Gentoo Linux Security Advisory 202208-05

Gentoo Linux Security Advisory 202208-5 - Multiple vulnerabilities have been found in Icinga Web 2, the worst of which could result in remote code execution. Versions less than 2.9.6 are affected.


Gentoo Linux Security Advisory GLSA 202208-05

https://security.gentoo.org/

Severity: High
Title: Icinga Web 2: Multiple Vulnerabilities
Date: August 04, 2022
Bugs: #738024, #834802
ID: 202208-05


Synopsis

Multiple vulnerabilities have been found in Icinga Web 2, the worst of
which could result in remote code execution.

Background

Icinga Web 2 is a frontend for icinga2.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1 www-apps/icingaweb2        < 2.9.6                      >= 2.9.6

Description

Multiple vulnerabilities have been discovered in Icinga Web 2. Please
review the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Icinga Web 2 users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose ">=www-apps/icingaweb2-2.9.6"
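The GLSA draws a single line at 2.9.6, but the CVE descriptions further down this page give per-branch fix releases (2.8.6 for two of the issues, 2.9.6 and 2.10 for all of them, and 2.6.4/2.7.4/2.8.2 for the 2020 traversal). The checker below is an added example, not Gentoo's or Icinga's tooling; it encodes exactly those fix versions and reports which of the four CVEs a given installed version is still exposed to. The one interpretive assumption is that the CVE-2020-24368 text ("fixed in v2.6.4, v2.7.4 and v2.8.2") means the first fixed release of each branch.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fix versions exactly as stated in the CVE descriptions on this page.
# For CVE-2020-24368 the text lists "v2.6.4, v2.7.4 and v2.8.2" as fixed; this
# example treats those as the first fixed release of each branch (assumption).
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2020-24368": ["2.6.4", "2.7.4", "2.8.2"],
    "CVE-2022-24714": ["2.8.6", "2.9.6", "2.10"],
    "CVE-2022-24715": ["2.8.6", "2.9.6", "2.10"],
    "CVE-2022-24716": ["2.9.6", "2.10"],
}

# The GLSA's own boundary: www-apps/icingaweb2 < 2.9.6 is vulnerable.
GLSA_UNAFFECTED_FROM = "2.9.6"


def parse_version(text: str) -> Version:
    """Turn '2.9.6', 'v2.10' or a Gentoo '2.9.6-r1' into a comparable int tuple."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def branch(v: Version) -> Tuple[int, int]:
    """Release branch, e.g. (2, 9) for 2.9.6."""
    return (v[0], v[1] if len(v) > 1 else 0)


def is_fixed(installed: Version, fixes: List[Version]) -> bool:
    """Fixed if at or past the newest fix release, or if the installed
    version's own branch received a fix and installed is at or past it.
    A branch with no listed fix (e.g. 2.8.x for CVE-2022-24716) stays exposed."""
    if installed >= max(fixes):
        return True
    return any(branch(f) == branch(installed) and installed >= f for f in fixes)


def exposure(version_text: str) -> List[str]:
    """CVE ids from this advisory that `version_text` is still exposed to."""
    installed = parse_version(version_text)
    return sorted(
        cve for cve, fixes in FIXED_IN.items()
        if not is_fixed(installed, [parse_version(f) for f in fixes])
    )


def glsa_affected(version_text: str) -> bool:
    """Mirror of the GLSA's affected-package table (< 2.9.6)."""
    return parse_version(version_text) < parse_version(GLSA_UNAFFECTED_FROM)


if __name__ == "__main__":
    # Constructed sample versions spanning the branches named on the page.
    for v in ("2.7.3", "2.8.6", "2.9.5", "2.9.6", "2.10.1"):
        print(f"{v:>7}: GLSA affected={glsa_affected(v)}, CVEs={exposure(v) or 'none'}")
```

Note the asymmetry the table hides: 2.8.6 clears CVE-2022-24714 and CVE-2022-24715 but, per the description on this page, not CVE-2022-24716, so a host pinned to the 2.8 branch still needs the credential rotation that CVE's description calls for.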

References

[ 1 ] CVE-2020-24368
https://nvd.nist.gov/vuln/detail/CVE-2020-24368
[ 2 ] CVE-2022-24714
https://nvd.nist.gov/vuln/detail/CVE-2022-24714
[ 3 ] CVE-2022-24715
https://nvd.nist.gov/vuln/detail/CVE-2022-24715
[ 4 ] CVE-2022-24716
https://nvd.nist.gov/vuln/detail/CVE-2022-24716

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202208-05

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2022-24716

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.

CVE-2022-24715

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2. Users unable to upgrade should limit access to the Icinga Web 2 configuration.

CVE-2022-24714

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Installations of Icinga 2 with the IDO writer enabled are affected. If you use service custom variables in role restrictions, and you regularly decommission service objects, users with said roles may still have access to a collection of content. Note that this only applies if a role has implicitly permitted access to hosts, due to permitted access to at least one of their services. If access to a host is permitted by other means, no sensitive information has been disclosed to unauthorized users. This issue has been resolved in versions 2.8.6, 2.9.6 and 2.10 of Icinga Web 2.

CVE-2020-24368

Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Directory Traversal vulnerability which allows an attacker to access arbitrary files that are readable by the process running Icinga Web 2. This issue is fixed in Icinga Web 2 in v2.6.4, v2.7.4 and v2.8.2.
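Three of the four issues above are failures to keep a path inside its intended directory: a directory traversal read (CVE-2020-24368), an unauthenticated read of local files including configuration with database credentials (CVE-2022-24716), and a write of SSH resource files into unintended directories (CVE-2022-24715). The page does not describe Icinga Web 2's actual code paths, so the following is an added, generic illustration of the defensive check that class of bug calls for, not code from the project. The base directory and file names are constructed; the check resolves the requested path (collapsing `..`, absolute paths and symlinks) and only then tests containment, component-wise rather than by string prefix.

```python
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when a requested path would land outside the permitted directory."""


def confine_path(base_dir: str, requested: str) -> Path:
    """Resolve `requested` under `base_dir` and refuse anything that escapes it.

    Joining an absolute `requested` onto `base` yields `requested` itself, and
    resolve() collapses '..' and follows symlinks, so the containment check sees
    the path the OS would actually open or create, not the string the user sent.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        # relative_to() compares path components, so a base of /srv/res does not
        # accidentally accept /srv/resources/x the way a string prefix test would.
        candidate.relative_to(base)
    except ValueError:
        raise PathOutsideBase(f"{requested!r} resolves to {candidate}, outside {base}") from None
    if candidate == base:
        # A resource *file* must be strictly inside the directory, not the directory itself.
        raise PathOutsideBase(f"{requested!r} names the base directory, not a file in it")
    return candidate


def is_confined(base_dir: str, requested: str) -> bool:
    """True if `requested` stays inside `base_dir`, False if the check rejects it."""
    try:
        confine_path(base_dir, requested)
        return True
    except PathOutsideBase:
        return False


def demo_symlink_escape() -> bool:
    """Constructed scenario: a symlink inside the base directory points outside it.

    Returns True when confine_path correctly rejects a file path routed through
    that link, which a check on the unresolved string would have accepted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "resources"
        outside = Path(tmp) / "outside"
        base.mkdir()
        outside.mkdir()
        (base / "link").symlink_to(outside)
        return not is_confined(str(base), "link/resource.conf")


if __name__ == "__main__":
    # Hypothetical resource directory; the check does not require it to exist.
    base = "/srv/icingaweb2/resources"
    for req in ("ssh/host1.key", "../../../etc/passwd", "/etc/passwd", ""):
        print(f"{req!r:>22}: {'ok' if is_confined(base, req) else 'REJECTED'}")
    print("symlink escape rejected:", demo_symlink_escape())
```

The same check serves both directions: applied before opening a file it addresses the read-side issues, applied before creating one it addresses the write-side issue; in either case the decision is made on the resolved path, and the caller never passes an unresolved user-supplied string to the filesystem.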
