icinga2: Multiple vulnerabilities (CVE-2018-6532, CVE-2018-6534, CVE-2018-6535)
CVE-2018-6532: An issue was discovered in Icinga 2.x through 2.8.1.
By sending specially crafted (authenticated and unauthenticated)
requests, an attacker can exhaust a lot of memory on the server side,
triggering the OOM killer.
Fixed in Version:
Icinga 2.8.2.
References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6103
https://nvd.nist.gov/vuln/detail/CVE-2018-6532
CVE-2018-6534: An issue was discovered in Icinga 2.x through 2.8.1.
By sending specially crafted messages,
an attacker can cause a NULL pointer dereference, which can cause the
product to crash.
Fixed in Version:
Icinga 2.8.2.
References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/6104
https://nvd.nist.gov/vuln/detail/CVE-2018-6534
CVE-2018-6535: An issue was discovered in Icinga 2.x through 2.8.1.
The lack of a constant-time
password comparison function can disclose the password to an attacker.
Fixed in Version:
Icinga 2.8.2.
References:
http://openwall.com/lists/oss-security/2018/03/22/3
https://github.com/Icinga/icinga2/pull/5715
https://nvd.nist.gov/vuln/detail/CVE-2018-6535
(from redmine: issue id 8714, created on 2018-03-23, closed on 2018-03-29)
- Relations:
- copied_to #8716 (closed)
- child #8715 (closed)
- child #8716 (closed)
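
For CVE-2018-6535 above, an added example (not Icinga's code and not the patch from the referenced pull request) contrasting an early-exit password comparison with a constant-time one in C++. The function names and the secret `hunter2!` are constructed for illustration, and the `steps` counter stands in for the running time an attacker would measure.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Early-exit comparison: stops at the first mismatching byte, so the number
// of loop iterations (steps) reveals how long the correct prefix is.
bool naive_equals(const std::string& supplied, const std::string& expected, std::size_t& steps)
{
    steps = 0;
    if (supplied.size() != expected.size())
        return false;
    for (std::size_t i = 0; i < supplied.size(); ++i) {
        ++steps;
        if (supplied[i] != expected[i])
            return false;
    }
    return true;
}

// Constant-time comparison: visits every supplied byte and accumulates the
// differences, so the work depends on the supplied length only, never on
// where the first mismatch is. A length mismatch is folded into diff.
bool constant_time_equals(const std::string& supplied, const std::string& expected, std::size_t& steps)
{
    steps = 0;
    const std::size_t n = expected.size();
    // volatile keeps the compiler from reintroducing an early exit
    volatile unsigned char diff = (supplied.size() != n) ? 1 : 0;
    for (std::size_t i = 0; i < supplied.size(); ++i) {
        ++steps;
        const unsigned char e = n ? static_cast<unsigned char>(expected[i % n]) : 0;
        diff = static_cast<unsigned char>(diff | (static_cast<unsigned char>(supplied[i]) ^ e));
    }
    return diff == 0;
}

int main()
{
    const std::string secret = "hunter2!";  // constructed sample secret
    const char* guesses[] = {"xxxxxxxx", "hunxxxxx", "hunter2!"};
    for (const char* g : guesses) {
        std::size_t a = 0, b = 0;
        const bool r1 = naive_equals(g, secret, a);
        const bool r2 = constant_time_equals(g, secret, b);
        std::cout << g << " naive=" << r1 << "/" << a << " ct=" << r2 << "/" << b << "\n";
    }
    return 0;
}
```

The naive step count grows with each correctly guessed leading byte, while the constant-time count stays at the supplied length for every guess.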