=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN734
_____________________________________________________________________

DATE                : 27/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Icinga 2 versions prior to
                            2.15.1, 2.14.7, 2.13.13.

=====================================================================
https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v
https://github.com/Icinga/icinga2/security/advisories/GHSA-v9jg-xqhj-f43g
https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46
_____________________________________________________________________


API users could access restricted values in filter expressions
High
julianbrost published GHSA-gg32-w9rm-vp2v Oct 16, 2025

Package
Icinga 2

Affected versions
>=2.4, <=2.15.0

Patched versions
2.15.1, 2.14.7, 2.13.13


Description

Impact

Filter expressions provided to the various /v1/objects endpoints could
access variables or objects that would otherwise be inaccessible to the
user. This can allow authenticated API users to learn information
that should be hidden from them.


Patches

A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7,
and 2.13.13.

To fix this, the following changes were made for filter expressions
supplied in API requests:

    Global variables can only be used in filter expressions if the
    user is allowed to see them according to the variables permission
    (as used by /v1/variables).

    The get_object() function now only returns an object if the user
    is allowed to see it according to the corresponding
    objects/query/<type> permission (as used by /v1/objects).

    The following functions can no longer be used in API filter
    expressions: get_objects(), get_template(), get_templates(),
    getenv().


Workarounds

The weakness can only be exploited by authenticated API users, thus
API access can be limited to trusted users only. There is no
practical workaround to prevent authenticated users from exploiting
it because it would require removing permissions from that user
that grant access to endpoints that accept filter expressions
(which includes /v1/actions and /v1/objects).


References

    Security Release Announcement


Severity
High
7.1 / 10

CVSS v4 base metrics

Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: Low
    User interaction: None
Vulnerable System Impact Metrics
    Confidentiality: High
    Integrity: None
    Availability: None
Subsequent System Impact Metrics
    Confidentiality: Low
    Integrity: None
    Availability: None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

CVE ID
CVE-2025-61907

Weaknesses
CWE-200
CWE-204
CWE-749


Credits

    @Al2Klimov (Finder)


_____________________________________________________________________


Denial of Service (DoS) By Dereferencing Invalid Reference
High
julianbrost published GHSA-v9jg-xqhj-f43g Oct 16, 2025

Package
Icinga 2

Affected versions
>=2.10.0, <=2.15.0

Patched versions
2.15.1, 2.14.7, 2.13.13


Description

Impact

When an invalid reference is created, such as a reference to null,
dereferencing it results in a segmentation fault. Any API user with
access to an API endpoint that allows specifying a filter expression
can use this to crash the Icinga 2 daemon.


Patches

A fix is included in the following Icinga 2 versions: 2.15.1,
2.14.7, and 2.13.13.


Workarounds

The weakness can only be exploited by authenticated API users,
thus API access can be limited to trusted users only. There is
no practical workaround to prevent authenticated users from
exploiting it because it would require removing permissions from
that user that grant access to endpoints that accept filter
expressions (which includes /v1/actions and /v1/objects).


References

    Introduced in Icinga 2.10.0, #6521.
    Security Release Announcement


Severity
High
7.1 / 10

CVSS v4 base metrics

Exploitability Metrics
    Attack Vector: Network
    Attack Complexity: Low
    Attack Requirements: None
    Privileges Required: Low
    User interaction: None
Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: High
Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2025-61908

Weaknesses
CWE-476


Credits

    @oxzi (Finder)


_____________________________________________________________________


Signals sent as root to processes based on PID file written by the
Icinga 2 daemon user
Moderate
julianbrost published GHSA-pg6g-g99v-mw46 Oct 16, 2025

Package
Icinga 2

Affected versions
<=2.15.0

Patched versions
2.15.1, 2.14.7, 2.13.13


Description

Impact

The safe-reload script (also used during systemctl reload icinga2) and
logrotate configuration shipped with Icinga 2 read the PID of the main
Icinga 2 process from a PID file writable by the daemon user, but send
the signal as the root user. This can allow the Icinga user to send
signals to processes it would otherwise not be permitted to signal.


Patches

A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7,
and 2.13.13.


Warning

The fix to the logrotate configuration is inside the
/etc/logrotate.d/icinga2 file. This file is tracked as a configuration
file by the package manager and may not be updated automatically if it
was modified locally. After upgrading, make sure to check if there are
any files with an extension like .dpkg-dist or .rpmnew next to it. If
so, you need to incorporate the changes into your configuration
manually.

If the file uses the command

    "$DAEMON" internal signal --sig SIGHUP --pid "$pid"

(instead of kill -HUP "$pid"), it was upgraded correctly.
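
Added example, not part of the original advisory or of the Icinga project's
code: a shell check that automates the post-upgrade verification described
above. The function name, the output labels and the extra .dpkg-new suffix are
assumptions of this example, and the sample file at the end is constructed.

```sh
#!/bin/sh
# Added example (not Icinga project code): post-upgrade check of the logrotate
# snippet for the CVE-2025-61909 fix. Function name and labels are hypothetical.
# Status: 0 = fixed, 1 = unmerged file or kill still used, 2 = file missing.

check_icinga2_logrotate() {
    conf="${1:-/etc/logrotate.d/icinga2}"
    rc=0
    [ -f "$conf" ] || { echo "MISSING $conf"; return 2; }

    # A locally modified conffile is kept and the packaged one lands beside it.
    # .dpkg-dist and .rpmnew come from the advisory; .dpkg-new is added here.
    for ext in dpkg-dist dpkg-new rpmnew; do
        if [ -e "$conf.$ext" ]; then
            echo "UNMERGED $conf.$ext"
            rc=1
        fi
    done

    # Judge active lines only, so a commented-out old command is not flagged.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    if printf '%s\n' "$active" |
        grep -Eq 'internal[[:space:]]+signal[[:space:]]+--sig[[:space:]]+SIGHUP'; then
        echo "FIXED signal sent via 'internal signal --sig SIGHUP'"
    else
        echo "NOFIX 'internal signal --sig SIGHUP' not found"
        rc=1
    fi

    if printf '%s\n' "$active" |
        grep -Eq '(^|[^[:alnum:]_])kill[[:space:]]+-(s[[:space:]]+)?(SIG)?HUP'; then
        echo "KILL root-run 'kill -HUP' on a PID taken from the PID file"
        rc=1
    fi
    return "$rc"
}

# Constructed sample (not the shipped file) so the check can be tried offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/icinga2" <<'EOF'
/var/log/icinga2/icinga2.log {
    postrotate
        kill -HUP "$pid"
    endscript
}
EOF
check_icinga2_logrotate "$demo_dir/icinga2" || echo "status: $?"
rm -rf "$demo_dir"
```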


Workarounds

Both problems arise from calling the kill binary from shell scripts
or configuration files. These can also be changed without upgrading
the Icinga 2 packages. This can be used to temporarily disable these
actions (at the cost of functionality).


References

    Security Release Announcement
    Source code patch: 51ec73c
    Original report: #10527


Severity
Moderate
4.0 / 10

CVSS v4 base metrics

Exploitability Metrics
    Attack Vector: Local
    Attack Complexity: Low
    Attack Requirements: Present
    Privileges Required: High
    User interaction: None
Vulnerable System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: None
Subsequent System Impact Metrics
    Confidentiality: None
    Integrity: None
    Availability: High

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CVE ID
CVE-2025-61909

Weaknesses
CWE-250


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




