ID: 14686
Title: Added timeout to event console communication
Component: Livestatus
Level: 2
Class: Bug fix
Version: 2.2.0i1
An unresponsive event console could eat up Livestatus connections and even
cause a deadlock during the shutdown of the monitoring core. Now there is a
timeout of 10 s; after that you get a timeout error for the Livestatus
query or action.
ID: 14919
Title: Do not log host secret (2)
Component: agents
Level: 3
Class: Security fix
Version: 2.2.0i1
Unfortunately Werk #14916 was insufficient.
Therefore the vulnerability still exists.
This Werk fixes the problem.
When using the <i>Agent updater</i> the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs, which can contain other secrets (e.g. database credentials).
Mitigations without updating:
LI: Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
LI: If you cannot rule out that an unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> or <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt>, you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
LI: Update your agent.
LI: Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
ID: 14783
Title: Add Support for SLES15sp4
Component: Site Management
Level: 1
Class: New feature
Version: 2.2.0i1
With this werk, Checkmk is built for SUSE Linux Enterprise Server 15 SP4.
ID: 14769
Title: Activate Changes does not respect site-specific synchronisation settings
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
It is possible to configure whether local extensions (MKPs) and Event Console
rules should be synchronised between the central and the remote sites in a
distributed monitoring set-up (configurable via Setup -> General -> Distributed
monitoring).
The site synchronisation between the central and any remote sites sporadically
ignored the respective site synchronisation settings. This has been fixed.
ID: 14893
Title: Fix localized entries in audit log
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
Entries in the audit log were localized in the language of the user who executed the changes.
These entries are now always written unlocalized.
ID: 14836
Title: HW/SW Inventory: Add cluster property if the tree is not empty
Component: HW/SW Inventory
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously the cluster property was added in any case, even if the newly
computed tree was empty (i.e. there was no data, or the inventory plugins did not add any
entries).
This led to a rather confusing result message of the {{HW/SW Inventory}}
service: {{Cannot update tree, Found 1 inventory entries, Got no data, ...}}.
Moreover there was no possibility of removing the {{HW/SW Inventory}} tree at
all, i.e. the icon {{Show hardware/software inventory of this host}} in the
dropdown menu of the {{HW/SW Inventory}} service was always shown.
Now the mechanism works as follows:
LI: Apply all related inventory plugins
LI: Apply configured retention intervals
LI: If the tree is not empty then set the cluster property and store the tree.
LI: Otherwise remove the icon which means: no current inventory tree
Note: The retention intervals happened to work before only because the tree was
never empty, so they were always applied.
ID: 14889
Title: Fix deletion of users on remote sites if own LDAP connector is used
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
Until now, the concept of user management in distributed setups was that the
central site was responsible for keeping track of the known users and pushed the
config to the remote sites.
This led to the problem that users on remote sites with their own LDAP
connector configured were deleted on every activation of changes.
We now skip these users for deletion on activation, so the remote site is
responsible for users who are synchronized via the configured LDAP connection.
Please note that such users are still not visible/usable in the Setup
of the central site. For example, you cannot select them in rules such as
notification rules. But this was also the case before.
ID: 14389
Title: Add cmk-passwd utility
Component: setup
Level: 1
Class: New feature
Version: 2.2.0i1
This Werk adds the tool cmk-passwd.
cmk-passwd can add and change Checkmk user passwords via the commandline, as could previously be achieved using htpasswd.
Users are advised to use cmk-passwd instead of htpasswd to manage Checkmk user passwords from now on.
To change a password with cmk-passwd, for example the password of cmkadmin, simply run
C+:
cmk-passwd cmkadmin
C-:
The tool will then prompt for the password and ask you to re-type it for verification.
See <tt>cmk-passwd -h</tt> for further options.
cmk-passwd selects the correct password file location and password hashing algorithm for the installed version of Checkmk.
Behind the scenes it currently still writes to the same file (<tt>etc/htpasswd</tt>) in htpasswd-compatible format.
This might be changed in the future though.
ID: 14685
Title: Fixed real-time checks with encryption
Component: cmc
Level: 2
Class: Bug fix
Version: 2.2.0i1
Real-time check data that contains a 0-byte was not processed correctly; this
mainly affected encrypted RTC data. This has been fixed.
Note that even normal check results were affected, but these are normally
text-only without any 0-bytes, so in practice they almost always worked.
ID: 14891
Title: Fix context filter of linked view dashlets
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
If you added a dashlet via "Link to existing view" to a dashboard (e.g. the
"events" view) and configured a "Log Entry" filter, the shown dashlet always
used the filter defined in the source view, ignoring the options configured
for the dashlet.
Other views/filters used as linked view dashlet may also be affected because of
the former order of context processing.