PT-2021-21818 · Icinga

N-O-X · Published 2021-08-19 · Updated 2024-11-16 · CVE-2021-37698

CVSS v3.1

7.5 High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Icinga versions 2.5.0 through 2.13.0

Description

Icinga is a monitoring system that checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The issue arises in the ElasticsearchWriter, GelfWriter, InfluxdbWriter, and Influxdb2Writer components, which do not verify the server's certificate despite a certificate authority being specified. This affects Icinga 2 instances that connect to time series databases (TSDBs) using TLS over a spoofable infrastructure.

Recommendations

For Icinga versions 2.5.0 through 2.13.0, upgrade to version 2.13.1, 2.12.6, or 2.11.11 to patch the issue. Change the credentials (if any) used by the TSDB writer feature to authenticate against the TSDB. Note that there are no workarounds aside from upgrading.
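
The affected range and the three fixed releases overlap numerically (2.12.6 and 2.11.11 sit inside "2.5.0 through 2.13.0"), so a plain range comparison misclassifies patched hosts. The following triage check is an added example, not code from Icinga or from this advisory; the `assess` helper, the inventory format, and the sample hosts are assumptions constructed for illustration.

```python
import re

# Values taken from the advisory text above.
FIRST_AFFECTED = (2, 5, 0)
LAST_AFFECTED = (2, 13, 0)
# Fixed release per branch, keyed by (major, minor).
FIXED_BY_BRANCH = {(2, 13): (2, 13, 1), (2, 12): (2, 12, 6), (2, 11): (2, 11, 11)}
AFFECTED_WRITERS = {"ElasticsearchWriter", "GelfWriter",
                    "InfluxdbWriter", "Influxdb2Writer"}


def parse_version(text):
    """Extract the first x.y.z triple from a version string such as 'r2.12.5-1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def version_is_affected(text):
    version = parse_version(text)
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    # Branches with no fixed release named in the advisory stay affected throughout.
    return fixed is None or version < fixed


def assess(version_text, configured_object_types):
    """Hypothetical helper: combine the version check with the configured writers."""
    writers = sorted(AFFECTED_WRITERS & set(configured_object_types))
    affected = version_is_affected(version_text)
    return {
        "version_affected": affected,
        "affected_writers": writers,
        # True means: upgrade, then change the TSDB credentials these writers use.
        "action_needed": affected and bool(writers),
    }


if __name__ == "__main__":
    # Constructed sample inventory: (host, reported version, configured object types).
    inventory = [
        ("mon-a", "r2.12.5-1", ["InfluxdbWriter", "Notification"]),
        ("mon-b", "2.12.6", ["GelfWriter"]),
        ("mon-c", "2.10.7", ["IdoMysqlConnection"]),
    ]
    for host, version, types in inventory:
        print(host, assess(version, types))
```

Distribution packages can carry the fix under an older upstream version number, so confirm package status against the distribution advisories listed under Related Identifiers.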

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2021-37698
DLA-2816-1
DLA-3953-1
GHSA-CXFM-8J5V-5QR2
OPENSUSE-SU-2024:10856-1
SUSE-SU-2022:3725-1

Affected Products

Icinga
Suse