You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Certificate renewal might incorrectly renew an invalid certificate
Critical
yhabteab
published
GHSA-7vcf-f5v9-3wr6May 27, 2025
Package
Icinga 2
Affected versions
≤ 2.14.5
Patched versions
2.14.6, 2.13.12, 2.12.12
Description
Impact
Note
If Icinga 2 is built with OpenSSL 1.1.0 (released in 2016) or later, it is NOT affected by this issue.
This can be checked by running icinga2 --version | grep OpenSSL.
The VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes.
For this to be exploited, a direct TLS connection to a master capable of signing certificates is required. The bug can also be triggered on other nodes. On these, it only results in an incorrect "Received certificate request for CN '[...]' signed by our CA." log message before forwarding the request. That forwarded request is then handled correctly by the master and doesn't trigger the issue.
This only happens with OpenSSL older than version 1.1.0 as it stored a valid flag in the certificate that causes some steps of the verification operation to be skipped. In case this flag is set from a previous operation, this can lead to an incorrect result. The flag in question was removed in OpenSSL 1.1.0, so if Icinga 2 is built with that or a later version, the certificate is always verified completely and the problem doesn't occur.
Note that for example RHEL 7 and derivatives like Amazon Linux 2 ship OpenSSL 1.0.2, hence Icinga 2 is vulnerable on these platforms.
Patches
The problem has been fixed in the following versions:
Users are advised to upgrade Icinga 2 to a fixed version on masters running with OpenSSL 1.0.2 or older immediately.
The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com.
Workarounds
For this to be exploited, a direct TLS connection to a master capable of signing certificates is required, giving two options for a workaround:
Restrict network access to the masters to only trusted entities.
Stop the master from signing any new certificates. This can be achieved by renaming the /var/lib/icinga2/ca directory. Note that this will prevent you from setting up new nodes as well as prevent existing nodes from renewing their certificates. Certificates are renewed around 30 days before their expiry date, so that's only a short-term solution as certificates will eventually expire otherwise.
Impact
Note
If Icinga 2 is built with OpenSSL 1.1.0 (released in 2016) or later, it is NOT affected by this issue.
This can be checked by running
icinga2 --version | grep OpenSSL.The
VerifyCertificate()function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes.For this to be exploited, a direct TLS connection to a master capable of signing certificates is required. The bug can also be triggered on other nodes. On these, it only results in an incorrect "Received certificate request for CN '[...]' signed by our CA." log message before forwarding the request. That forwarded request is then handled correctly by the master and doesn't trigger the issue.
This only happens with OpenSSL older than version 1.1.0 as it stored a valid flag in the certificate that causes some steps of the verification operation to be skipped. In case this flag is set from a previous operation, this can lead to an incorrect result. The flag in question was removed in OpenSSL 1.1.0, so if Icinga 2 is built with that or a later version, the certificate is always verified completely and the problem doesn't occur.
Note that for example RHEL 7 and derivatives like Amazon Linux 2 ship OpenSSL 1.0.2, hence Icinga 2 is vulnerable on these platforms.
Patches
The problem has been fixed in the following versions:
Users are advised to upgrade Icinga 2 to a fixed version on masters running with OpenSSL 1.0.2 or older immediately.
The source code for the new versions can be found in our Git repository. Updated binary packages are available on packages.icinga.com.
Workarounds
For this to be exploited, a direct TLS connection to a master capable of signing certificates is required, giving two options for a workaround:
/var/lib/icinga2/cadirectory. Note that this will prevent you from setting up new nodes as well as prevent existing nodes from renewing their certificates. Certificates are renewed around 30 days before their expiry date, so that's only a short-term solution as certificates will eventually expire otherwise.References