CVE-2021-37698: 
Icinga vulnerability analysis and mitigation

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. A vulnerability (CVE-2021-37698) was identified in versions 2.5.0 through 2.13.0, where ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer components failed to verify the server's certificate despite a certificate authority being specified (GitHub Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is categorized under CWE-295 (Improper Certificate Validation). The vulnerability specifically affects the TLS certificate verification mechanism in the metrics writers components, where server certificates were not being validated even when a certificate authority was specified (NVD).

The vulnerability could allow attackers to perform man-in-the-middle attacks on TLS connections between Icinga 2 and the affected time series databases (TSDBs). This could potentially lead to unauthorized access to sensitive information transmitted between these components (GitHub Advisory).

The vulnerability has been patched in versions 2.13.1, 2.12.6, and 2.11.11. Organizations are strongly advised to upgrade to these versions immediately. Additionally, it is recommended to change any credentials used by the TSDB writer feature to authenticate against the TSDB. There are no workarounds available aside from upgrading (GitHub Advisory).