Branch: refs/heads/2.0.0
Home:
https://github.com/tribe29/checkmk
Commit: c16fc5d467329db2d73aeb8d9eb11d36eeaa6fc7
https://github.com/tribe29/checkmk/commit/c16fc5d467329db2d73aeb8d9eb11d36e…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2021-11-10 (Wed, 10 Nov 2021)
Changed paths:
A .werks/13314
M cmk/gui/watolib/automations.py
M tests/unit/cmk/gui/watolib/test_config_sync.py
Log Message:
-----------
13314 SEC Distributed monitoring: Do not log site secret on remote site
This issue only affects you in case you are using a distributed monitoring setup
and only affects the remote sites of a distributed setup.
When the central site is communicating with a remote site, this access from the
central site to a remote system is authenticated used the so called site
secret. This secret is handed over to the remote site with each remote call and
validated.
Previous Checkmk versions were sending the site secret via GET parameters to
the remote site. Which made the secret visible in the access log of the remote
site apache (var/log/apache/access_log).
As these log files are normally only readable by the site user and the site
secret is also known by the site user, this alone is not a information
disclosure.
Of course it might happen that you forward a log, e.g. for error diagnosis,
then this issue might be a real problem.
Therefore, we recommend all users to update to the next version to eliminate
the problem for the future. Afterwards we recommend to check the log files
(var/log/apache/access_log and var/log/apache/access_log.*.gz) and to remove
problematic log entries. If your logs could be viewed by non Checkmk admins,
you should also change the site secret.
If you change the site secret of a remote site, you will have to navigate to
"Setup > Distributed monitoring", then "Logout" the remote site and
"Login" the
site again to make the central site know the new site secret.
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
(
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/…)
Change-Id: Ie4b0c7047b81ee3db35e10b44acf276a772896ae