From 8910abc5882774c067dfc22cdf8bf8b830257608 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Fri, 13 Aug 2021 09:28:57 +0200
Subject: [PATCH 1/6] Enable hostname verification in UnbufferedAsioTlsStream

---
 lib/base/tlsstream.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp
index b72a88030..db54c919e 100644
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -37,6 +37,10 @@ void UnbufferedAsioTlsStream::BeforeHandshake(handshake_type type)
 {
 	namespace ssl = boost::asio::ssl;
 
+	if (!m_Hostname.IsEmpty()) {
+		X509_VERIFY_PARAM_set1_host(SSL_get0_param(native_handle()), m_Hostname.CStr(), m_Hostname.GetLength());
+	}
+
 	set_verify_mode(ssl::verify_peer | ssl::verify_client_once);
 
 	set_verify_callback([this](bool preverified, ssl::verify_context& ctx) {

From bf535969ac23962b65b72ea3893c6b384e1d3218 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Thu, 12 Aug 2021 16:42:23 +0200
Subject: [PATCH 2/6] ElasticsearchWriter: actually verify TLS server certificates

And add a new option insecure_noverify to explicitly disable it if desired.
---
 doc/09-object-types.md | 1 +
 lib/perfdata/elasticsearchwriter.cpp | 12 ++++++++++++
 lib/perfdata/elasticsearchwriter.ti | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/doc/09-object-types.md b/doc/09-object-types.md
index b2c8417f2..746ed7c14 100644
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
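Review bot: The return value of `X509_VERIFY_PARAM_set1_host()` in the added block is ignored; OpenSSL returns 0 when it cannot store the name, and in that case the handshake continues with chain validation only and no identity check, which is exactly the gap this patch is meant to close. I would abort instead, e.g. `if (!X509_VERIFY_PARAM_set1_host(SSL_get0_param(native_handle()), m_Hostname.CStr(), m_Hostname.GetLength())) { BOOST_THROW_EXCEPTION(std::runtime_error("Failed to set hostname for TLS certificate verification.")); }` (or whatever error path this file already uses). Note also that `set1_host` matches DNS names only (dNSName SAN / CN); if `m_Hostname` can ever be an IP literal, `X509_VERIFY_PARAM_set1_ip_asc()` is needed for an iPAddress SAN to match, so a comment such as `// m_Hostname is expected to be a DNS name; IP literals would need set1_ip_asc()` would save the next reader a trip. BeforeHandshake's signature precedes the hunk and its body (the verify callback) continues after it.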
@@ -1232,6 +1232,7 @@ Configuration Attributes:
   username | String | **Optional.** Basic auth username if Elasticsearch is hidden behind an HTTP proxy.
   password | String | **Optional.** Basic auth password if Elasticsearch is hidden behind an HTTP proxy.
   enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`. Requires an HTTP proxy.
+  insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
   ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
   cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
   key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.
diff --git a/lib/perfdata/elasticsearchwriter.cpp b/lib/perfdata/elasticsearchwriter.cpp
index 9ab277f20..97f906535 100644
--- a/lib/perfdata/elasticsearchwriter.cpp
+++ b/lib/perfdata/elasticsearchwriter.cpp
@@ -622,6 +622,18 @@ OptionalTlsStream ElasticsearchWriter::Connect()
 				<< "TLS handshake with host '" << GetHost() << "' on port " << GetPort() << " failed.";
 			throw;
 		}
+
+		if (!GetInsecureNoverify()) {
+			if (!tlsStream.GetPeerCertificate()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error("Elasticsearch didn't present any TLS certificate."));
+			}
+
+			if (!tlsStream.IsVerifyOK()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error(
+					"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
+				));
+			}
+		}
 	}
 
 	return std::move(stream);
diff --git a/lib/perfdata/elasticsearchwriter.ti b/lib/perfdata/elasticsearchwriter.ti
index a072220de..e3b8e27f5 100644
--- a/lib/perfdata/elasticsearchwriter.ti
+++ b/lib/perfdata/elasticsearchwriter.ti
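Review bot: The new post-handshake check only proves that the chain validated; whether the certificate was also bound to `GetHost()` depends on the hostname having been handed to the TLS stream when it was constructed earlier in Connect(), which is outside this hunk — if that construction passes no hostname, any certificate issued by the configured CA is accepted for any host, so please confirm it. When `insecure_noverify` is set nothing is logged, so an operator reading the log cannot tell that the connection is unauthenticated; I would add an `else` branch with `Log(LogWarning, "ElasticsearchWriter") << "TLS certificate verification for host '" << GetHost() << "' is disabled (insecure_noverify).";`. Connect() starts before the hunk.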
@@ -29,6 +29,9 @@ class ElasticsearchWriter : ConfigObject
 	[config] bool enable_tls {
 		default {{{ return false; }}}
 	};
+	[config] bool insecure_noverify {
+		default {{{ return false; }}}
+	};
 	[config] String ca_path;
 	[config] String cert_path;
 	[config] String key_path;

From d7133ae4298d133a088b25c9a71ffeb1f8164a8d Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Thu, 12 Aug 2021 16:43:29 +0200
Subject: [PATCH 3/6] GelfWriter: actually verify TLS server certificates

And add a new option insecure_noverify to explicitly disable it if desired.
---
 doc/09-object-types.md | 1 +
 lib/perfdata/gelfwriter.cpp | 12 ++++++++++++
 lib/perfdata/gelfwriter.ti | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/doc/09-object-types.md b/doc/09-object-types.md
index 746ed7c14..4208caee3 100644
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
@@ -1320,6 +1320,7 @@ Configuration Attributes:
   enable\_send\_perfdata | Boolean | **Optional.** Enable performance data for 'CHECK RESULT' events.
   enable\_ha | Boolean | **Optional.** Enable the high availability functionality. Only valid in a [cluster setup](06-distributed-monitoring.md#distributed-monitoring-high-availability-features). Defaults to `false`.
   enable\_tls | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
+  insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
   ca\_path | String | **Optional.** Path to CA certificate to validate the remote host. Requires `enable_tls` set to `true`.
   cert\_path | String | **Optional.** Path to host certificate to present to the remote host for mutual verification. Requires `enable_tls` set to `true`.
   key\_path | String | **Optional.** Path to host key to accompany the cert\_path. Requires `enable_tls` set to `true`.
diff --git a/lib/perfdata/gelfwriter.cpp b/lib/perfdata/gelfwriter.cpp
index 1ac5aa7fb..81cf66299 100644
--- a/lib/perfdata/gelfwriter.cpp
+++ b/lib/perfdata/gelfwriter.cpp
@@ -197,6 +197,18 @@ void GelfWriter::ReconnectInternal()
 				<< "TLS handshake with host '" << GetHost() << " failed.'";
 			throw;
 		}
+
+		if (!GetInsecureNoverify()) {
+			if (!tlsStream.GetPeerCertificate()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error("Graylog Gelf didn't present any TLS certificate."));
+			}
+
+			if (!tlsStream.IsVerifyOK()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error(
+					"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
+				));
+			}
+		}
 	}
 
 	SetConnected(true);
diff --git a/lib/perfdata/gelfwriter.ti b/lib/perfdata/gelfwriter.ti
index 2176fd877..387ee1487 100644
--- a/lib/perfdata/gelfwriter.ti
+++ b/lib/perfdata/gelfwriter.ti
@@ -34,6 +34,9 @@ class GelfWriter : ConfigObject
 	[config] bool enable_tls {
 		default {{{ return false; }}}
 	};
+	[config] bool insecure_noverify {
+		default {{{ return false; }}}
+	};
 	[config] String ca_path;
 	[config] String cert_path;
 	[config] String key_path;

From 6db8795ca4b6a853f49615279f068d4cf2b42087 Mon Sep 17 00:00:00 2001
From: Julian Brost
Date: Tue, 17 Aug 2021 16:19:51 +0200
Subject: [PATCH 4/6] InfluxdbWriter: actually verify TLS server certificates

And add a new option ssl_insecure_noverify to explicitly disable it if desired.
---
 doc/09-object-types.md | 1 +
 lib/perfdata/influxdbwriter.cpp | 12 ++++++++++++
 lib/perfdata/influxdbwriter.ti | 3 +++
 3 files changed, 16 insertions(+)

diff --git a/doc/09-object-types.md b/doc/09-object-types.md
index 4208caee3..bd2821234 100644
--- a/doc/09-object-types.md
+++ b/doc/09-object-types.md
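Review bot: In the context line directly above the new block the closing quote of the host name is misplaced: `<< " failed.'";` logs `host 'example failed.'` and should read `<< "' failed.";`, as the sibling ElasticsearchWriter and InfluxdbWriter messages do. The added verification mirrors the other writers, but here too the hostname part of the check only applies if the stream was created with `GetHost()` earlier in ReconnectInternal(), which is outside this hunk; please confirm. An `else` branch with `Log(LogWarning, "GelfWriter") << "TLS certificate verification for host '" << GetHost() << "' is disabled (insecure_noverify).";` would make unauthenticated connections visible in the log. ReconnectInternal() starts before the hunk.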
@@ -1640,6 +1640,7 @@ Configuration Attributes:
   username | String | **Optional.** InfluxDB user name. Defaults to `none`.
   password | String | **Optional.** InfluxDB user password. Defaults to `none`.
   ssl\_enable | Boolean | **Optional.** Whether to use a TLS stream. Defaults to `false`.
+  ssl\_insecure\_noverify | Boolean | **Optional.** Disable TLS peer verification.
   ssl\_ca\_cert | String | **Optional.** Path to CA certificate to validate the remote host.
   ssl\_cert | String | **Optional.** Path to host certificate to present to the remote host for mutual verification.
   ssl\_key | String | **Optional.** Path to host key to accompany the ssl\_cert.
diff --git a/lib/perfdata/influxdbwriter.cpp b/lib/perfdata/influxdbwriter.cpp
index 508fcff64..bcd5ba0e4 100644
--- a/lib/perfdata/influxdbwriter.cpp
+++ b/lib/perfdata/influxdbwriter.cpp
@@ -211,6 +211,18 @@ OptionalTlsStream InfluxdbWriter::Connect()
 				<< "TLS handshake with host '" << GetHost() << "' failed.";
 			throw;
 		}
+
+		if (!GetSslInsecureNoverify()) {
+			if (!tlsStream.GetPeerCertificate()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error("InfluxDB didn't present any TLS certificate."));
+			}
+
+			if (!tlsStream.IsVerifyOK()) {
+				BOOST_THROW_EXCEPTION(std::runtime_error(
+					"TLS certificate validation failed: " + std::string(tlsStream.GetVerifyError())
+				));
+			}
+		}
 	}
 
 	return std::move(stream);
diff --git a/lib/perfdata/influxdbwriter.ti b/lib/perfdata/influxdbwriter.ti
index 377c911ba..52c3c6802 100644
--- a/lib/perfdata/influxdbwriter.ti
+++ b/lib/perfdata/influxdbwriter.ti
@@ -29,6 +29,9 @@ class InfluxdbWriter : ConfigObject
 	[config] bool ssl_enable {
 		default {{{ return false; }}}
 	};
+	[config] bool ssl_insecure_noverify {
+		default {{{ return false; }}}
+	};
 	[config] String ssl_ca_cert {
 		default {{{ return ""; }}}
 	};

From b7dd909a30367a4b8389e9362f05a856bbd7b081 Mon Sep 17 00:00:00 2001
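Review bot: `GetSslInsecureNoverify()` is consulted only inside the TLS branch and nothing records that verification was skipped, so a stray `ssl_insecure_noverify = true` in production is completely silent; I would add an `else` branch with `Log(LogWarning, "InfluxdbWriter") << "TLS certificate verification for host '" << GetHost() << "' is disabled (ssl_insecure_noverify).";`. Because the flag has no effect without `ssl_enable`, the attribute row in doc/09-object-types.md should say so, matching the other `ssl_*` rows ("Requires `ssl_enable` set to `true`."). As with the other writers, the hostname part of the check relies on the stream having been constructed with `GetHost()` earlier in Connect(), outside this hunk, so that is worth confirming. Connect() starts before the hunk.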
From: Julian Brost
Date: Thu, 12 Aug 2021 17:01:49 +0200
Subject: [PATCH 5/6] GelfWriter: show error message of exceptions

---
 lib/perfdata/gelfwriter.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/perfdata/gelfwriter.cpp b/lib/perfdata/gelfwriter.cpp
index 81cf66299..7253b0e4a 100644
--- a/lib/perfdata/gelfwriter.cpp
+++ b/lib/perfdata/gelfwriter.cpp
@@ -126,10 +126,8 @@ void GelfWriter::AssertOnWorkQueue()
 
 void GelfWriter::ExceptionHandler(boost::exception_ptr exp)
 {
-	Log(LogCritical, "GelfWriter", "Exception during Graylog Gelf operation: Verify that your backend is operational!");
-
-	Log(LogDebug, "GelfWriter")
-		<< "Exception during Graylog Gelf operation: " << DiagnosticInformation(std::move(exp));
+	Log(LogCritical, "GelfWriter") << "Exception during Graylog Gelf operation: " << DiagnosticInformation(exp, false);
+	Log(LogDebug, "GelfWriter") << "Exception during Graylog Gelf operation: " << DiagnosticInformation(exp, true);
 
 	DisconnectInternal();
 }

From 88ed37454b7d8290d0f309784a166ab0d3c23326 Mon Sep 17 00:00:00 2001
From: Noah Hilverling
Date: Wed, 18 Aug 2021 17:26:46 +0200
Subject: [PATCH 6/6] Add 2.12.6 changelog and bump VERSION

---
 CHANGELOG.md | 13 +++++++++++++
 VERSION | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index abaa1cb35..6a7d306b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,19 @@ documentation before upgrading to a new release.
 
 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga2/milestones?state=closed).
 
+# 2.12.6 (2021-08-19)
+
+The main focus of these versions is a security vulnerability in the TLS certificate verification of our metrics writers ElasticsearchWriter, GelfWriter and InfluxdbWriter.
+
+### Security
+
+* Add TLS server certificate validation to ElasticsearchWriter, GelfWriter and InfluxdbWriter
+
+Depending on your setup, manual intervention beyond installing the new versions
+may be required, so please read the more detailed information in the
+[release blog post](https://icinga.com/blog/2021/08/19/icinga-2-13-1-security-release//)
+carefully
+
 ## 2.12.5 (2021-07-15)
 
 Version 2.12.5 fixes two security vulnerabilities that may lead to privilege
diff --git a/VERSION b/VERSION
index b961d2f9f..0a8d614e7 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-Version: 2.12.5
+Version: 2.12.6
 Revision: 1