[checkmk-commits] Edit description of Werk 3743

Module: check_mk Branch: master Commit: be1e994000b4b980045e8dc379631130278ecb2b URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=be1e994000b4b9… Author: Konstantin Büttner <kb(a)mathias-kettner.de> Date: Fri Oct 28 13:53:20 2016 +0200 Edit description of Werk 3743 --- .werks/3743 | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/.werks/3743 b/.werks/3743 index aa07db4..230be49 100644 --- a/.werks/3743 +++ b/.werks/3743 @@ -1,4 +1,4 @@ -Title: mk_jolokia: Use JSON library to parse JSON output in lieu of eval() +Title: mk_jolokia: Fix possible code injection Level: 1 Component: checks Class: security @@ -7,6 +7,18 @@ State: unknown Version: 1.4.0i1 Date: 1472111893 -Previously, the mk_jolokia agent plugin would try to parse the JSON data -returned from jolokia with eval(). Now, the simplejson or json python -libraries are a prerequisite for the plugin to work. +The plugin now requires either the json or simplejson python library to work. + +Python 2.6 or higher ships with json, in this case, the plugin will work just +as before. + +simplejson is available for Python 2.5 and higher, installation of this package +is required for the plugin to work. + +Older python versions are not supported, please query your Jolokia instances +from another host in these cases (recommended) or continue to use the old version +of the plugin. (not recommended) + +In absence of the json or simplejson python libraries, the mk_jolokia plugin +would previously try to parse the Jolokia response with python eval(), allowing +a MITM attacker to inject arbitrary code.