Module: check_mk
Branch: master
Commit: 0fe2a45b299a8f5c5da332410eec2c45aac2ba1e
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0fe2a45b299a8f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 16:01:20 2014 +0200
Fix code injection for logged in users via automation url
This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
<i>The check_mk applications uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly state, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with a module called <tt>ast</tt>. Unfortunately
this module is not available on Centos/RedHat 5.X and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
to older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
Conflicts:
web/plugins/config/wato.py
---
.werks/984 | 28 ++++++++++++++++++++++++++++
ChangeLog | 2 ++
web/htdocs/wato.py | 14 ++++++++++++--
web/plugins/config/wato.py | 1 +
web/plugins/wato/check_mk_configuration.py | 14 ++++++++++++++
5 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/.werks/984 b/.werks/984
new file mode 100644
index 0000000..2af5ca2
--- /dev/null
+++ b/.werks/984
@@ -0,0 +1,28 @@
+Title: Fix code injection for logged in users via automation url
+Level: 2
+Component: wato
+Class: incomp
+State: unknown
+Version: 1.2.5i4
+Date: 1401195677
+
+This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
+
+<i>The check_mk applications uses insecure API calls, which allow an attacker
+to execute arbitrary code on the server by issuing just a single URL. The
+reason for this is the usage of the insecure "pickle" API call. Apparently
+this was modified as a security means from a former version, which used
+"eval"-like structures with untrusted input data. Anyhow, as the python API
+documentation clearly state, "pickle" should be considered unsafe as well,
+see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
+
+The fix replaces <tt>pickle<tt> with a module called <tt>ast</tt>. Unfortunately
+this module is not available on Centos/RedHat 5.X and Debian 5. On these
+systems WATO still uses <tt>pickle</tt>, even with this fix.
+
+<b>Note:</b> This change makes the current Check_MK versions incompatible
+to older versions. In a mixed environment with old and new Check_MK versions or with old
+and newer Python versions you have to force WATO to use the old
+unsafe method by setting <tt>wato_legacy_eval = True<tt> in <tt>multisite.mk</tt>.
+This can also be done with the new global WATO setting <i>Use unsafe legacy
+encoding for distributed WATO</i>.
diff --git a/ChangeLog b/ChangeLog
index 57219a8..4facaf0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,8 @@
* 0822 FIX: Sorting columns in view dashlets is now working again
WATO:
+ * 0984 Fix code injection for logged in users via automation url...
+ NOTE: Please refer to the migration notes!
* 0987 New button for updating DNS cache...
* 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs...
* 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index edf2644..972ea68 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -16964,12 +16964,22 @@ def validate_all_hosts(hostnames, force_all = False):
# '----------------------------------------------------------------------'
import base64
+try:
+ import ast
+except:
+ ast = None
def mk_eval(s):
- return pickle.loads(base64.b64decode(s))
+ if ast and not config.wato_legacy_eval:
+ return ast.literal_eval(base64.b64decode(s))
+ else:
+ return pickle.loads(base64.b64decode(s))
def mk_repr(s):
- return base64.b64encode(pickle.dumps(s))
+ if ast and not config.wato_legacy_eval:
+ return base64.b64encode(repr(s))
+ else:
+ return base64.b64encode(pickle.dumps(s))
# Returns true when at least one folder is defined in WATO
def have_folders():
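Review bot: The bare `except:` around `import ast` swallows every exception, not just a missing module, and on any such error silently selects the `pickle` path this commit is trying to retire; narrow it to `except ImportError:` so only the genuinely-unavailable case falls back. In the new `mk_eval`, `ast.literal_eval` still parses untrusted text and raises `ValueError`/`SyntaxError` (and can raise `MemoryError` on very deeply nested input) rather than returning a handled error, so the caller of the automation URL should treat those as a bad request instead of letting them propagate. `mk_repr` relies on `repr(s)` producing something `literal_eval` accepts, which holds only for plain Python data; a comment stating that contract, e.g. `# Only plain literals (dict/list/tuple/str/number/None) round-trip through repr()/literal_eval()`, would help the next maintainer. `have_folders`, defined on the last line of the hunk, continues outside it.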
diff --git a/web/plugins/config/wato.py b/web/plugins/config/wato.py
index 590a145..844ed8b 100644
--- a/web/plugins/config/wato.py
+++ b/web/plugins/config/wato.py
@@ -40,6 +40,7 @@ wato_write_nagvis_auth = False
wato_use_git = False
wato_hidden_users = []
wato_user_attrs = []
+wato_legacy_eval = False
def tag_alias(tag):
for entry in wato_host_tags:
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index dd48836..4a0aaac 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -483,6 +483,20 @@ register_configvar(group,
domain = "multisite"
)
+register_configvar(group,
+ "wato_legacy_eval",
+ Checkbox(
+ title = _("Use unsafe legacy encoding for distributed WATO"),
+ help = _("The current implementation of WATO uses a Python module called <tt>ast</tt> for the "
+ "communication between sites. Previous versions of Check_MK used an insecure encoding "
+ "named <tt>pickle</tt>. Even in the current version WATO falls back to <tt>pickle</tt> "
+ "if your Python version is not recent enough. This is at least the case for RedHat/CentOS 5.X "
+ "and Debian 5.0. In a mixed environment you can force using the legacy <tt>pickle</tt> format "
+ "in order to create compatibility."),
+ ),
+ domain = "multisite"
+)
+
register_configvar(group,
"wato_hide_filenames",
Module: check_mk
Branch: master
Commit: 076468b10e660abdeaaaa6c459a4aa3ce8e07722
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=076468b10e660a…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue May 27 11:46:07 2014 +0200
FIX Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
nagios) application with the access rights of the logged in victim.
The fix applies to the function:
htmllib.py: render_status_icons()
actions.py: ajax_action()
---
.werks/982 | 20 ++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/actions.py | 2 +-
web/htdocs/htmllib.py | 2 +-
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/.werks/982 b/.werks/982
new file mode 100644
index 0000000..0ff464c
--- /dev/null
+++ b/.werks/982
@@ -0,0 +1,20 @@
+Title: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
+Level: 2
+Component: multisite
+Class: security
+State: unknown
+Version: 1.2.5i4
+Date: 1401183811
+
+This fixes the following issue:
+
+The check_mk application is susceptible to reflected XSS attacks. This is
+mainly the result of inproper output encoding. Reflected XSS can be triggered
+by sending a malicious URL to a user of the check_mk application. Once the
+XSS attack is triggered, the attacker has access to the full check_mk (and
+nagios) application with the access rights of the logged in victim.
+
+The fix applies to the function:
+
+htmllib.py: render_status_icons()
+actions.py: ajax_action()
diff --git a/ChangeLog b/ChangeLog
index 4ddd575..7b578f3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@
* 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)...
Multisite:
+ * 0982 SEC: Fix two XSS weaknesses according to CVSS 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C...
* 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN...
* 0166 FIX: mobile gui: Fixed colors of command list...
* 0820 FIX: Fixed wrong NagVis links in "custom links" snapin
diff --git a/web/htdocs/actions.py b/web/htdocs/actions.py
index 20e9ebd..05e894e 100644
--- a/web/htdocs/actions.py
+++ b/web/htdocs/actions.py
@@ -34,7 +34,7 @@ def ajax_action():
if action == "reschedule":
action_reschedule()
else:
- raise MKGeneralException("Invalid action '%s'" % action)
+ raise MKGeneralException("Invalid action.")
except Exception, e:
html.write("['ERROR', %r]\n" % str(e))
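Review bot: Dropping `action` from the message closes only one reflection point: any other exception raised inside the `try` (which begins outside the hunk) still reaches `html.write("['ERROR', %r]\n" % str(e))` with its text unencoded, so an exception message that echoes request data would be reflected in the same way if the response is interpreted as HTML. Encoding at the write point covers every message rather than one, e.g. `html.write("['ERROR', %r]\n" % html.attrencode(str(e)))`, assuming the `html` object here offers the same `attrencode` helper the valuespec fix on this page uses. `ajax_action` starts before the hunk.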
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index eceb14b..afde184 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -244,7 +244,7 @@ class html:
vars = [ i for i in vars if not i[0].startswith(remove_prefix) ]
vars = vars + addvars
if filename == None:
- filename = self.myfile + ".py"
+ filename = self.urlencode(self.myfile) + ".py"
if vars:
return filename + "?" + self.urlencode_vars(vars)
else:
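Review bot: The URL-encoding is applied only in the `filename == None` default branch; a `filename` supplied by the caller is concatenated as-is on the following lines, so the protection depends on every caller passing a literal, which the hunk cannot show. If any caller derives it from request data the same reflection reappears, so either encode the caller-provided value as well or document on the method that `filename` must not come from user input. As a style point, `filename == None` should be `filename is None`. The enclosing method of `class html` starts outside the hunk.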
Module: check_mk
Branch: master
Commit: f5415dab2097902aa92180ca4434b4f32318d67d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f5415dab209790…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 08:43:42 2014 +0200
SEC Valuespecs: Fixed several possible HTML injections in valuespecs
Several HTML injections in valuespecs of different types (mostly used in WATO)
were missing good escaping of values. This has been added to prevent HTML
code injections which could be used for XSS attacks. This only affects WATO
and logged in users who are permitted to use WATO and open the page
(e.g. the list of rules) which displays the values.
---
.werks/824 | 12 ++++++++++++
ChangeLog | 1 +
web/htdocs/valuespec.py | 8 ++++----
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/.werks/824 b/.werks/824
new file mode 100644
index 0000000..629d2e1
--- /dev/null
+++ b/.werks/824
@@ -0,0 +1,12 @@
+Title: Valuespecs: Fixed several possible HTML injections in valuespecs
+Level: 1
+Component: wato
+Version: 1.2.5i4
+Date: 1403505656
+Class: security
+
+Several HTML injections in valuespecs of different types (mostly used in WATO)
+were missing good escaping of values. This has been added to prevent HTML
+code injections which could be used for XSS attacks. This only affects WATO
+and logged in users which are permitted to use WATO and open the page
+(e.g. the list of rules) which displays the values.
diff --git a/ChangeLog b/ChangeLog
index 7492526..4ddd575 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
WATO:
* 0987 New button for updating DNS cache...
+ * 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs...
* 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions...
* 0935 FIX: CPU utilization: increased maximum value to 10000...
* 0821 FIX: Reducing size of auth.php (needed for authorisation in NagVis) in large environments...
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 477ed21..31afeab 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -464,7 +464,7 @@ class EmailAddress(TextAscii):
if not value:
return TextAscii.value_to_text(self, value)
elif self._make_clickable:
- return '<a href="mailto:%s">%s</a>' % (value, value)
+ return '<a href="mailto:%s">%s</a>' % (html.attrencode(value), html.attrencode(value))
else:
return value
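Review bot: The non-clickable branch `else: return value` on the last two lines still returns the raw string while the clickable branch now escapes it; both results go to the same caller, so this branch keeps the HTML injection the commit fixes unless `TextAscii.value_to_text` or the caller escapes, which the hunk does not show. Returning `html.attrencode(value)` there makes the method consistent. `EmailAddress.value_to_text` starts outside the hunk.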
@@ -566,7 +566,7 @@ class HTTPUrl(TextAscii):
# any path component
return '<a %shref="%s">%s</a>' % (
(self._target and 'target="%s" ' % self._target or ""),
- url, text)
+ html.attrencode(url), html.attrencode(text))
class TextAreaUnicode(TextUnicode):
def __init__(self, **kwargs):
@@ -1031,7 +1031,7 @@ class DropdownChoice(ValueSpec):
return title.split(self._help_separator, 1)[0].strip()
else:
return title
- return _("(other: %s)" % value)
+ return _("(other: %s)" % html.attrencode(value))
def from_html_vars(self, varprefix):
sel = html.var(varprefix)
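Review bot: `_("(other: %s)" % html.attrencode(value))` formats before translating, so the string looked up in the catalog already contains the user's value and never matches the `"(other: %s)"` entry, and the value itself is handed to gettext; the pattern predates the commit but the line is rewritten here. Translate the template, then interpolate: `return _("(other: %s)") % html.attrencode(value)`. The enclosing `DropdownChoice` method starts outside the hunk.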
@@ -2224,7 +2224,7 @@ class Alternative(ValueSpec):
output = "%s<br>" % vs.title()
return output + vs.value_to_text(value)
else:
- return _("invalid:") + " " + str(value)
+ return _("invalid:") + " " + html.attrencode(str(value))
def from_html_vars(self, varprefix):
nr = int(html.var(varprefix + "_use"))
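Review bot: `str(value)` in the new line raises `UnicodeEncodeError` under Python 2 (the code base uses `except Exception, e` syntax elsewhere on this page) when `value` is a unicode object containing non-ASCII characters, so the "invalid" branch can itself crash on the kind of input it is meant to display. Using `"%s" % value` or `unicode(value)` before `html.attrencode` avoids the implicit ASCII encode; whether `attrencode` accepts unicode is not visible here. `Alternative.value_to_text` starts outside the hunk.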
Module: check_mk
Branch: master
Commit: 542ad68c24edb8018c49ea42b15d98fa14518e77
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=542ad68c24edb8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 08:01:38 2014 +0200
FIX mk_sap: Fixed some wrong calculated values (decimal numbers)
The values provided by SAP seem to be integers with a second value
which can be used to tell the asking program the number of decimals.
e.g. when this value states 2, a load value of 901 is converted to
9.01. This value has not been used in the past which led to odd
check results.
---
.werks/823 | 12 ++++++++++++
ChangeLog | 1 +
2 files changed, 13 insertions(+)
diff --git a/.werks/823 b/.werks/823
new file mode 100644
index 0000000..d703fb8
--- /dev/null
+++ b/.werks/823
@@ -0,0 +1,12 @@
+Title: mk_sap: Fixed some wrong calculated values (decimal numbers)
+Level: 1
+Component: checks
+Version: 1.2.5i4
+Date: 1403503150
+Class: fix
+
+The values provided by SAP seem to be integers with a second value
+which can be used to tell the asking program the number of decimals.
+e.g. when this value states 2, a load value of 901 is converted to
+9.01. This value has not been used in the past which lead to odd
+check results.
diff --git a/ChangeLog b/ChangeLog
index c0fcce9..d7cf952 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,7 @@
* 0819 FIX: Fixed keepalive termination in case of exceptions during checking...
* 0622 FIX: cisco_temp_sensor: fix to also work with newer IOS versions
* 0623 FIX: fsc_fans: upper levels for fan RPMs are now optional also for the check
+ * 0823 FIX: mk_sap: Fixed some wrong calculated values (decimal numbers)...
Multisite:
* 0934 FIX: Logwatch messages with class unknown ( 'u' ) now displayed as WARN...
Module: check_mk
Branch: master
Commit: 4a50902ce933c6436732acab982d944abdfaeca6
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4a50902ce933c6…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Sat Jun 21 17:26:45 2014 +0200
ibm_svc_enclosure: support new firmware, also check fan modules
---
.werks/1003 | 8 ++++++++
ChangeLog | 1 +
checkman/ibm_svc_enclosure | 7 ++++---
checks/ibm_svc_enclosure | 45 +++++++++++++++++++++++++++++++-------------
4 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/.werks/1003 b/.werks/1003
new file mode 100644
index 0000000..6692635
--- /dev/null
+++ b/.werks/1003
@@ -0,0 +1,8 @@
+Title: ibm_svc_enclosure: support new firmware, also check fan modules
+Level: 1
+Component: checks
+Version: 1.2.5i4
+Date: 1403364378
+Class: feature
+
+
diff --git a/ChangeLog b/ChangeLog
index 3f83ad6..a9af5d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@
* 0618 adva_fsp_current: new check for the power supply units of the ADVA FSP 3000 scalable optical transport solution
* 0619 adva_fsp_temp: new check to monitor temperature and temperature trends on ADVA scalable optical transport solutions
* 0993 raritan_pdu_inlet: now delivers performance data
+ * 1003 ibm_svc_enclosure: support new firmware, also check fan modules
* 0616 FIX: brocade.fan, brocade.power, brocade.temp: will now only discover services which are not marked as absent
* 0992 FIX: zfs_arc_cache: returns OK even if values of arc meta are missing...
* 0936 FIX: agent_ibmsvc: improved error messages on using wrong credentials
diff --git a/checkman/ibm_svc_enclosure b/checkman/ibm_svc_enclosure
index 3314256..bdaef01 100644
--- a/checkman/ibm_svc_enclosure
+++ b/checkman/ibm_svc_enclosure
@@ -8,11 +8,12 @@ description:
V7000 device.
Returns {OK} if the Enclousure report status {online} and all Canisters and PSUs
- are online and {CRIT} otherwise.
+ are online and {CRIT} otherwise. If the firmware supports it then also fan modules
+ are being checked.
- Please note: You need the Special Agent agent_ibmsvc to retrieve the monitoring
+ Please note: You need the special agent {agent_ibmsvc} for retrieving the monitoring
data from the device. Your monitoring user must be able to SSH to the device
- with SSH Key Authentification. Please exchange SSH key. The Special Agent itself
+ with SSH Key Authentification. Please exchange SSH key. The special agent itself
can be configured by WATO.
item:
diff --git a/checks/ibm_svc_enclosure b/checks/ibm_svc_enclosure
index 2d3907e..9df794a 100644
--- a/checks/ibm_svc_enclosure
+++ b/checks/ibm_svc_enclosure
@@ -31,19 +31,32 @@
# 3:online:expansion:yes:0:io_grp0:2072-24E:7804326:2:2:2:2:24
# 4:online:expansion:yes:0:io_grp0:2072-24E:7804352:2:2:2:2:24
+# After a firmware upgrade the output looked like this:
+# 1:online:control:yes:0:io_grp0:2072-24C:7804037:2:2:2:2:24:0:0
+# 2:online:expansion:yes:0:io_grp0:2072-24E:7804306:2:2:2:2:24:0:0
+# 3:online:expansion:yes:0:io_grp0:2072-24E:7804326:2:2:2:2:24:0:0
+# 4:online:expansion:yes:0:io_grp0:2072-24E:7804352:2:2:2:2:24:0:0
+
+# The names of the columns are:
+# id:status:type:managed:IO_group_id:IO_group_name:product_MTM:serial_number:total_canisters:online_canisters:total_PSUs:online_PSUs:drive_slots:total_fan_modules:online_fan_modules
+
+
def inventory_ibm_svc_enclosure(info):
inventory = []
- for enclosure_id, enclosure_status, enclosure_type, managed, IO_group_id, \
- IO_group_name, product_MTM, serial_number, total_canisters, online_canisters, \
- total_PSUs, online_PSUs, drive_slots in info:
+ for line in info:
+ enclosure_id = line[0]
inventory.append( (enclosure_id, None) )
return inventory
def check_ibm_svc_enclosure(item, _no_params, info):
- for enclosure_id, enclosure_status, enclosure_type, managed, IO_group_id, \
- IO_group_name, product_MTM, serial_number, total_canisters, online_canisters, \
- total_PSUs, online_PSUs, drive_slots in info:
- if enclosure_id == item:
+ for line in info:
+ if line[0] == item:
+ if len(line) < 15: # old format
+ line = line + ["0", "0"] # do not modify line!
+
+ enclosure_id, enclosure_status, enclosure_type, managed, IO_group_id, \
+ IO_group_name, product_MTM, serial_number, total_canisters, online_canisters, \
+ total_PSUs, online_PSUs, drive_slots, total_fan_modules, online_fan_modules = line
# Check status
message = "Enclosure %s is %s" % (enclosure_id, enclosure_status)
@@ -55,19 +68,25 @@ def check_ibm_svc_enclosure(item, _no_params, info):
# Check canisters
if online_canisters == total_canisters:
- status = max(0, status)
message += ", all %s canisters are online" % total_canisters
else:
- status = max(2, status)
- message += ", %s(!!) of %s canisters are online" % (online_canisters, total_canisters)
+ status = 2
+ message += ", only %s of %s canisters are online(!!)" % (online_canisters, total_canisters)
# Check PSUs
if online_PSUs == total_PSUs:
- status = max(0, status)
message += ", all %s PSUs are online" % total_PSUs
else:
- status = max(2, status)
- message += ", %s(!!) of %s PSUs are online" % (online_PSUs, total_PSUs)
+ status = 2
+ message += ", only %s of %s PSUs are online(!!)" % (online_PSUs, total_PSUs)
+
+ # Check FANs (only new firmware)
+ if online_fan_modules == total_fan_modules:
+ if total_fan_modules != "0":
+ message += ", all %s fan modules are online" % total_fan_modules
+ else:
+ status = 2
+ message += ", only %s of %s fan modules are online(!!)" % (online_fan_modules, total_fan_modules)
return status, message
Module: check_mk
Branch: master
Commit: 8981c1597ea087e9cb8082ac84016e7d44316463
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8981c1597ea087…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Fri Jun 20 15:51:24 2014 +0200
FIX Fix crash when debugging notifications with non-Ascii characters
When full notification debugging was enabled then notifications with
a non-Ascii character would raise an exception and not be sent.
---
.werks/1002 | 9 +++++++++
ChangeLog | 3 +++
modules/notify.py | 4 +++-
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.werks/1002 b/.werks/1002
new file mode 100644
index 0000000..e77ad04
--- /dev/null
+++ b/.werks/1002
@@ -0,0 +1,9 @@
+Title: Fix crash when debugging notifications with non-Ascii characters
+Level: 2
+Component: notifications
+Version: 1.2.5i4
+Date: 1403272237
+Class: fix
+
+When full notification debugging was enabled then notifications with
+a non-Ascii character would raise an exception and not be sent.
diff --git a/ChangeLog b/ChangeLog
index c0fcce9..3f83ad6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,9 @@
* 0935 FIX: CPU utilization: increased maximum value to 10000...
* 0821 FIX: Reducing size of auth.php (needed for authorisation in NagVis) in large environments...
+ Notifications:
+ * 1002 FIX: Fix crash when debugging notifications with non-Ascii characters...
+
Reporting & Availability:
* 0985 Availability: display phases of freqent state changes as "chaos"...
diff --git a/modules/notify.py b/modules/notify.py
index 53fe4df..d29808a 100644
--- a/modules/notify.py
+++ b/modules/notify.py
@@ -205,8 +205,10 @@ def notify_notify(raw_context, analyse=False):
# Add some further variable for the conveniance of the plugins
if notification_logging >= 2:
+ encoded_context = dict(raw_context.items())
+ convert_context_to_unicode(encoded_context)
notify_log("Raw notification context:\n"
- + "\n".join([" %s=%s" % v for v in sorted(raw_context.items())]))
+ + "\n".join([" %s=%s" % v for v in sorted(encoded_context.items())]))
raw_keys = list(raw_context.keys())
complete_raw_context(raw_context)
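Review bot: `dict(raw_context.items())` is a roundabout shallow copy; `encoded_context = raw_context.copy()` states the intent directly. The reason for the copy is not written down: from the unchanged `complete_raw_context(raw_context)` below it appears the helper mutates its argument in place and the plugins still need the unconverted context, so a comment such as `# copy: convert_context_to_unicode() modifies in place, plugins need the raw context` would make that explicit — confirm against the helper, which is not visible here. `notify_notify` starts before the hunk.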