ID: 14493
Title: Add global setting "Enable community translations"
Component: Multisite
Level: 1
Class: New feature
Version: 2.2.0i1
<ul>
<li>Defaults to False - per default only English and German are shown in the language dropdown (User > Edit profile > Language)</li>
<li>Changing this global setting requires an additional activation of pending changes</li>
<li>When changed from True to False, the UI default and user specific languages are checked and set to English if a community translation was in place. Any such reset to English is logged as a warning to the details column on the "Activate pending changes" page.</li>
<li>When updating from an older version without this global setting, the UI default and user specific languages are checked and if a community translation was in place this global setting is changed to True to keep the previous language configuration.</li>
</ul>
ID: 14916
Title: Do not log host secret
Component: agents
Level: 3
Class: Security fix
Version: 2.2.0i1
When using the <i>Agent updater</i> the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs which can contain other secrets. (e.g. database credentials)
Mitigations without updateing:
LI: Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
LI: If you cannot rule out that any unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> respectively <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt> you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
LI: Update your agent.
LI: Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
ID: 14901
Title: user_config: REST API fix to ensure the request and response schemas align
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
This werk introduces a fix that aligns both the response and request schemas on the user_config
endpoints. The response schema now nests the enforce_password_change attribute just like the
request schemas. So the response from a GET request has the same format as what is required in
a POST/PUT request. Client scripts should be adjusted accordingly.
ID: 14807
Title: UCD CPU Load check is detected if not all counters are present
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
If a UCD device did not provide all counters reguested by the plugin it would not be
discovered during service discovery. We now use a default values of 0 for all counters.
ID: 14683
Title: Fixed livedump for Python 3
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
The livedump tool generated invalid configurations and states when used with
Python 3, effectively rendering the tool unusable. This has been fixed.
ID: 14917
Title: Fix WebUI form submission
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
With Werk 13903 a new CSRF token was introduced.
This token is added to all AJAX calls so the backend can validate this.
Unfortunately it was forgotten to add this token to the Mobile UI as well.
The missing token raised an error when submitting forms in the WebUI.
The token was added to the mobile UI.
ID: 14623
Title: vxvm_multipath: No longer fails because of invalid line in agent output
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check used to fail because of an invalid line in the agent ouput.
A parse function has been introduced which fixed the error.
ID: 13537
Title: cisco_meraki_org_licenses_overview: Monitor licenses of organisations
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
In order to make this check work you have to configure the ruleset
{{Cisco Meraki}} for the related special agent.
This check monitors the status, expiration date and the number of licensed
devices of each type.
ID: 14624
Title: vxvm_enclosures: No longer crashes because of invalid line in agent output
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check used to fail because of an invalid line in the agent ouput.
A parse function has been introduced which fixed the error.