ID: 13324
Title: Shipping software bill of materials with Checkmk
Component: Site Management
Level: 1
Class: Security fix
Version: 2.1.0i1
A software bill of materials can be used to analyze the components that are
part of Checkmk. An accurate inventory of all components enables organizations
to identify risk, allows for greater transparency, and enables rapid impact
analysis.
Checkmk packages are now shipping a BOM in OWASP CycloneDX format. As of
Checkmk 2.1.0 and 2.0.0p18 it can be found in each site at the path
<tt>share/doc/bill-of-materials.json</tt>.
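As an added example (not Checkmk's own code), a small Python reader for a BOM in this format: it checks that the document is CycloneDX, lists the components it declares and matches one component against a set of affected versions, which is the kind of impact analysis the inventory is meant to support. The sample BOM, component names and version values below are constructed for illustration.

```python
import json
import sys

# Constructed sample in the CycloneDX JSON layout used by
# share/doc/bill-of-materials.json. The components are made up and do
# not describe any real Checkmk build.
SAMPLE_BOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.2.3",
     "purl": "pkg:pypi/example-lib@1.2.3"},
    {"type": "library", "name": "other-lib", "version": "0.9.0"}
  ]
}
"""


def load_components(bom_text):
    """Parse a CycloneDX JSON BOM and return its components as
    (name, version, purl) tuples; purl is None when the entry has none."""
    bom = json.loads(bom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [
        (c.get("name"), c.get("version"), c.get("purl"))
        for c in bom.get("components", [])
    ]


def find_affected(components, name, affected_versions):
    """Return the versions of `name` present in the BOM that appear in
    `affected_versions` (e.g. the versions listed in an advisory)."""
    return sorted(
        v for n, v, _ in components
        if n == name and v in affected_versions
    )


if __name__ == "__main__":
    # Read a real BOM when a path is given, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOM
    for name, version, purl in load_components(text):
        print(f"{name} {version} {purl or ''}")
```

Run it with the path to a site's bill-of-materials.json to list that site's components.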
ID: 13322
Title: Limit executable php scripts to NagVis files
Component: Site Management
Level: 1
Class: Security fix
Version: 2.1.0i1
Previously, the web server was able to execute <tt>.php</tt> files from all
locations reachable by the user. With this change, we now limit the
execution of php files to the paths the default installation needs for
NagVis.
Please note: In case you intentionally installed php files in your site to
access them through the site web server, you may now need to extend your site's
web server configuration to make them work again as before.
For example, if you installed one file to <tt>var/www/my_script.php</tt>, you
can make it usable again with the following configuration
<tt>etc/apache/conf.d/my_script.conf</tt>:
C+:
<Location "/[site_id]/my_script.php">
Options +ExecCGI
</Location>
C-:
ID: 13321
Title: NagVis: Updated to 1.9.29 (Fix possible deletion of arbitrary files)
Component: Other Components
Level: 1
Class: Security fix
Version: 2.1.0i1
Fix possible deletion of arbitrary files (CVE-2021-33178).
An authenticated user with enough permissions to access the NagVis
ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the
server, limited by the rights of the Apache system user. In Checkmk, this is
limited to files owned by the site user.
CVSS 3.1 base score: 4.5 (medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/…
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33178