Crunsher

**Name of the Vulnerable Software and Affected Versions** Icinga versions 2.x through 2.8.1 **Description** An issue allows an attacker to exhaust a lot of memory on the server side by sending specially crafted requests, triggering the OOM killer. This can be done through both authenticated and unauthenticated requests. **Recommendations** For versions 2.x through 2.8.1, update to a version that contains a fix for this issue to prevent memory exhaustion attacks.

**Name of the Vulnerable Software and Affected Versions** Icinga versions 2.x through 2.8.1 **Description** An issue was discovered that allows Icinga 2 to be run as root by editing the init.conf file, enabling the program to execute arbitrary code as root. This issue was resolved by changing how account information is determined for root-executed code. **Recommendations** For Icinga versions 2.x through 2.8.1, update the software to a version where the issue of using init.conf to determine account information for root-executed code has been fixed.

**Name of the Vulnerable Software and Affected Versions** Icinga versions 2.x through 2.8.1 **Description** An issue was discovered that allows an attacker to cause a NULL pointer dereference by sending specially crafted messages, potentially causing the product to crash. **Recommendations** For versions 2.x through 2.8.1, update to a version later than 2.8.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Icinga versions 2.x through 2.8.1 **Description** An issue in the password comparison function can disclose the password to an attacker due to the lack of a constant-time comparison, potentially allowing attackers to exploit this and gain unauthorized access. **Recommendations** For versions 2.x through 2.8.1, update to a version that includes a constant-time password comparison function to prevent password disclosure.