CVE-2021-37698
HIGHIcinga 2.5.0-2.13.0 - Improper Certificate Validation in Writers
Title source: llmDescription
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2 instances which connect to any of the mentioned time series databases (TSDBs) using TLS over a spoofable infrastructure should immediately upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Such instances should also change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds aside from upgrading.
References (6)
Core 6
Core References
Third Party Advisory x_refsource_confirm
https://github.com/Icinga/icinga2/security/advisories/GHSA-cxfm-8j5v-5qr2
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Icinga/icinga2/releases/tag/v2.11.11
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Icinga/icinga2/releases/tag/v2.12.6
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Icinga/icinga2/releases/tag/v2.13.1
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html
Scores
CVSS v3
7.5
EPSS
0.0142
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-295
Status
published
Products (2)
debian/debian_linux
9.0
icinga/icinga
2.5.0 - 2.11.10
Published
Aug 19, 2021
Tracked Since
Feb 18, 2026