CVE-2021-32743 – Icinga 2 monitoring system exposes sensitive cr... (How to Fix)

Q: What is the severity of CVE-2021-32743?

CVE-2021-32743 has a CVSS score of 8.8 (HIGH). Icinga 2 monitoring system exposes sensitive credentials (database, Redis, Elasticsearch passwords) through its API to authenticated users with read permissions. This allows attackers who obtain API access to impersonate Icinga and potentially modify or delete monitoring data. Affects Icinga 2 versions before 2.11.10 and 2.12.0 through 2.12.4.

📋 TL;DR

Icinga 2 monitoring system exposes sensitive credentials (database, Redis, Elasticsearch passwords) through its API to authenticated users with read permissions. This allows attackers who obtain API access to impersonate Icinga and potentially modify or delete monitoring data. Affects Icinga 2 versions before 2.11.10 and 2.12.0 through 2.12.4.

💻 Affected Systems

Products:

Icinga 2

Versions: All versions before 2.11.10, and versions 2.12.0 through 2.12.4

Operating Systems: All platforms running Icinga 2

Default Config Vulnerable: ⚠️ Yes

Notes: Affects IdoMysqlConnection, IdoPgsqlConnection (all versions), IcingaDB (2.12.0+), and ElasticsearchWriter (2.8.0+) features when configured with credentials.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full control over Icinga's backend databases (MySQL/PostgreSQL), Redis cache, and Elasticsearch monitoring data, allowing data destruction, service disruption, and lateral movement to other systems using those credentials.

🟠

Likely Case

Attacker with API access extracts credentials and modifies monitoring data, causing false alerts, hiding real issues, or disrupting monitoring operations.

🟢

If Mitigated

With proper API access controls and network segmentation, impact limited to credential exposure without ability to reach backend services.

🌐 Internet-Facing: HIGH if Icinga API is exposed to internet with vulnerable versions, as attackers can exploit exposed credentials.

🏢 Internal Only: MEDIUM as it requires authenticated API access, but internal attackers or compromised accounts could exploit it.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated API access with read permissions for affected object types. Simple API queries can extract credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.10 or 2.12.5 and later

Vendor Advisory: https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7

Restart Required: Yes

Instructions:

1. Backup Icinga configuration and data. 2. Upgrade to Icinga 2.11.10+ or 2.12.5+ using package manager (apt/yum) or from source. 3. Restart Icinga 2 service: systemctl restart icinga2. 4. Verify API no longer exposes credentials.

🔧 Temporary Workarounds

Restrict API User Permissions

all

Limit API user permissions to prevent querying affected object types (IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, ElasticsearchWriter).

# Edit API user configuration in /etc/icinga2/conf.d/api-users.conf
# Add filter rules or explicitly list allowed object types
# Example: object_filter = "host.name == \"specific-host\""

🧯 If You Can't Patch

Implement strict network segmentation to isolate Icinga API from backend services (databases, Redis, Elasticsearch).
Rotate all exposed credentials (database, Redis, Elasticsearch passwords) immediately and monitor for unauthorized access.

🔍 How to Verify

Check if Vulnerable:

Check Icinga version: icinga2 --version. If version is <2.11.10 or between 2.12.0-2.12.4, system is vulnerable. Also verify if API users have read permissions for affected object types.

Check Version:

icinga2 --version | grep 'version'

Verify Fix Applied:

After patching, attempt to query credentials via API (e.g., using curl to query IdoMysqlConnection objects) and confirm passwords are not returned.

📡 Detection & Monitoring

Log Indicators:

Unusual API queries for IdoMysqlConnection, IdoPgsqlConnection, IcingaDB, or ElasticsearchWriter objects
Failed authentication attempts to backend services using Icinga credentials

Network Indicators:

Unexpected connections from Icinga server IPs to database/Redis/Elasticsearch ports
API traffic patterns showing credential extraction attempts

SIEM Query:

source="icinga2.log" AND ("IdoMysqlConnection" OR "IdoPgsqlConnection" OR "IcingaDB" OR "ElasticsearchWriter") AND "query"

📊 Metadata

CVE ID: CVE-2021-32743

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-202

Published: July 15, 2021

Last Updated: November 3, 2025

🔗 References

https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 Exploit,Third Party Advisory
https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ Exploit,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html Mailing List,Third Party Advisory
https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7 Exploit,Third Party Advisory
https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/ Exploit,Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html Mailing List,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-32743, you might also want to check these: