Checkmk werks security December 2021

checkmk-werks-sec@lists.checkmk.com

1 participants
3 discussions

Checkmk Werk 13324: Shipping software bill of materials with Checkmk

by Lars Michelsen

ID: 13324 Title: Shipping software bill of materials with Checkmk Component: Site Management Level: 1 Class: Security fix Version: 2.1.0i1 A software bill of materials can be used to analyze the components that are part of Checkmk. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis. Checkmk packages are now shipping a BOM in OWASP CycloneDX format. As of Checkmk 2.1.0 and 2.0.0p18 it can be found in each site at the path <tt>share/doc/bill-of-materials.json</tt>.

2 years, 5 months

Checkmk Werk 13322: Limit executable php scripts to NagVis files

by Lars Michelsen

ID: 13322 Title: Limit executable php scripts to NagVis files Component: Site Management Level: 1 Class: Security fix Version: 2.1.0i1 Previously the web server was able to execute <tt>.php</tt> files from all locations that are callable by the user. With this change, we now limit the execution of php files to the paths we need in the default installation for NagVis. Please note: In case you intentionally installed php files in your site to access them through the site web server, you may now need to extend your sites web server configuration to make it work again as before. For example, if you installed one file to <tt>var/www/my_script.php</tt>, you can make it usable again with the following configuration <tt>etc/apache/conf.d/my_script.conf</tt>: C+: <Location "/[site_id]/my_script.php"> Options +ExecCGI </Location> C-:

2 years, 5 months

Checkmk Werk 13321: NagVis: Updated to 1.9.29 (Fix possible deletion of arbitrary files)

by Lars Michelsen

ID: 13321 Title: NagVis: Updated to 1.9.29 (Fix possible deletion of arbitrary files) Component: Other Components Level: 1 Class: Security fix Version: 2.1.0i1 Fix possible deletion of arbitrary files (CVE-2021-33178). An authenticated user with enough permissions to access the NagVis. ManageBackgrounds endpoint, such as admin, can delete arbitrary files on the server limited by the rights of the Apache system user. In Checkmk, this is limited to files owned by the site user. CVSS 3.1 base score: 4.5 (medium) CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/… https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33178

2 years, 5 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Checkmk werks security December 2021