CVE-2024-49369

high-risk

Published 2024-11-12

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

Do I need to act?

22.5% chance of exploitation in next 30 days

EPSS score — higher than 77% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Icinga

Debian Linux

Affected Vendors

Debian Icinga

References (8)

Patch https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3...

Patch https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad...

Patch https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393f...

Patch https://github.com/Icinga/icinga2/commit/869a7d6f0fe38c748e67bacc1fbdd42c933030f...

Patch https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a82083...

Patch https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv

Release Notes https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3

Mailing List https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 14/34 · Moderate

Exposure 7/34 · Low