Module: check_mk
Branch: master
Commit: be1e994000b4b980045e8dc379631130278ecb2b
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=be1e994000b4b9…
Author: Konstantin Büttner <kb(a)mathias-kettner.de>
Date: Fri Oct 28 13:53:20 2016 +0200
Edit description of Werk 3743
---
.werks/3743 | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/.werks/3743 b/.werks/3743
index aa07db4..230be49 100644
--- a/.werks/3743
+++ b/.werks/3743
@@ -1,4 +1,4 @@
-Title: mk_jolokia: Use JSON library to parse JSON output in lieu of eval()
+Title: mk_jolokia: Fix possible code injection
Level: 1
Component: checks
Class: security
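Review bot: the new title "mk_jolokia: Fix possible code injection" drops the one detail the old title carried, that eval() was replaced by a JSON library, so anyone scanning werk titles no longer sees the injection vector or the fix; consider a title that names both, e.g. "mk_jolokia: Fix code injection via eval() of Jolokia responses".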
@@ -7,6 +7,18 @@ State: unknown
Version: 1.4.0i1
Date: 1472111893
-Previously, the mk_jolokia agent plugin would try to parse the JSON data
-returned from jolokia with eval(). Now, the simplejson or json python
-libraries are a prerequisite for the plugin to work.
+The plugin now requires either the json or simplejson python library to work.
+
+Python 2.6 or higher ships with json, in this case, the plugin will work just
+as before.
+
+simplejson is available for Python 2.5 and higher, installation of this package
+is required for the plugin to work.
+
+Older python versions are not supported, please query your Jolokia instances
+from another host in these cases (recommended) or continue to use the old version
+of the plugin. (not recommended)
+
+In absence of the json or simplejson python libraries, the mk_jolokia plugin
+would previously try to parse the Jolokia response with python eval(), allowing
+a MITM attacker to inject arbitrary code.
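Review bot: the new closing paragraph and the removed text disagree on when eval() was used. The removed lines say the plugin "would try to parse the JSON data returned from jolokia with eval()", i.e. eval() was the parser, while the added text says this happened only "In absence of the json or simplejson python libraries", i.e. eval() was a fallback; state which one is true, because it determines whether installations on Python 2.6+ were ever exposed. Second, the option "continue to use the old version of the plugin. (not recommended)" should say outright that doing so leaves the code injection open, since that is the whole point of a Class: security werk; and the paragraph explaining the eval()/MITM issue belongs at the top of the description rather than after the installation notes, so the reader learns why the new dependency exists before being told how to satisfy it. Minor: "Python 2.6 or higher ships with json, in this case, the plugin will work just as before" is a comma splice; split it at "json." and move "(not recommended)" before the period.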