Werk 16234 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.1.0p41
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
------------------------------------<diff>-------------------------------------------
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^ -
+ Version: 2.1.0p41
? ^ +
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
+ 2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
Title: mk_informix: Do not allow privilege escalation
Class: security
Compatible: compat
Component: checks
Date: 1709909870
Edition: cre
Level: 1
Version: 2.1.0p41
The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well.
By adding scripts named the same as other functionality found in <code>$PATH</code> to <code>$INFORMIXDIR/bin</code>, <code>$PATH</code> functionality could also be overshadowed and the custom executed as root.
Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges.
With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>.
The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.2.0p24
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
Title: mk_oracle(ps1): Prevent privilege esclation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.1.0p41
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
Werk 16362 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Update Python version for Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1709283564
Edition: cee
Level: 1
Version: 2.2.0p25
When agent plugins are configured for a windows agent the baked package for windows contains a Python version.
This version is updated from 3.11.7 to 3.11.8.
This contains an update from openssl 3.0.11 to 3.0.13 and a fix for:
* CVE-2024-0727
* CVE-2023-6237
* CVE-2023-6129
* CVE-2023-5678
* CVE-2023-5363
To our knowledge none of these vulnerabilities were exploitable in this setup.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.
------------------------------------<diff>-------------------------------------------
Title: Update Python version for Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1709283564
Edition: cee
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
When agent plugins are configured for a windows agent the baked package for windows contains a Python version.
This version is updated from 3.11.7 to 3.11.8.
This contains an update from openssl 3.0.11 to 3.0.13 and a fix for:
* CVE-2024-0727
* CVE-2023-6237
* CVE-2023-6129
* CVE-2023-5678
* CVE-2023-5363
To our knowledge none of these vulnerabilities were exploitable in this setup.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.
Title: mk_informix: Do not allow privilege escalation
Class: security
Compatible: compat
Component: checks
Date: 1709909870
Edition: cre
Level: 1
Version: 2.2.0p24
The informix database monitoring plugin would previously <code>eval</code> statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin is usually run as root, this could cause statements injected in <code>$INFORMIXDIR/bin/onstat</code> to be run as root as well.
By adding scripts named the same as other functionality found in <code>$PATH</code> to <code>$INFORMIXDIR/bin</code>, <code>$PATH</code> functionality could also be overshadowed and the custom executed as root.
Finally, <code>$INFORMIXDIR/bin/onstat</code> would be executed as root, allowing a substituted script to be run with elevated privileges.
With this werk, the environment variables will be exported instead and <code>$PATH</code> will now be searched before <code>$INFORMIXDIR/bin</code>.
The plugin will now also check if <code>$INFORMIXDIR/bin/onstat</code> belongs to root if the plugin is executed as root. If not, it will be executed as the user owning the executable.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.2.0p24
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
Title: mk_oracle(ps1): Prevent privilege esclation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.2.0p24
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
[//]: # (werk v2)
# Hide credentials in ps output for mk_oracle
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-02-20T18:39:35+00:00
level | 1
class | security
component | checks
edition | cre
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
[//]: # (werk v2)
# mk_oracle(ps1): Prevent privilege esclation to root
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-01-17T08:20:43+00:00
level | 3
class | security
component | checks
edition | cre
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
* 2.3.0 (beta)
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.