Candidate: CVE-2021-37698
PublicDate: 2021-08-19 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37698
 https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2
 https://icinga.com/blog/2021/08/19/icinga-2-13-1-security-release/
 https://github.com/Icinga/icinga2/releases/tag/v2.13.1
 https://github.com/Icinga/icinga2/releases/tag/v2.12.6
 https://github.com/Icinga/icinga2/releases/tag/v2.11.11
Description:
 Icinga is a monitoring system which checks the availability of network
 resources, notifies users of outages, and generates performance data for
 reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter,
 GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's
 certificate despite a certificate authority being specified. Icinga 2
 instances which connect to any of the mentioned time series databases
 (TSDBs) using TLS over a spoofable infrastructure should immediately
 upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such
 instances should also change the credentials (if any) used by the TSDB
 writer feature to authenticate against the TSDB. There are no workarounds
 aside from upgrading.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_icinga2:
upstream_icinga2: released (2.13.1-1)
trusty_icinga2: ignored (out of standard support)
trusty/esm_icinga2: DNE
xenial_icinga2: ignored (out of standard support)
bionic_icinga2: needs-triage
focal_icinga2: needs-triage
hirsute_icinga2: ignored (reached end-of-life)
impish_icinga2: needs-triage
jammy_icinga2: needs-triage
devel_icinga2: needs-triage