Branch: refs/heads/2.3.0
Home:
https://github.com/Checkmk/checkmk
Commit: 3183015032286a59585d3146a9b73ce9926ef90a
https://github.com/Checkmk/checkmk/commit/3183015032286a59585d3146a9b73ce99…
Author: Sergey Kipnis <sergey.kipnis(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
A .werks/16845.md
M agents/wnx/include/wnx/cfg_details.h
M agents/wnx/include/wnx/cma_core.h
M agents/wnx/src/common/wtools.cpp
M agents/wnx/src/engine/cfg.cpp
M agents/wnx/src/engine/cma_core.cpp
M agents/wnx/watest/test-yaml.cpp
Log Message:
-----------
16845 SEC fix a privilege escalation vulnerability in the Checkmk Windows Agent
This Werk fixes a privilege escalation vulnerability in the Checkmk Windows
Agent.
Prior to this Werk, it was possible for authenticated users on the monitored
Windows host to execute commands as the administrator account that is used to run
the Agent, allowing them to elevate their privileges.
The reason for this issue was excessive write permissions on the
`ProgramData\checkmk\agent` directory.
Note that you must update Checkmk as well as the agent in order to apply this
fix.
This issue was found in a commissioned penetration test conducted by modzero
GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
*Mitigations*:
If updating is not possible, you can manually remove write access for non-admin
users on the `ProgramData\checkmk\agent` folder.
To do this, navigate to the folder's property settings and make sure to verify
the special permissions and advanced permission settings in addition to the
basic permission settings.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 High
(`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`)
and assigned `CVE-2024-28827`.
Change-Id: Ic4592f5ff0e4310e3821c955c31542cab84710b6
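The mitigation above says to inspect the folder's basic, special and advanced permissions by hand. The following script is an added example (not part of the commit and not Checkmk's own code) that does the same check over the text `icacls` prints for the directory, flagging every non-admin principal that holds a write-capable right. The two ACL listings are constructed samples in the icacls layout, one showing the vulnerable state and one the hardened state, and the set of trusted principals is an assumption of the example.

```python
"""Flag write access held by non-admin principals on the Checkmk agent data
directory, the misconfiguration Werk 16845 / CVE-2024-28827 describes.

Added example, not Checkmk's own code. It parses the text that `icacls` prints
for a folder; the two ACL listings below are CONSTRUCTED samples in that layout.
On a real host feed it the live output instead, e.g.
    subprocess.run(["icacls", AGENT_DIR], capture_output=True, text=True).stdout
"""
import re

AGENT_DIR = r"C:\ProgramData\checkmk\agent"

# Principals expected to hold write access on the agent directory.
# Assumption of this example: anyone else with write rights is a finding.
TRUSTED_PRINCIPALS = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

# icacls "simple" rights that include writing or deleting (F, M, W, D) ...
WRITE_SIMPLE = {"F", "M", "W", "D"}
# ... and the specific rights that do, when icacls prints an explicit list
# (generic all/write, write/append data, delete child, delete, write DAC/owner).
WRITE_SPECIFIC = {"GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}

# One ACE per line: "<principal>:(flag)(flag)...", e.g. BUILTIN\Users:(OI)(CI)(M)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample of the pre-fix state: Users may modify (M) the directory.
VULNERABLE_ACL = r"""C:\ProgramData\checkmk\agent NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              BUILTIN\Administrators:(OI)(CI)(F)
                              BUILTIN\Users:(OI)(CI)(M)
                              NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample after removing write access for non-admin users.
HARDENED_ACL = r"""C:\ProgramData\checkmk\agent NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              BUILTIN\Administrators:(OI)(CI)(F)
                              BUILTIN\Users:(OI)(CI)(RX)
                              NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(acl_text, path):
    """Yield (principal, tokens) for every ACE in icacls output for `path`.

    icacls prints the path in front of the first ACE only, so strip it there;
    blank lines and the trailing summary line do not match ACE_RE and are skipped.
    """
    for raw in acl_text.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            tokens.extend(t.strip() for t in group.split(","))
        yield m.group("principal"), tokens


def find_untrusted_writers(acl_text, path, trusted=TRUSTED_PRINCIPALS):
    """Return [(principal, rights)] for non-trusted principals that can write.

    Deny ACEs grant nothing and are skipped. Inherited ACEs (I) and inherit-only
    ACEs (IO) are reported like any other, since they still give access to the
    directory or to what is created inside it.
    """
    findings = []
    for principal, tokens in parse_icacls(acl_text, path):
        if "DENY" in tokens or principal in trusted:
            continue
        granted = set(tokens)
        write_rights = sorted((granted & WRITE_SIMPLE) | (granted & WRITE_SPECIFIC))
        if write_rights:
            findings.append((principal, ",".join(write_rights)))
    return findings


if __name__ == "__main__":
    for label, acl in (("vulnerable", VULNERABLE_ACL), ("hardened", HARDENED_ACL)):
        print(label, find_untrusted_writers(acl, AGENT_DIR) or "no findings")
```

Because the script only consumes text, the icacls output can be collected on the monitored hosts and evaluated centrally; any principal the script reports should be checked against the advanced permission settings, exactly as the mitigation describes.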
Commit: 9c39ca70b4fe0e2e0a8687727195d516a3e3af61
https://github.com/Checkmk/checkmk/commit/9c39ca70b4fe0e2e0a8687727195d516a…
Author: Timotheus Bachinger <timotheus.bachinger(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
M .werks/16845.md
Log Message:
-----------
Reserve werk for potential future use
Change-Id: Ie9f5516caa39dae729264cf42f1afb0fa0bdfdc4
Commit: 3ba8e13383f2027e4138f14f58c2c16a171e56f4
https://github.com/Checkmk/checkmk/commit/3ba8e13383f2027e4138f14f58c2c16a1…
Author: Timotheus Bachinger <timotheus.bachinger(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
M .werks/16845.md
Log Message:
-----------
Revert "Reserve werk for potential future use"
This reverts commit 9c39ca70b4fe0e2e0a8687727195d516a3e3af61.
Commit: 3289139fb1ec66f5c12c6debc49cc8bbb0dc61f7
https://github.com/Checkmk/checkmk/commit/3289139fb1ec66f5c12c6debc49cc8bbb…
Author: Maximilian Wirtz <maximilian.wirtz(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
A .werks/17010.md
M cmk/gui/valuespec.py
Log Message:
-----------
17010 SEC XSS in SQL check parameters
Prior to this Werk an attacker could add HTML to one parameter of the *Check SQL database*
rule which was executed on the overview page.
We found this vulnerability internally.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
**Indicators of Compromise**:
The creation of such rules is logged in the audit log. You can therefore check the
`wato_audit.log` either on the terminal or in the UI for entries that contain malicious
HTML.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L`
We assigned CVE-2024-6052 to this vulnerability.
**Changes**:
This Werk fixes the escaping.
CMK-17809
Change-Id: I8cf2d8218f1d6bb449beb6947d879b8a114e081a
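The indicator of compromise above is an audit-log entry that contains HTML. The script below is an added example (not part of the commit and not Checkmk's own code) that scans audit-log lines for rule changes carrying tags, inline event handlers or `javascript:` URLs, while leaving harmless comparisons such as `rows < 10` alone. The line layout it assumes, `<unix time> <link info> <user> <action> <free text>`, and the sample lines themselves are constructed for the example; adapt `split_entry()` to the layout your `wato_audit.log` actually uses.

```python
"""Scan Checkmk audit-log lines for rule changes that carry HTML, the
indicator of compromise Werk 17010 / CVE-2024-6052 points at.

Added example, not Checkmk's own code. ASSUMPTION: each line is
"<unix time> <link info> <user> <action> <free text>" separated by single
spaces, with the free text running to the end of the line; the sample lines
below are CONSTRUCTED in that layout.
"""
import re

# Anything that looks like a tag, an inline event handler or a javascript: URL.
# A bare "<" followed by a space or a digit (e.g. "rows < 10") does not match.
HTML_TAG = re.compile(r"<\s*/?[A-Za-z][^<>]*>")
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
JS_URL = re.compile(r"javascript\s*:", re.IGNORECASE)

# Constructed sample log: one benign SQL rule edit, two that carry HTML, one
# unrelated host edit.
SAMPLE_LOG = """\
1719820100 wato.py?mode=edit_ruleset&varname=active_checks:sql admin edit-rule Changed properties of rule #0 in ruleset "Check SQL database" (description: prod-db, warn if rows < 10)
1719820460 wato.py?mode=edit_ruleset&varname=active_checks:sql jdoe edit-rule Changed properties of rule #1 in ruleset "Check SQL database" (description: <script src="https://example.invalid/x.js"></script>)
1719820900 wato.py?mode=edit_host&host=web01 admin edit-host Modified host web01
1719821300 wato.py?mode=edit_ruleset&varname=active_checks:sql jdoe edit-rule Changed properties of rule #1 in ruleset "Check SQL database" (description: <span onmouseover="doSomething()">hover</span>)
"""


def classify(text):
    """Return the names of the suspicious patterns found in `text`, in a fixed order."""
    reasons = []
    if HTML_TAG.search(text):
        reasons.append("html_tag")
    if EVENT_HANDLER.search(text):
        reasons.append("event_handler")
    if JS_URL.search(text):
        reasons.append("js_url")
    return reasons


def split_entry(line):
    """Split one assumed-layout line into its five fields, or None if malformed."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) != 5:
        return None
    time_str, link, user, action, text = parts
    if not time_str.isdigit():
        return None
    return {"time": int(time_str), "link": link, "user": user,
            "action": action, "text": text}


def scan_audit_log(lines):
    """Return one finding per line whose free text looks like HTML."""
    findings = []
    for line in lines:
        entry = split_entry(line)
        if entry is None:
            continue
        reasons = classify(entry["text"])
        if not reasons:
            continue
        hit = HTML_TAG.search(entry["text"])
        findings.append({
            "time": entry["time"],
            "user": entry["user"],
            "action": entry["action"],
            "reasons": reasons,
            # the first tag-like fragment, handy for a ticket or a triage note
            "hit": hit.group(0) if hit else entry["text"],
        })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(f["time"], f["user"], f["action"], f["reasons"], f["hit"])
```

Run it as `python scan.py < wato_audit.log` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; each finding names the user who saved the rule, which is the starting point for the follow-up the werk suggests.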
Commit: f93c345b2ef1435d51333d3593a6b1701d5c249c
https://github.com/Checkmk/checkmk/commit/f93c345b2ef1435d51333d3593a6b1701…
Author: Hannes Rantzsch <hannes.rantzsch(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
A .werks/17090.md
M cmk/gui/backup/handler.py
M cmk/gui/bi/_config.py
M cmk/gui/custom_icons/_modes.py
M cmk/gui/key_mgmt.py
M cmk/gui/mkeventd/wato.py
M cmk/gui/wato/pages/_simple_modes.py
M cmk/gui/wato/pages/audit_log.py
M cmk/gui/wato/pages/bulk_discovery.py
M cmk/gui/wato/pages/bulk_edit.py
M cmk/gui/wato/pages/bulk_import.py
M cmk/gui/wato/pages/diagnostics.py
M cmk/gui/wato/pages/folders.py
M cmk/gui/wato/pages/global_settings.py
M cmk/gui/wato/pages/groups.py
M cmk/gui/wato/pages/host_diagnose.py
M cmk/gui/wato/pages/host_rename.py
M cmk/gui/wato/pages/ldap.py
M cmk/gui/wato/pages/notifications.py
M cmk/gui/wato/pages/parentscan.py
M cmk/gui/wato/pages/read_only.py
M cmk/gui/wato/pages/roles.py
M cmk/gui/wato/pages/rulesets.py
M cmk/gui/wato/pages/search.py
M cmk/gui/wato/pages/sites.py
M cmk/gui/wato/pages/tags.py
M cmk/gui/wato/pages/timeperiods.py
M cmk/gui/wato/pages/user_migrate.py
M cmk/gui/wato/pages/users.py
M web/htdocs/js/modules/forms.ts
Log Message:
-----------
17090 SEC Fix Various CSRF Issues
This Werk adds previously missing CSRF-Token validation to various
endpoints in WATO. The lack of CSRF-Token validation could allow an
attacker to perform actions on behalf of a user without their consent,
by tricking the user into visiting or clicking on a malicious link.
This vulnerability was identified during a commissioned penetration test
conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 High
(`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`) and assigned
`CVE-2024-28828`.
Change-Id: Ib12128b873b7d06140e48fb66147e7a2599dd6f9
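To make the missing check concrete, here is an added example (not part of the commit and not Checkmk's own code) of per-session CSRF token issuance and validation in front of a state-changing action: the token is bound to the login session, compared in constant time, and a request that lacks it or carries a guessed one is refused before the action runs. The form field name, the session dictionary and the tiny dispatcher are assumptions of the example, and the request dictionaries are constructed.

```python
"""Per-session CSRF token issuance and validation for state-changing actions,
the check Werk 17090 / CVE-2024-28828 says was missing on several endpoints.

Added example, not Checkmk's own code. The form field name, the session
shape and the dispatcher are ASSUMPTIONS of this example; the request
dicts in demo() are CONSTRUCTED.
"""
import hmac
import secrets

CSRF_FIELD = "_csrf_token"  # assumed field name, not necessarily Checkmk's


def issue_csrf_token(session):
    """Create once per login session, then keep returning the same token.

    The token is rendered into the site's own forms; a page on another origin
    cannot read it, which is what makes a cross-site submission detectable."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """True only if a token was issued for this session and `submitted` equals it.

    compare_digest keeps the comparison constant-time; a missing, never issued
    or non-string token never validates."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


class Forbidden(Exception):
    """Raised instead of running the action when the request is not trustworthy."""


def handle_action(session, request, action):
    """Run `action` for a state-changing request only after CSRF validation.

    `request` is {"method": ..., "form": {...}}. A protected action is only
    reachable via POST with a valid token; that is the rule the vulnerable
    endpoints lacked."""
    if request.get("method") != "POST":
        raise Forbidden("state-changing actions must be POSTed")
    if not csrf_token_valid(session, request.get("form", {}).get(CSRF_FIELD)):
        raise Forbidden("missing or invalid CSRF token")
    return action()


def demo():
    """Walk through the three cases; returns the outcomes for inspection."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    deleted = []

    def delete_host():
        deleted.append("host web01")
        return "deleted"

    outcomes = {}
    # 1. Cross-site form post: the attacker's page cannot read the victim's token.
    try:
        handle_action(session, {"method": "POST", "form": {"host": "web01"}}, delete_host)
    except Forbidden as exc:
        outcomes["no_token"] = str(exc)
    # 2. Guessed token of the right length.
    try:
        handle_action(session, {"method": "POST", "form": {CSRF_FIELD: "x" * 43}}, delete_host)
    except Forbidden as exc:
        outcomes["wrong_token"] = str(exc)
    # 3. Legitimate submission from the rendered form, carrying the real token.
    outcomes["valid"] = handle_action(
        session, {"method": "POST", "form": {CSRF_FIELD: token}}, delete_host)
    outcomes["deleted"] = list(deleted)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The important property is that the action body never runs unless the token check has passed; wiring the check into the dispatcher, rather than into each handler, is what prevents an endpoint from being forgotten.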
Commit: 665b52622a34c0197bc28090df6306b36436ca76
https://github.com/Checkmk/checkmk/commit/665b52622a34c0197bc28090df6306b36…
Author: Checkmk release system <feedback(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
M agents/check_mk_agent.aix
M agents/check_mk_agent.freebsd
M agents/check_mk_agent.hpux
M agents/check_mk_agent.linux
M agents/check_mk_agent.macosx
M agents/check_mk_agent.netbsd
M agents/check_mk_agent.openbsd
M agents/check_mk_agent.openvms
M agents/check_mk_agent.openwrt
M agents/check_mk_agent.solaris
M agents/plugins/apache_status.py
M agents/plugins/asmcmd.sh
M agents/plugins/db2_mem
M agents/plugins/dnsclient
M agents/plugins/hpux_lunstats
M agents/plugins/hpux_statgrab
M agents/plugins/ibm_mq
M agents/plugins/isc_dhcpd.py
M agents/plugins/jar_signature
M agents/plugins/kaspersky_av
M agents/plugins/lnx_container_host_if.linux
M agents/plugins/lnx_quota
M agents/plugins/lvm
M agents/plugins/mailman2_lists
M agents/plugins/mailman3_lists
M agents/plugins/mk_apt
M agents/plugins/mk_ceph
M agents/plugins/mk_cups_queues
M agents/plugins/mk_db2.aix
M agents/plugins/mk_db2.linux
M agents/plugins/mk_docker.py
M agents/plugins/mk_errpt.aix
M agents/plugins/mk_filehandler
M agents/plugins/mk_filestats.py
M agents/plugins/mk_haproxy.freebsd
M agents/plugins/mk_informix
M agents/plugins/mk_inotify.py
M agents/plugins/mk_inventory.aix
M agents/plugins/mk_inventory.linux
M agents/plugins/mk_inventory.solaris
M agents/plugins/mk_iptables
M agents/plugins/mk_jolokia.py
M agents/plugins/mk_logins
M agents/plugins/mk_logwatch.py
M agents/plugins/mk_mongodb.py
M agents/plugins/mk_mysql
M agents/plugins/mk_nfsiostat
M agents/plugins/mk_omreport
M agents/plugins/mk_oracle
M agents/plugins/mk_oracle_crs
M agents/plugins/mk_postgres.py
M agents/plugins/mk_redis
M agents/plugins/mk_sap.aix
M agents/plugins/mk_sap.py
M agents/plugins/mk_sap_hana
M agents/plugins/mk_saprouter
M agents/plugins/mk_scaleio
M agents/plugins/mk_site_object_counts
M agents/plugins/mk_sshd_config
M agents/plugins/mk_suseconnect
M agents/plugins/mk_tinkerforge.py
M agents/plugins/mk_tsm
M agents/plugins/mk_zypper
M agents/plugins/mtr.py
M agents/plugins/netstat.aix
M agents/plugins/netstat.linux
M agents/plugins/netstat.solaris
M agents/plugins/nfsexports
M agents/plugins/nfsexports.solaris
M agents/plugins/nginx_status.py
M agents/plugins/plesk_backups.py
M agents/plugins/plesk_domains.py
M agents/plugins/runas
M agents/plugins/smart
M agents/plugins/symantec_av
M agents/plugins/unitrends_backup
M agents/plugins/unitrends_replication.py
M agents/plugins/vxvm
M agents/plugins/zorp
M agents/windows/plugins/ad_replication.bat
M agents/windows/plugins/arcserve_backup.ps1
M agents/windows/plugins/citrix_farm.ps1
M agents/windows/plugins/citrix_licenses.vbs
M agents/windows/plugins/citrix_xenapp.ps1
M agents/windows/plugins/hyperv_vms.ps1
M agents/windows/plugins/hyperv_vms_guestinfos.ps1
M agents/windows/plugins/iis_app_pool_state.ps1
M agents/windows/plugins/kaspersky_av_client.vbs
M agents/windows/plugins/mcafee_av_client.bat
M agents/windows/plugins/megaraid.bat
M agents/windows/plugins/mk_dhcp_enabled.bat
M agents/windows/plugins/mk_inventory.vbs
M agents/windows/plugins/mk_msoffice.ps1
M agents/windows/plugins/mk_mysql.vbs
M agents/windows/plugins/mk_oracle.ps1
M agents/windows/plugins/msexch_dag.ps1
M agents/windows/plugins/msexch_database.ps1
M agents/windows/plugins/mssql.vbs
M agents/windows/plugins/netstat_an.bat
M agents/windows/plugins/nvidia_smi.ps1
M agents/windows/plugins/rds_licenses.vbs
M agents/windows/plugins/rstcli.bat
M agents/windows/plugins/sansymphony.ps1
M agents/windows/plugins/storcli.bat
M agents/windows/plugins/tsm_checks.bat
M agents/windows/plugins/veeam_backup_status.ps1
M agents/windows/plugins/win_dhcp_pools.bat
M agents/windows/plugins/win_dmidecode.bat
M agents/windows/plugins/win_license.bat
M agents/windows/plugins/win_printers.ps1
M agents/windows/plugins/windows_broadcom_bonding.bat
M agents/windows/plugins/windows_if.ps1
M agents/windows/plugins/windows_intel_bonding.bat
M agents/windows/plugins/windows_multipath.vbs
M agents/windows/plugins/windows_os_bonding.ps1
M agents/windows/plugins/windows_tasks.ps1
M agents/windows/plugins/windows_updates.vbs
M agents/windows/plugins/wmic_if.bat
M agents/wnx/include/common/wnx_version.h
M bin/livedump
M cmk/special_agents/agent_jolokia.py
M cmk/special_agents/agent_netapp.py
M cmk/special_agents/agent_splunk.py
M cmk/special_agents/agent_vsphere.py
M cmk/utils/version.py
M defines.make
M docker_image/Dockerfile
M packages/cmk-agent-ctl/src/constants.rs
M packages/mk-sql/src/constants.rs
M packages/neb/CMakeLists.txt
Log Message:
-----------
Set version to 2.3.0p9
Commit: 1bf9ffb45e768111b3d727829ed3a1700f8b653a
https://github.com/Checkmk/checkmk/commit/1bf9ffb45e768111b3d727829ed3a1700…
Author: Jonas Scharpf <jonas.scharpf(a)checkmk.com>
Date: 2024-07-01 (Mon, 01 Jul 2024)
Changed paths:
M .werks/17010.md
Log Message:
-----------
Fix version of werk
Change-Id: I65384c553f83cd83b540ee4ad36159a9512dd727
Commit: 4a965bf10988decd95f82eecfc7f949688b2788d
https://github.com/Checkmk/checkmk/commit/4a965bf10988decd95f82eecfc7f94968…
Author: Solomon Jacobs <solomon.jacobs(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
A .werks/16431.md
M omd/packages/omd/omdlib/main.py
Log Message:
-----------
16431 FIX omd restore: Fix RuntimeError: Failed to determine site version
SUP-18672
Change-Id: Ic212139fd8e2e38c2dfbb70c9db68812870d22d5
Commit: f86e6dfdb40aa3f90773b1bdc208f8d13b5e652b
https://github.com/Checkmk/checkmk/commit/f86e6dfdb40aa3f90773b1bdc208f8d13…
Author: Gav <gavin.mcguigan(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
M cmk/gui/openapi/endpoints/activate_changes/__init__.py
Log Message:
-----------
activate_changes: catch unknown activation processes error before returning running
activations
Running activations have already been activated (in some cases) when
we then ask for the activation details. This is causing the test to
be flaky.
CMK-18048
Change-Id: I2789e03a04a15ea6b4c95cd88ed1eb4286e51c8f
Commit: 405aadd3e603186f600ea95b47110910fa383e80
https://github.com/Checkmk/checkmk/commit/405aadd3e603186f600ea95b47110910f…
Author: Simon Jess <simon.jess(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
A .werks/16753.md
M cmk/gui/views/inventory/__init__.py
M cmk/gui/views/join_service_rows.py
Log Message:
-----------
16753 FIX HW/SW Inventory: Fix missing joined service columns if a service is assigned
to a cluster
Change-Id: I75b0bd6141ba2f4b715b8c06f8aeb844df1641f3
Commit: 8f01c977eeba4bac1c1d6539d7204e5f2e2056ae
https://github.com/Checkmk/checkmk/commit/8f01c977eeba4bac1c1d6539d7204e5f2…
Author: Checkmk release system <feedback(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
M tests/update/base_versions_current_branch.json
Log Message:
-----------
Include 2.3.0p8 in base-versions list for update-test
Commit: ec809c74cc557aee4b09efef74a0d56230962c36
https://github.com/Checkmk/checkmk/commit/ec809c74cc557aee4b09efef74a0d5623…
Author: Jonas Scharpf <jonas.scharpf(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
M .werks/16431.md
Log Message:
-----------
Fix version of werk
Change-Id: Iaaa491fc3cd2ea1cd199ab320e5b7eb28ae37218
Commit: c11e5332c49cfa7eceb22ae7e3b256c8ea5d31ab
https://github.com/Checkmk/checkmk/commit/c11e5332c49cfa7eceb22ae7e3b256c8e…
Author: Sofia Colakovic <sofia.colakovic(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
A .werks/16863.md
M cmk/special_agents/agent_proxmox_ve.py
M tests/unit/cmk/special_agents/test_agent_proxmox_ve.py
Log Message:
-----------
16863 FIX proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer
The backup log format changed in Proxmox version 3.2.4, which resulted in a crash
in the Proxmox special agent.
The special agent can now handle both the old and the new format of backup log messages.
SUP-19222
Change-Id: I57c0108b20874b8d3fb5841f8827779ed1504d3a
Commit: 95dccaf7a0c72d1939397451adaa39e64139c1ee
https://github.com/Checkmk/checkmk/commit/95dccaf7a0c72d1939397451adaa39e64…
Author: Checkmk release system <feedback(a)checkmk.com>
Date: 2024-07-02 (Tue, 02 Jul 2024)
Changed paths:
M tests/update/base_versions_previous_branch.json
Log Message:
-----------
Include 2.2.0p29 in base-versions list for update-test
Compare:
https://github.com/Checkmk/checkmk/compare/105ffefff92e...95dccaf7a0c7