Checkmk werks level1 August 2022

checkmk-werks-lvl1@lists.checkmk.com

25 participants
99 discussions

Checkmk Werk 14718: SAP HANA bakery plugin: Handle user store key correctly

by Joerg Herbel

ID: 14718 Title: SAP HANA bakery plugin: Handle user store key correctly Component: agents Level: 1 Class: Bug fix Version: 2.2.0i1 The SAP HANA bakery plugin did not handle the option User store key under Credentials > Default credentials properly. Depending on the configured value, either the agent baking crashed or the baked agent plugin configuration was wrong, st. the plugin execution failed.

1 year, 11 months

Checkmk Werk 14383: Fix code injection in watolib

by Hannes Rantzsch

ID: 14383 Title: Fix code injection in watolib Component: Setup Level: 1 Class: Security fix Version: 2.2.0i1 This Werk fixes a code injection vulnerability in watolib. Prior to this Werk it was possible for authenticated users to inject PHP code in files generated by Wato for NagVis integration. The code would be executed once a request to the respective NagVis component is made. The underlying reason for this issue was that user data entered in Wato was not properly sanitized when writing to the PHP file. We thank Stefan Schiller (SonarSource) for reporting this issue. Affected Versions: All currently supported versions are affected: 1.6, 2.0, and 2.1. Mitigations: As an immediate mitigation you can entirely disable PHP on your server. Note that NagVis will not work anymore without PHP. Indicators of Compromise: Malicious code is injected in either of the files <tt>var/check_mk/wato/auth/auth.php</tt> or <tt>var/check_mk/wato/php-api/hosttags.php</tt>. Check these files for suspicious code. Vulnerability Management: We have rated the issue with a CVSS Score of 9.1 (Critical) with the following CVSS vector: <tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L</tt>. A CVE has been requested. Changes: This Werk fixes the vulnerability by improving sanitization.

1 year, 11 months

Checkmk Werk 14381: Fix command injection in SMS notification script

by Hannes Rantzsch

ID: 14381 Title: Fix command injection in SMS notification script Component: Notifications Level: 1 Class: Security fix Version: 2.2.0i1 Previous to this Werk it was possible to inject arbitrary shell commands when sending SMS notifications. For this, attackers would have needed to place a crafted string in a user's Pager Address, which was not properly escaped by the SMS script. In most setups, this issue will not be exploitable: Changing a user's Pager Address requires the User Management permission. Users with that permission are effectively Administrators and can thus already legitimately execute code in the Site context. Note however, that in some setups the attribute can also be configured by external interfaces, for example via LDAP User Synchronization. Affected Versions: All currently supported versions are affected: 1.6, 2.0, and 2.1. Mitigations: As an immediate mitigation all notifications via the method "SMS (using smstools)" can be disabled. Note that users' personal notification rules are affected as well. Indicators of Compromise: If you suspect this issue might have been exploited in your installation, validate users' Pager Address fields. Check the Audit Log for changes to this field. Vulnerability Management: We have rated the issue with a CVSS Score of 8.0 (High) with the following CVSS vector: <tt>CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>. A CVE has been requested. Changes: This Werk replaces a hazardous call to <tt>os.system</tt> by a safer alternative and adds additional validation to the Pager Address before attempting to send SMS to it. Valid Pager Addresses may now include letters, numbers, space characters, any of the characters <tt>. / - ()</tt>, as well as a <tt>+</tt> character at the beginning.

