Branch: refs/heads/2.1.0
Home:
https://github.com/tribe29/checkmk
Commit: fe5e84b2e6407dc120c2ba116a29567652593a41
https://github.com/tribe29/checkmk/commit/fe5e84b2e6407dc120c2ba116a2956765…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-05-17 (Tue, 17 May 2022)
Changed paths:
A .werks/13902
M omd/packages/omd/omdlib/config_hooks.py
M omd/packages/omd/omdlib/contexts.py
Log Message:
-----------
Use /omd/versions/../hooks for omd config hooks
Omd executes several hooks to determine configuration options (e.g. which port
to use for the Site-Apache). These hooks are version dependent, so omd executed
these hooks via a symlink in the site to get the hooks matching the version of
the site.
The symlinks belong to the site user in order to be able to update
the version. Since an <i>omd status</i> executes those hooks as root, it was
possible for a site user to create a malicious hook and execute code as root.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that also previous versions were vulnerable.
CVE will be added later here.
We thank Timo Klecker for reporting this issue!
CMK-10427
Change-Id: I3ad117773aa90b5a52ea4492ee37a66e48f3fb66
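
The log message above describes root following a hook path that runs through a symlink owned by the site user. The following is an added example, not part of this commit or of omdlib, of a check a privileged caller can run before executing such a hook; the directory layout, the hook name PORT and the function names are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def hook_path_problems(hook, versions_root, trusted_uid=0):
    """Return the reasons a privileged caller should refuse to run `hook`."""
    root = Path(os.path.realpath(versions_root))
    real = Path(os.path.realpath(hook))
    if root not in real.parents:
        return [f"{hook} resolves to {real}, outside {root}"]
    problems = []
    # Walk from the resolved file up to the trusted root: nobody but the
    # trusted owner may be able to replace any component on the way.
    for comp in [real, *real.parents]:
        st = os.lstat(comp)
        if st.st_uid != trusted_uid:
            problems.append(f"{comp} is owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{comp} is writable by group or others")
        if comp == root:
            break
    return problems


def build_demo_tree(base):
    """Constructed layout: a version tree and a site whose 'version' symlink
    belongs to the site user. Returns (versions_root, hook_via_site_symlink)."""
    base = Path(base)
    for d in ("versions/2.1.0/hooks", "sites/mysite/sitecopy/hooks"):
        (base / d).mkdir(parents=True)
    for d in ("versions", "versions/2.1.0", "versions/2.1.0/hooks"):
        (base / d).chmod(0o755)
    for f in ("versions/2.1.0/hooks/PORT", "sites/mysite/sitecopy/hooks/PORT"):
        (base / f).write_text("#!/bin/sh\necho 5000\n")
        (base / f).chmod(0o755)
    (base / "sites/mysite/version").symlink_to("../../versions/2.1.0")
    return base / "versions", base / "sites/mysite/version/hooks/PORT"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root, hook = build_demo_tree(tmp)
        print("symlink intact:", hook_path_problems(hook, root, os.getuid()))
        hook.parents[1].unlink()
        hook.parents[1].symlink_to("sitecopy")  # the site user owns this link
        print("re-pointed:", hook_path_problems(hook, root, os.getuid()))
```

A path that passes while the symlink is intact can still be re-pointed between check and use, so a caller should execute the resolved path below the versions directory rather than the path through the site.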