6.1
icinga2-bin-2.8.2-3.6.1
icinga2-common-2.8.2-3.6.1
icinga2-doc-2.8.2-3.6.1
icinga2-ido-mysql-2.8.2-3.6.1
icinga2-ido-pgsql-2.8.2-3.6.1
icinga2-libs-2.8.2-3.6.1
vim-icinga2-2.8.2-3.6.1

Ссылки

Описание

An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will by followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.

Затронутые продукты
SUSE Linux Enterprise Module for HPC 12:icinga2-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-bin-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-common-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-doc-2.8.2-3.6.1
Ссылки

Описание

Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3.

Затронутые продукты
SUSE Linux Enterprise Module for HPC 12:icinga2-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-bin-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-common-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-doc-2.8.2-3.6.1
Ссылки

Описание

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.

Затронутые продукты
SUSE Linux Enterprise Module for HPC 12:icinga2-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-bin-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-common-2.8.2-3.6.1
SUSE Linux Enterprise Module for HPC 12:icinga2-doc-2.8.2-3.6.1
Ссылки