ID: 14441
Title: tsm_scratch: add support for Linux agent plugin
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
The dataset required for the check plugin
<i>IBM Tivoli Storage Manager (TSM): Number of Tapes in Scratch Pool</i>
(<tt>tsm_scratch</tt>) is now also created by the Linux agent plugin.
Previously, this section was created by the Windows plugin only.
ID: 14424
Title: Interface services: Do not abort upon counter overflow
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Most of the interface check plugins (such as <tt>if64</tt>) are counter-based. This means that the
rates shown in the service outputs are computed by Checkmk based on these counters. One property of
these counters is that they may overflow and subsequently re-start from zero. When this happens, no
useful rate can be computed for this check cycle.
Before this werk, Checkmk aborted and did not produce any service output in this case. Now, Checkmk
instead skips the metrics for which the corresponding counters overflowed, but still produces the
remaining, unaffected results.
Note that this only applies to ungrouped interfaces, i.e. the vast majority of all interface
services.
ID: 14542
Title: Interface checks: Stop producing constantly zero and potentially wrong metrics
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The interface checks process a lot of different metrics (input and output bandwidth, input and
output error rates, input and output packet rates, etc.). Before this werk, for any metric not
reported by a device, the interface checks returned constantly zero values. For example, for EC2
instances in AWS, the only metrics reported by the AWS special agent are input and output bandwidth.
Before this werk, the interface check constantly reported zero for all packet rates in this case.
This is however useless and potentially wrong in many places. Therefore, as of this werk, the
interface checks only return metrics for which the corresponding device actually reports values.
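The following is an added example (not Checkmk's own code, and not part of either werk) that shows the two behaviours described in werks #14424 and #14542 in one small rate computation: a counter that wrapped since the last cycle produces no rate for that metric in the current cycle while the remaining metrics are still computed, and a metric the device does not report is absent from the result instead of being a constant zero. The value store, the function names and the constructed samples are assumptions of this example.

```python
"""Counter-based rate computation with overflow handling and optional metrics.

Added example, not Checkmk's own code. It mirrors the two behaviours described
in the werks above: a counter that wrapped yields no rate for the current cycle
while the other metrics are still produced, and a metric the device did not
report is absent from the result instead of being a constant zero.
"""
from __future__ import annotations

from typing import Dict, Mapping, Optional, Tuple

# Hypothetical value store: metric name -> (timestamp, raw counter value).
# Checkmk keeps such state per host and service; here it is a plain dict.
CounterStore = Dict[str, Tuple[float, int]]


class CounterOverflow(Exception):
    """The counter went backwards since the previous cycle (wrap-around)."""


def get_rate(store: CounterStore, key: str, now: float, value: int) -> Optional[float]:
    """Return the per-second rate of counter `key`, or None on the first sample.

    The reference value in the store is replaced in every case, including an
    overflow, so the next cycle computes a clean rate from the restarted counter.
    """
    previous = store.get(key)
    store[key] = (now, value)
    if previous is None:
        return None  # no reference value yet, nothing to compute
    prev_time, prev_value = previous
    if now <= prev_time:
        raise ValueError(f"non-monotonic timestamp for {key}: {now} <= {prev_time}")
    if value < prev_value:
        raise CounterOverflow(key)
    return (value - prev_value) / (now - prev_time)


def interface_rates(store: CounterStore, now: float,
                    counters: Mapping[str, Optional[int]]) -> Dict[str, float]:
    """Compute rates for all counters a device reported in this cycle.

    `counters` maps a metric name to its raw counter, or to None when the device
    does not report that metric at all (e.g. packet counters on an AWS EC2
    instance, where only bandwidth is available).
    """
    rates: Dict[str, float] = {}
    for name, counter in counters.items():
        if counter is None:
            continue  # not reported by the device: no metric, not a zero
        try:
            rate = get_rate(store, name, now, counter)
        except CounterOverflow:
            continue  # skip only this metric for this cycle, keep the others
        if rate is not None:
            rates[name] = rate
    return rates


if __name__ == "__main__":
    # Constructed samples: four 60-second cycles, packet counters never reported,
    # and the input byte counter wrapping between cycle 2 and cycle 3.
    state: CounterStore = {}
    samples = [
        (0, {"in_octets": 1000, "out_octets": 2000, "in_pkts": None}),
        (60, {"in_octets": 7000, "out_octets": 5000, "in_pkts": None}),
        (120, {"in_octets": 100, "out_octets": 8000, "in_pkts": None}),
        (180, {"in_octets": 6100, "out_octets": 11000, "in_pkts": None}),
    ]
    for ts, counters in samples:
        print(ts, interface_rates(state, ts, counters))
```

Note that the example follows the werk and skips a wrapped counter rather than trying to "unwrap" it by adding 2^32 or 2^64: without knowing the counter width, an unwrapped value can be wildly wrong, and a missing data point is easier to spot in a graph than a bogus spike.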
ID: 14545
Title: Make ssh command work as site user on SUSE Linux Enterprise Server 15 SP2
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
On SUSE Linux Enterprise Server 15 SP2 systems, the <tt>ssh</tt> command crashed with
C+:
ssh: relocation error: ssh: symbol EVP_KDF_CTX_free, version OPENSSL_1_1_1d not defined in file libcrypto.so.1.1 with link time reference
C-:
when executed as a site user.
Note that this affected both the direct execution of <tt>ssh</tt> on the command line as well as
other programs using this command, such as the special agent for IBM SVC / V7000 storage systems.
ID: 13912
Title: Fix crash on restarting the RRDHelper
Component: cmc
Level: 1
Class: Bug fix
Version: 2.2.0i1
The RRDHelper may need to be restarted without a full
restart of the CMC. This could lead to an internal
error and crash the CMC as well with a traceback such as
<TT>
/omd/sites/.../bin/cmc(_Z11sig_survivei+0xc2) [0x6656d2]
/lib/x86_64-linux-gnu/libc.so.6(+0x42520) [0x7fca01440520]
/lib/x86_64-linux-gnu/libc.so.6(pthread_kill+0x12c) [0x7fca01494a7c]
/lib/x86_64-linux-gnu/libc.so.6(raise+0x16) [0x7fca01440476]
/lib/x86_64-linux-gnu/libc.so.6(abort+0xd3) [0x7fca014267f3]
/omd/sites/.../bin/cmc() [0x64e6a5]
/omd/sites/.../bin/cmc(_ZN10__cxxabiv111__terminateEPFvvE+0xa) [0xa0e61a]
/omd/sites/.../bin/cmc() [0xa0e685]
/omd/sites/.../bin/cmc(_ZN16DataExportThreadIN9rrdcached8protocol6UpdateENS1_6ReloadEE5startEv+0x78) [0x755998]
/omd/sites/.../bin/cmc(_ZN9RRDHelper6createEPK6Object9RRDFormatRKSt6vectorI6MetricSaIS5_EE+0x703) [0x74ef33]
/omd/sites/.../bin/cmc(_ZN9RRDHelper13processSingleERK15PerformanceDataPK6ObjectRK7RRDInfo+0xab0) [0x753780]
/omd/sites/.../bin/cmc(_ZN9RRDHelper15processPerfDataERK15PerformanceDataPK6Object+0xdd) [0x75452d]
/omd/sites/.../bin/cmc(_ZN4Core15processPerfdataEPK6Object+0xa1) [0x66b4b1]
/omd/sites/.../bin/cmc(_ZN4Core25objectStateHasBeenChangedEP6Object+0x1c0) [0x66c370]
/omd/sites/.../bin/cmc(_ZN4Core18processCheckResultERK11CheckResult+0x91) [0x66c801]
/omd/sites/.../bin/cmc(_ZN11CheckHelper9getResultEv+0xb69) [0x8698e9]
/omd/sites/.../bin/cmc(_ZN11CheckHelper12communicate_ERK6Poller+0xe6) [0x869c66]
/omd/sites/.../bin/cmc(_ZN15CheckHelperPool12communicate_ERK6Poller+0x45) [0x86b5f5]
/omd/sites/.../bin/cmc(_ZN4Core8mainLoopEv+0x4f5) [0x6724e5]
/omd/sites/.../bin/cmc(_ZN4Core3runEv+0xae5) [0x673415]
/omd/sites/.../bin/cmc(main+0xf1f) [0x65410f]
/lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7fca01427d90]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7fca01427e40]
/omd/sites/.../bin/cmc(_start+0x25) [0x65b675]
</TT>
ID: 14288
Title: Fix Apache error message in case site Apache is not started
Component: Site Management
Level: 1
Class: Bug fix
Version: 2.2.0i1
With 2.1.0p7 and werk #14281 we changed the system Apache configuration which
broke the System Apache error page that is shown to the user in case the site
Apache is not running. It showed a 'Service Unavailable' message instead of the
intended 'Checkmk: Site Not Started'.
To apply this fix, you will have to execute <tt>omd update-apache-config [site]</tt>
as root user after executing <tt>omd update</tt>.
ID: 14455
Title: SAP R/3: Dialog Statistics: no longer interpret unknown values to be zero
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check plugin <i>"SAP R/3: Dialog Statistics"</i> (<tt>sap_dialog</tt>) interpreted unreadable
values as being zero. These values are skipped now.
ID: 14281
Title: Fix local privilege escalation from site users
Component: Site Management
Level: 1
Class: Security fix
Version: 2.2.0i1
Each Checkmk site provides its HTTP services (UI, APIs) using its own site
Apache process. Global access to this site Apache is provided via the system
Apache, which opens ports 80 and 443 for external requests, depending
on your system configuration.
To learn about the site Apache, the system Apache reads a reverse proxy
configuration provided by the site user. This could be used by a site user to
make the system Apache execute code as root, since the system Apache is
typically started initially with root privileges.
To close this gap, we now need to separate the system Apache configuration from
the site user access.
To eliminate the privilege escalation, you will have to execute the command
<tt>omd update-apache-config [SITE]</tt> once for each of your sites after
the <tt>omd update</tt> command.
Besides the one-time fix, this change has a consequence for the use of <tt>omd
config</tt> and <tt>omd update</tt>. There are two situations where this is
relevant:
a) If you change the options APACHE_TCP_ADDR, APACHE_TCP_PORT or APACHE_MODE
You will have to call <tt>omd update-apache-config [SITE]</tt> as root user after
changing one of the site configuration options APACHE_TCP_ADDR, APACHE_TCP_PORT
or APACHE_MODE. This needs to be done to update and apply the system Apache
configuration. If you don't do this and start your site, your UI may no longer be
available.
The <tt>omd config</tt> command will output a warning to notify you about this
necessary step in the future.
b) If you execute <tt>omd update</tt> and the proxy configuration changes
The update is performed as the site user, which means that, after this werk, the
system Apache configuration can no longer be updated and applied automatically.
To apply the latest Apache configuration, the command <tt>omd
update-apache-config [SITE]</tt> needs to be executed after the update.
The <tt>omd update</tt> command will automatically detect the need for this
additional step and show you a confirmation dialog before starting the update,
notifying you of this necessary step and giving you the chance to interrupt the
procedure in case you do not have the option to execute the command as root
user.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that earlier versions were vulnerable as well. Users of earlier versions are
strongly advised to update or to consider other mitigations.
If you want to solve this issue for a site that is using an unpatched version,
you can do so by replacing the file <tt>/omd/apache/[SITE].conf</tt> with a
file like the following. Please note that you will have to replace all occurrences
of <tt>[SITE]</tt> with the ID of your site and <tt>[PORT]</tt> with the port of
the site Apache. After you have replaced the file, you will have to restart the
system Apache.
C+:
# version: 0
# Make sure that symlink /omd does not make problems
<Directory />
Options +FollowSymlinks
</Directory>
<IfModule mod_proxy_http.c>
ProxyRequests Off
ProxyPreserveHost On
<Proxy http://127.0.0.1:[PORT]/[SITE]>
Order allow,deny
allow from all
</Proxy>
<Location /[SITE]>
# Setting "retry=0" to prevent 60 second caching of problem states e.g. when
# the site apache is down and someone tries to access the page.
# "disablereuse=On" prevents the apache from keeping the connection which leads to
# wrongly delivered pages sometimes
ProxyPass http://127.0.0.1:[PORT]/[SITE] retry=0 disablereuse=On timeout=120
ProxyPassReverse http://127.0.0.1:[PORT]/[SITE]
</Location>
</IfModule>
<IfModule !mod_proxy_http.c>
Alias /[SITE] /omd/sites/[SITE]
<Directory /omd/sites/[SITE]>
Deny from all
ErrorDocument 403 "<h1>Checkmk: Incomplete Apache Installation</h1>You need mod_proxy and
mod_proxy_http in order to run the web interface of Checkmk."
</Directory>
</IfModule>
<Location /[SITE]>
ErrorDocument 503 "<meta http-equiv='refresh' content='60'><h1>Checkmk: Site Not Started</h1>You need to start this site in order to access the web interface.<!-- IE shows its own short useless error message otherwise: placeholder -->"
</Location>
C-:
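As an added, defender-side check for this werk (not part of Checkmk and not part of the werk itself), the following script audits the file <tt>/omd/apache/[SITE].conf</tt> named above, which the root-started system Apache reads. The gap described in the werk exists when the site user controls that file, so the script verifies that it is a regular file, owned by root, and neither writable by the site user's group nor world-writable. The function names, the expectation that a hardened layout keeps this file root-owned and site-user-unwritable, and the assumption that the site's Unix user and group carry the site's name are assumptions of this example, not statements about what <tt>omd update-apache-config</tt> does; verify them against your installation.

```python
"""Audit the system-Apache include file of a Checkmk site.

Added example, not part of the werk or of Checkmk. The werk describes the gap:
the system Apache (started as root) reads /omd/apache/[SITE].conf, and a site
user who controls that file controls what the root-started Apache executes.
This script checks the basic preconditions of a hardened layout: the file is a
regular, root-owned file that the site user cannot write.

Assumptions (not from the werk): the site's Unix user and group are named like
the site, and a hardened deployment keeps the file root-owned with a mode that
grants no write access to the site user.
"""
import os
import pwd
import stat
import sys
from typing import List


def evaluate_conf_stat(uid: int, gid: int, mode: int, is_symlink: bool,
                       site_uid: int, site_gid: int) -> List[str]:
    """Pure decision logic: return a list of findings for one stat() result."""
    findings: List[str] = []
    if is_symlink:
        findings.append("is a symlink; the system Apache would follow it into a "
                        "path the site user may control")
    elif not stat.S_ISREG(mode):
        findings.append("is not a regular file")
    if uid == site_uid:
        findings.append("is owned by the site user, who can therefore rewrite "
                        "the system Apache configuration")
    elif uid != 0:
        findings.append(f"is owned by uid {uid}, expected root (0)")
    if mode & stat.S_IWOTH:
        findings.append("is world-writable")
    if (mode & stat.S_IWGRP) and gid == site_gid:
        findings.append("is group-writable by the site group")
    return findings


def audit_site_apache_conf(site: str) -> List[str]:
    """Stat the include file of `site` and evaluate it (hypothetical helper)."""
    path = f"/omd/apache/{site}.conf"  # path named in the werk
    st = os.lstat(path)                # lstat: do not follow a symlink silently
    site_pw = pwd.getpwnam(site)       # assumption: site user is named like the site
    return evaluate_conf_stat(st.st_uid, st.st_gid, st.st_mode,
                              stat.S_ISLNK(st.st_mode),
                              site_pw.pw_uid, site_pw.pw_gid)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} SITE")
    problems = audit_site_apache_conf(sys.argv[1])
    for problem in problems:
        print(f"/omd/apache/{sys.argv[1]}.conf {problem}")
    sys.exit(1 if problems else 0)
```

Run it as root for each site after <tt>omd update-apache-config [SITE]</tt> or after installing the replacement file above; a non-zero exit means the system Apache is still reading a file the site user could influence.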
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 7.0
(https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/…)
CVE will be added later.
We thank Jan-Philipp Litza (PLUTEX GmbH) for reporting this issue!