ID: 15687
Title: Update openssl to 1.1.1t
Component: Core & setup
Level: 1
Class: Security fix
Version: 2.3.0b1
With this Werk openssl is updated from 1.1.1q to 1.1.1t.
This fixes several CVEs:
LI: CVE-2023-0215
LI: CVE-2023-0286
LI: CVE-2023-0464
LI: CVE-2023-0465
LI: CVE-2023-0466
LI: CVE-2022-4304
LI: CVE-2022-4450
To our knowledge none of these vulnerabilities is exploitable in Checkmk.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.
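A practical check for this Werk, added here as an example and not part of the Werk or of Checkmk's own code, is to confirm which OpenSSL the site's bundled Python is linked against (run it with the site's own python3, e.g. after `omd su <site>`), and to compare that banner against 1.1.1t. The sample banners below are constructed strings, not captured output; the release dates in them are illustrative.

```python
import re
import ssl

# OpenSSL 1.1.1 patch releases are lettered (1.1.1a .. 1.1.1w) and sort alphabetically,
# so a single letter comparison is enough within that branch.
FIXED_LETTER = "t"

_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.1.1t  7 Feb 2023' into (major, minor, patch, letter).

    Returns None if the string is not an OpenSSL version banner (LibreSSL, garbage, ...).
    """
    match = _BANNER_RE.match(banner.strip())
    if not match:
        return None
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_patched_1_1_1(banner):
    """True if the banner is OpenSSL 1.1.1t or a later 1.1.1 letter release, False if older.

    Returns None for any other branch (for example 3.0.x): this Werk only covers the
    1.1.1 series, so the comparison says nothing about other branches.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None or parsed[:3] != (1, 1, 1):
        return None
    return parsed[3] >= FIXED_LETTER


def check_interpreter():
    """Return (banner, verdict) for the OpenSSL the running interpreter was built against."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_patched_1_1_1(banner)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real system.
    for sample in ("OpenSSL 1.1.1q  5 Jul 2022", "OpenSSL 1.1.1t  7 Feb 2023"):
        print(sample, "->", is_patched_1_1_1(sample))
    banner, ok = check_interpreter()
    print("this interpreter:", banner, "->", ok)
```

Run inside the site, `ok` should be True for a Checkmk build that contains this Werk; None means the interpreter links a different OpenSSL branch and the letter comparison does not apply.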
Dear Checkmk users,
this mailing list will now be migrated to a new server at lists.checkmk.com.
Let's say farewell to the last mathias-kettner.de server.
--
Alexander Wilms
Head of IT
Checkmk - The IT monitoring platform | checkmk.com <https://www.checkmk.com>
alex.wilms(a)checkmk.com | Phone: +49 89 9982097 0
Subscribe to our newsletter <https://go.checkmk.com/newsletter>! | Sign up for our newsletter (German) <https://go.checkmk.com/de/newsletter>!
Checkmk GmbH
Kellerstraße 27, 81667 München, Germany
Amtsgericht München, HRB 165902
Managing directors: Jan Justus, Mathias Kettner
ID: 13982
Title: Reading host_configs will now honour contact groups
Component: REST API
Level: 1
Class: Security fix
Version: 2.3.0b1
Prior to this Werk it was possible for a user to read a host's configuration
(using GET on '/objects/host_config/<host_name>') even if that user was not
in the contact group of that host.
The REST API now checks the user's permissions before serving a response and
returns a 403 error if the user is not allowed to access the host's configuration.
<b>Affected Versions</b>:
LI: 2.2.0 (beta)
LI: 2.1.0
<b>Vulnerability Management</b>:
We calculated a CVSS 3.1 score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
We assigned CVE-2023-22348 to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
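A regression probe for this Werk, added here as an example that is not part of the Werk or of Checkmk's own code: log in as a normal (non-admin) user who is deliberately not in the target host's contact group and GET the endpoint. After the fix the answer must be 403; a 200 for such a user means the affected behaviour is still present. The server URL, site name, host name and credentials are placeholders, the `api/1.0` path segment and the `Bearer <user> <secret>` header form are assumptions about the REST API, and the `fake_opener` responses are constructed so the decision logic can be exercised offline.

```python
import json
import sys
import urllib.error
import urllib.request

API_VERSION = "1.0"  # assumed REST API path version for the affected releases


def host_config_url(server, site, host_name):
    """Build the URL of the endpoint this Werk fixes."""
    return f"{server}/{site}/check_mk/api/{API_VERSION}/objects/host_config/{host_name}"


def fetch_host_config(url, username, secret, opener=urllib.request.urlopen):
    """GET the host_config as the given user and return (status, body_or_None).

    'opener' is injectable so the interpretation can be tested without a server.
    """
    request = urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {username} {secret}",  # assumed header form
            "Accept": "application/json",
        },
    )
    try:
        with opener(request) as response:
            return response.status, json.load(response)
    except urllib.error.HTTPError as err:
        return err.code, None


def verdict(status):
    """Interpret the status for a probe user who is NOT in the host's contact group."""
    if status == 403:
        return "fixed"  # the contact-group check is enforced
    if status == 200:
        return "vulnerable"  # the config was served to a user outside the contact group
    return "inconclusive"  # wrong credentials, unknown host, server error, ...


def probe(server, site, host_name, username, secret, opener=urllib.request.urlopen):
    url = host_config_url(server, site, host_name)
    status, _body = fetch_host_config(url, username, secret, opener)
    return status, verdict(status)


class _FakeResponse:
    """Minimal stand-in for an HTTP response (constructed, for offline runs)."""

    def __init__(self, status, body):
        self.status = status
        self._body = body

    def read(self, *_args):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *_exc):
        return False


def fake_opener(status, body=b'{"id": "somehost"}'):
    """Return an opener that answers every request with a constructed status/body."""

    def _open(request):
        if status >= 400:
            raise urllib.error.HTTPError(request.full_url, status, "constructed", {}, None)
        return _FakeResponse(status, body)

    return _open


if __name__ == "__main__":
    if len(sys.argv) == 6:
        # Usage: python3 probe.py https://monitoring.example.com mysite somehost probeuser secret
        print(probe(*sys.argv[1:6]))
    else:
        # Offline demonstration with constructed answers.
        for status in (403, 200, 404):
            print(status, "->", probe("https://mon.example.com", "mysite", "somehost",
                                      "probeuser", "s3cret", opener=fake_opener(status)))
```

The probe user must be a plain user without the admin role; an admin can read every host's configuration legitimately, so a 200 for such a user proves nothing about this Werk.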