
CVE-2022-24715

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.


Impact

Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code.

Patches

This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.

Workaround

Limit access to the configuration to yourself or users you can trust.

Who Is Affected

  • Check the configured module paths in the general configuration for suspicious entries.
  • Check the file /etc/icingaweb2/resources.ini (the path may vary, depending on your configuration) and look for sections with the option type set to ssh. If all other options of such a section look normal, you’re not affected.
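The two checks above can be scripted so they run the same way on every Icinga Web 2 host. The following is an added example, not code from the advisory or from the Icinga project: it parses a resources.ini and flags ssh-type sections whose user or private_key values contain path separators or point outside the expected key directory, and it lists module_path entries from config.ini that are not on an allowlist. The option names (type, user, private_key, and module_path under [global]), the default key directory /etc/icingaweb2/ssh and the trusted module root are assumptions drawn from a stock installation; adjust them to your deployment. The sample INI text is constructed for the demonstration.

```python
"""Audit helpers for the checks in the Icinga Web 2 advisory.
Added example, not Icinga's own code; option names and default paths are assumptions."""
import configparser
import posixpath

# Constructed sample resources.ini: one DB resource, one normal-looking SSH
# resource, and one SSH resource whose values contain path characters.
SAMPLE_RESOURCES_INI = """\
[icinga_db]
type = "db"
db = "mysql"
host = "localhost"

[ssh_ok]
type = "ssh"
user = "icinga"
private_key = "/etc/icingaweb2/ssh/icinga"

[ssh_suspect]
type = "ssh"
user = "../../../var/www/html/shell"
private_key = "/var/www/html/shell.php"
"""

# Constructed sample config.ini with one extra, untrusted module path entry.
SAMPLE_CONFIG_INI = """\
[global]
module_path = "/usr/share/icingaweb2/modules:/tmp/modules"
"""

EXPECTED_KEY_DIR = "/etc/icingaweb2/ssh"  # assumption: default SSH key location
TRUSTED_MODULE_ROOTS = ("/usr/share/icingaweb2/modules",)  # assumption: package default


def _unquote(value: str) -> str:
    """Icinga Web 2 writes INI values in double quotes; strip one surrounding pair."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def _parse(ini_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(ini_text)
    return parser


def find_suspicious_ssh_resources(ini_text: str, expected_dir: str = EXPECTED_KEY_DIR) -> list:
    """Return (section, reason) pairs for ssh-type sections that do not look normal."""
    parser = _parse(ini_text)
    findings = []
    for section in parser.sections():
        opts = {k: _unquote(v) for k, v in parser.items(section)}
        if opts.get("type") != "ssh":
            continue
        user = opts.get("user", "")
        key = opts.get("private_key", "")
        # A user name is a plain account name; separators or traversal do not belong in it.
        if "/" in user or "\\" in user or ".." in user:
            findings.append((section, f"user contains path characters: {user!r}"))
        # The key file should live under the expected directory once the path is normalised.
        if key:
            norm = posixpath.normpath(key)
            if not norm.startswith(expected_dir.rstrip("/") + "/"):
                findings.append((section, f"private_key outside {expected_dir}: {key!r}"))
    return findings


def find_untrusted_module_paths(config_text: str, trusted=TRUSTED_MODULE_ROOTS) -> list:
    """Return module_path entries (colon-separated) that are not in the trusted allowlist."""
    parser = _parse(config_text)
    raw = _unquote(parser.get("global", "module_path", fallback=""))
    return [entry for entry in raw.split(":")
            if entry and posixpath.normpath(entry) not in trusted]


if __name__ == "__main__":
    # Replace the constructed samples with the contents of the real files on your host.
    for section, reason in find_suspicious_ssh_resources(SAMPLE_RESOURCES_INI):
        print(f"resources.ini [{section}]: {reason}")
    for entry in find_untrusted_module_paths(SAMPLE_CONFIG_INI):
        print(f"config.ini module_path: untrusted entry {entry!r}")
```

A hit from either function is a reason to inspect the section by hand, not proof of compromise; the advisory's own criterion is whether the remaining options of an ssh section look normal, and the allowlists here only encode what a default install would contain.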

References

Further technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.

For more information

If you have any questions or comments about this advisory, you can contact:

  • The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
  • The maintainers, by asking for assistance on the forums

Related news

Gentoo Linux Security Advisory 202208-05

Gentoo Linux Security Advisory 202208-5 - Multiple vulnerabilities have been found in Icinga Web 2, the worst of which could result in remote code execution. Versions less than 2.9.6 are affected.
