ID: 14718
Title: SAP HANA bakery plugin: Handle user store key correctly
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The SAP HANA bakery plugin did not handle the option <i>User store key</i> under <i>Credentials</i>
> <i>Default credentials</i> properly. Depending on the configured value, either the agent baking
crashed or the baked agent plugin configuration was wrong, so that the plugin execution failed.
ID: 14383
Title: Fix code injection in watolib
Component: Setup
Level: 1
Class: Security fix
Version: 2.2.0i1
This Werk fixes a code injection vulnerability in watolib.
Prior to this Werk it was possible for authenticated users to inject PHP code in files generated by Wato for NagVis integration.
The code would be executed once a request to the respective NagVis component is made.
The underlying reason for this issue was that user data entered in Wato was not properly sanitized when writing to the PHP file.
We thank Stefan Schiller (SonarSource) for reporting this issue.
<b>Affected Versions</b>:
All currently supported versions are affected: 1.6, 2.0, and 2.1.
<b>Mitigations</b>:
As an immediate mitigation you can entirely disable PHP on your server.
Note that NagVis will not work anymore without PHP.
<b>Indicators of Compromise</b>:
Malicious code is injected in either of the files <tt>var/check_mk/wato/auth/auth.php</tt> or <tt>var/check_mk/wato/php-api/hosttags.php</tt>.
Check these files for suspicious code.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 9.1 (Critical) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L</tt>.
A CVE has been requested.
<b>Changes</b>:
This Werk fixes the vulnerability by improving sanitization.
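The following is an added example, not Checkmk's watolib code, showing the class of defect this Werk describes: user-supplied strings interpolated verbatim into a generated PHP file beside a writer that escapes each value as a PHP string literal first. The array layout, the function names and the sample tag title are assumptions.

```python
# Added example (not Checkmk's watolib): the difference between interpolating
# user-supplied strings into a generated PHP file and escaping them first.
# The $hosttags array layout, function names and sample tag values are assumptions.


def php_string_literal(value):
    """Encode a Python str as a PHP single-quoted string literal.

    Inside single quotes PHP only interprets backslash-quote and
    backslash-backslash, so escaping those two characters keeps the value
    inert no matter what else it contains.
    """
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def render_hosttags_vulnerable(tags):
    """Pre-fix pattern: raw interpolation, so a quote in the value ends the literal."""
    lines = ["    '%s' => '%s'," % (key, title) for key, title in tags.items()]
    return "<?php\n$hosttags = array(\n" + "\n".join(lines) + "\n);\n"


def render_hosttags_hardened(tags):
    """Fixed pattern: every user-supplied string is escaped before emission."""
    lines = [
        "    %s => %s," % (php_string_literal(key), php_string_literal(title))
        for key, title in tags.items()
    ]
    return "<?php\n$hosttags = array(\n" + "\n".join(lines) + "\n);\n"


# Constructed input: a tag title containing a closing quote and a statement.
SAMPLE_TAGS = {"env": "prod'); echo 'injected"}

if __name__ == "__main__":
    print(render_hosttags_vulnerable(SAMPLE_TAGS))
    print(render_hosttags_hardened(SAMPLE_TAGS))
```

With the vulnerable writer the `echo` lands outside the string literal and becomes part of the generated program; with the hardened writer it stays inside the quoted value. When auditing the files named under Indicators of Compromise, the same distinction applies: configuration values should only ever appear inside quoted literals.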
ID: 14381
Title: Fix command injection in SMS notification script
Component: Notifications
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk it was possible to inject arbitrary shell commands
when sending SMS notifications. For this, attackers would have needed to
place a crafted string in a user's Pager Address, which was not properly
escaped by the SMS script.
In most setups, this issue will not be exploitable: Changing a user's
Pager Address requires the User Management permission. Users with that
permission are effectively Administrators and can thus already
legitimately execute code in the Site context. Note, however, that in
some setups the attribute can also be configured by external interfaces,
for example via LDAP User Synchronization.
<b>Affected Versions</b>: All currently supported versions are affected:
1.6, 2.0, and 2.1.
<b>Mitigations</b>: As an immediate mitigation all notifications via the
method "SMS (using smstools)" can be disabled. Note that users' personal
notification rules are affected as well.
<b>Indicators of Compromise</b>: If you suspect this issue might have
been exploited in your installation, validate users' Pager Address
fields. Check the Audit Log for changes to this field.
<b>Vulnerability Management</b>: We have rated the issue with a CVSS
Score of 8.0 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>. A CVE has been
requested.
<b>Changes</b>: This Werk replaces a hazardous call to
<tt>os.system</tt> by a safer alternative and adds additional validation
to the Pager Address before attempting to send SMS to it. Valid Pager
Addresses may now include letters, numbers, space characters, any of the
characters <tt>. / - ()</tt>, as well as a <tt>+</tt> character at the
beginning.
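As an added example (not Checkmk's SMS notification script), the two parts of the change described above: a validator for the Pager Address using exactly the character set listed in this Werk, and an invocation of the SMS tool via an argument list rather than a shell string. The tool name "sendsms", its argument order and the sample addresses are assumptions.

```python
# Added example (not Checkmk's SMS notification script): validating a Pager
# Address against the character set this Werk describes and invoking the
# SMS tool with an argument list instead of a shell string. The tool name
# "sendsms", its argument order and the sample addresses are assumptions.
import re
import subprocess

# Letters, digits, spaces, any of . / - ( ), and an optional leading "+".
PAGER_ADDRESS_RE = re.compile(r"\+?[A-Za-z0-9 ./()-]+")


def is_valid_pager_address(address):
    """True if the whole address (not just a prefix) matches the allowed set."""
    return PAGER_ADDRESS_RE.fullmatch(address) is not None


def build_sms_command(address, message):
    """Return the argv list for the SMS tool; reject invalid addresses first."""
    if not is_valid_pager_address(address):
        raise ValueError("invalid pager address: %r" % address)
    # argv form: no shell parses this, so metacharacters in either argument
    # reach the tool as literal text instead of being interpreted.
    return ["sendsms", address, message]


def send_sms(address, message):
    """Validate, then run the tool without a shell (the os.system replacement)."""
    argv = build_sms_command(address, message)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    for candidate in ["+49 30 1234-567 (mobile)", "49+30", "0049 $HOME"]:
        print("%-28s valid=%s" % (candidate, is_valid_pager_address(candidate)))
```

`fullmatch` rather than `match` matters here: `match` would accept a valid prefix followed by anything, and `$` alone would still let a trailing newline through. The `ValueError` path is what an audit of existing Pager Address fields (see Indicators of Compromise above) would key on.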
ID: 13955
Title: Add graph data endpoint to the REST API
Component: REST API
Level: 1
Class: New feature
Version: 2.2.0i1
The REST API now has endpoints for querying graph data.
They are analogous to the Web API endpoints.
If you have any calls to ".../cmk/check_mk/webapi.py?action=get_graph...",
please use the REST endpoint ("/domain-types/graph/actions/get_*_graph/invoke") instead.
Please note that the request and response schemas differ from the Web API and
any client code should be adjusted accordingly.
Further details about the schemas can be found in the documentation of the respective endpoints.
ID: 14484
Title: Add password strength meter
Component: Setup
Level: 1
Class: New feature
Version: 2.2.0i1
When changing the password or creating a new user you now see a password
strength meter indicating an estimate of the password strength.
ID: 14732
Title: cmk-update-agent: Retry locking
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The agent updater is designed to have no more than one instance running
at a time on a host. This is implemented by holding a file lock while running.
We recently observed that acquiring the lock may sometimes fail briefly after it was
released by a previous agent updater instance, possibly due to some antivirus
software.
To mitigate this situation, the locking is now retried 10 times before aborting
the agent updater call.
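An added example (not the cmk-update-agent code) of the retry pattern described above: a non-blocking exclusive file lock that is attempted up to 10 times before the caller gives up. The lock path, the delay between attempts and the use of `fcntl.flock` are assumptions; the Werk only states the retry count.

```python
# Added example (not the cmk-update-agent code): acquiring a single-instance
# lock file with a bounded number of retries, 10 as this Werk describes.
# The lock path, retry delay and the use of fcntl.flock are assumptions.
import fcntl
import time

LOCK_ATTEMPTS = 10
RETRY_DELAY_SECONDS = 0.5
LOCK_PATH = "/tmp/cmk-update-agent-example.lock"  # constructed path


class LockBusy(RuntimeError):
    """Raised when the lock is still held after all attempts."""


def acquire_lock(path, attempts=LOCK_ATTEMPTS, delay=RETRY_DELAY_SECONDS):
    """Open `path` and take an exclusive, non-blocking flock on it.

    Returns the open file object; keep it open to hold the lock. Raises
    LockBusy after `attempts` failed tries, sleeping `delay` between them,
    so a brief post-release failure (the situation in this Werk) is ridden out
    while a genuinely running second instance still aborts.
    """
    handle = open(path, "a+")  # "a+" creates the file without truncating it
    for attempt in range(1, attempts + 1):
        try:
            fcntl.flock(handle.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
            return handle
        except OSError:  # BlockingIOError: another descriptor holds the lock
            if attempt == attempts:
                handle.close()
                raise LockBusy("%s still locked after %d attempts" % (path, attempts))
            time.sleep(delay)


def release_lock(handle):
    """Drop the flock and close the descriptor."""
    fcntl.flock(handle.fileno(), fcntl.LOCK_UN)
    handle.close()


def lock_contention_demo(path=LOCK_PATH):
    """Hold the lock, show a second acquire fails after its retries, then
    show that it succeeds once the first holder releases. Returns True if
    the contended acquire raised LockBusy as expected."""
    first = acquire_lock(path)
    try:
        acquire_lock(path, attempts=3, delay=0.01)
        second_failed = False
    except LockBusy:
        second_failed = True
    release_lock(first)
    third = acquire_lock(path, attempts=3, delay=0.01)
    release_lock(third)
    return second_failed


if __name__ == "__main__":
    print("contended acquire aborted as expected:", lock_contention_demo())
```

Each `open()` creates its own open file description, so the second `flock` in `lock_contention_demo` conflicts with the first even inside one process, which is what makes the contention reproducible without spawning a second updater.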
ID: 14762
Title: mk_postgres.py: instances not found under Linux for PostgreSQL version >= 13
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
This fix only applies when your PostgreSQL server runs under Linux.
The plugin "mk_postgres.py" did not find any instances when PostgreSQL version >=
13 is installed. This has been fixed. If you require this fix, please update
the agent plugin "mk_postgres.py" on the relevant host.
The problem was that with these versions, the output of the "ps" command does not
include the full path to the relevant binaries, so they could not be
correctly identified as PostgreSQL processes. For example:
C+:
[PID] /usr/bin/postmaster [OPTS] --> [PID] postmaster [OPTS]
C-:
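An added example, not the mk_postgres.py plugin itself, of process identification that copes with both forms of the "ps" output shown above: the command column is reduced to its basename before comparison, so a full path and a bare binary name match alike. The sample lines are constructed, and the "PID COMMAND [ARGS]" layout and binary names are assumptions.

```python
# Added example (not the mk_postgres.py plugin): recognising PostgreSQL server
# processes in "ps" output whether the command column carries a full path or,
# as with PostgreSQL >= 13 per this Werk, only the basename. Sample lines are
# constructed; the "PID COMMAND [ARGS]" layout and binary names are assumptions.
import os
import re

POSTGRES_BINARIES = {"postmaster", "postgres"}
DATA_DIR_RE = re.compile(r"(?:^|\s)-D\s+(\S+)")

SAMPLE_PS_OUTPUT = """\
 1001 /usr/bin/postmaster -D /var/lib/pgsql/data
 1002 postmaster -D /var/lib/pgsql/13/data
 1003 /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main
 1004 /usr/bin/python3 /usr/lib/check_mk_agent/plugins/mk_postgres.py
 1005 postgres_exporter --web.listen-address=:9187
"""


def is_postgres_server(command):
    """Compare the basename only: '/usr/bin/postmaster' and 'postmaster' both match."""
    return os.path.basename(command) in POSTGRES_BINARIES


def parse_ps_line(line):
    """Split 'PID COMMAND ARGS...' into (pid, command, args); None for short lines."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    pid, command = parts[0], parts[1]
    args = parts[2] if len(parts) == 3 else ""
    return pid, command, args


def find_postgres_instances(ps_output):
    """Return [(pid, data_dir)] for server processes; data_dir is None without -D."""
    instances = []
    for line in ps_output.splitlines():
        parsed = parse_ps_line(line)
        if parsed is None:
            continue
        pid, command, args = parsed
        if not is_postgres_server(command):
            continue
        match = DATA_DIR_RE.search(args)
        instances.append((pid, match.group(1) if match else None))
    return instances


if __name__ == "__main__":
    for pid, data_dir in find_postgres_instances(SAMPLE_PS_OUTPUT):
        print(pid, data_dir)
```

Matching on the basename rather than on a path substring also keeps unrelated processes such as `postgres_exporter` (PID 1005 in the sample) out of the result, which a loose "contains postgres" test would pick up.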
ID: 14771
Title: Fix ping endpoint for InfluxDB
Component: Core & setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
The InfluxDB connector checks whether a connection is possible over
the "ping" endpoint.
Before, the connector erroneously used the /api/v2/ping endpoint, which
has stopped working in recent versions of the API. Now, it correctly
uses the documented /ping endpoint.
ID: 14553
Title: Prometheus: Bad request url /api/v1/api/v1/status/buildinfo
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Previously, the Prometheus special agent would query endpoints that don't exist. This would
(depending on the HTTP response of the server) result in the following error
C+:
[special_prometheus] Agent exited with code 1: 400 Client Error: Bad Request for url: http://127.0.0.1:8428/api/v1/api/v1/status/buildinfo(!!)
C-:
Moreover, the buildinfo would sometimes be incomplete. Note that this error is a regression
introduced in werk 14132. With this werk, the Prometheus agent queries the endpoints
C+:
/api/v1/status/buildinfo
/api/v1/status/runtimeinfo
C-:
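As an added example (not the Checkmk Prometheus special agent), a URL builder for the two endpoints named above that emits the API prefix exactly once, next to the plain concatenation that produces the doubled `/api/v1/api/v1/...` path from the error message. The host and port come from that message; the function names and the "naive" variant are constructed.

```python
# Added example (not the Checkmk Prometheus special agent): building the
# buildinfo and runtimeinfo URLs so the API prefix appears exactly once, even
# when the configured base URL already ends in /api/v1. Host and port are taken
# from the error message in this Werk; function names are constructed.
from urllib.parse import urlsplit, urlunsplit

API_PREFIX = "/api/v1"
ENDPOINTS = {
    "buildinfo": API_PREFIX + "/status/buildinfo",
    "runtimeinfo": API_PREFIX + "/status/runtimeinfo",
}


def naive_url(base, endpoint):
    """Plain concatenation: duplicates the prefix if `base` already carries it."""
    return base.rstrip("/") + endpoint


def api_url(base, endpoint):
    """Join `base` and an absolute API endpoint, dropping a trailing API prefix from `base`."""
    if not endpoint.startswith(API_PREFIX + "/"):
        raise ValueError("endpoint must be below %s: %r" % (API_PREFIX, endpoint))
    parts = urlsplit(base)
    path = parts.path.rstrip("/")
    if path.endswith(API_PREFIX):
        path = path[: -len(API_PREFIX)]
    return urlunsplit((parts.scheme, parts.netloc, path + endpoint, "", ""))


def status_urls(base):
    """The two endpoints this Werk says the agent now queries, keyed by name."""
    return {name: api_url(base, endpoint) for name, endpoint in ENDPOINTS.items()}


if __name__ == "__main__":
    base = "http://127.0.0.1:8428/api/v1"
    print("naive:", naive_url(base, ENDPOINTS["buildinfo"]))
    for name, url in status_urls(base).items():
        print("%-12s %s" % (name, url))
```

A unit test asserting the exact URLs for both a bare `scheme://host:port` base and one that already ends in `/api/v1` is the cheapest guard against this kind of regression recurring.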
ID: 14505
Title: heartbeat_crm_resources: services not discovered under pacemaker version >= 2
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The check heartbeat_crm_resources would not discover any services when
pacemaker version >= 2 is installed on the host system. This is, for example, the
case with RHEL 8. This has been fixed.
The problem was that newer versions of pacemaker show heartbeat
information in a different format.