1 year, 11 months

Checkmk Werk 13955: Add graph data endpoint to the REST API

by Philipp Siegmantel

ID: 13955 Title: Add graph data endpoint to the REST API Component: REST API Level: 1 Class: New feature Version: 2.2.0i1 The REST API now has endpoints for querying graph data. They are analogous to the Web API endpoint. If you have any calls to ".../cmk/check_mk/webapi.py?action=get_graph...", please use the REST endpoint ("/domain-types/graph/actions/get_*_graph/invoke") instead. Please note that the request and response schemas differ from the Web API and any client code should be adjusted accordingly. Further details about the schemas can be found in the documentation of respective endpoints

1 year, 11 months

Checkmk Werk 14484: Add password strength meter

by Maximilian Wirtz

ID: 14484 Title: Add password strength meter Component: Setup Level: 1 Class: New feature Version: 2.2.0i1 When changing the password or creating a new user you now see a password strength meter indicating a estimation of the password strength.

1 year, 11 months

Checkmk Werk 14732: cmk-update-agent: Retry locking

by Andreas Umbreit

ID: 14732 Title: cmk-update-agent: Retry locking Component: agents Level: 1 Class: Bug fix Version: 2.2.0i1 The agent updater is designed to have no more than one instance running at a time on a host. This is implemented by holding a file lock while running. We recently observed that a lock may sometimes fail briefly after it was released by a previous agent updater instance, possibly due to some anti virus software. To mitigate this situation, the locking is now retried 10 times before aborting the agent updater call.

1 year, 11 months

Checkmk Werk 14762: mk_postgres.py: instances not found under Linux for PostgreSQL version >= 13

by Lisa Pichler

ID: 14762 Title: mk_postgres.py: instances not found under Linux for PostgreSQL version >= 13 Component: Checks & agents Level: 1 Class: Bug fix Version: 2.2.0i1 This fix only applies when your PostgreSQL server runs under Linux. The plugin "mk_postgres.py" does not find any instances when PostgreSQL version >= 13 is installed. This has been fixed. If you require this fix, please update the agent plugin "mk_postgres.py" on the relevant host. The problem was that in this version, the output of the "ps" command does not include the full path to the relevant binaries, and therefore they could not be correctly identified as PostgreSQL processes. For example: [PID] /usr/bin/postmaster [OPTS] --> [PID] postmaster [OPTS]

1 year, 11 months

Checkmk Werk 14771: Fix ping endpoint for InfluxDB

by Mathias Laurin

ID: 14771 Title: Fix ping endpoint for InfluxDB Component: Core & setup Level: 1 Class: Bug fix Version: 2.2.0i1 The InfluxDB connector checks whether a connection is possible over the "ping" endpoint. Before, the connector erroneously used the /api/v2/ping endpoint, which has stopped working in recent versions of the API. Now, it correctly uses the documented /ping endpoint.

1 year, 11 months

Checkmk Werk 14553: Prometheus: Bad request url /api/v1/api/v1/status/buildinfo

by Solomon Jacobs

ID: 14553 Title: Prometheus: Bad request url /api/v1/api/v1/status/buildinfo Component: Checks & agents Level: 1 Class: Bug fix Version: 2.2.0i1 Previously, the Prometheus special agent would query endpoints, which don't exist. This would (depending on the the HTTP response of the server) result in the following error C+: [special_prometheus] Agent exited with code 1: 400 Client Error: Bad Request for url: http://127.0.0.1:8428/api/v1/api/v1/status/buildinfo(!!) C-: Moreover, the buildinfo would sometimes be incomplete. Note, the new error is a regression introduced in werk 14132. With this werk, the Prometheus agent queries the endpoints C+: /api/v1/status/buildinfo /api/v1/status/runtimeinfo C-:

1 year, 11 months

Checkmk Werk 14505: heartbeat_crm_resources: services not discovered under pacemaker version >= 2

by Lisa Pichler

ID: 14505 Title: heartbeat_crm_resources: services not discovered under pacemaker version >= 2 Component: Checks & agents Level: 1 Class: Bug fix Version: 2.2.0i1 The check heartbeat_crm_resources would not discover any services when pacemaker version >= 2 is installed on the host system. This is for example the case with RHEL8. This has been fixed. The problem was due to the fact that newer versions of pacemaker show heartbeat information in a different format.

1 year, 11 months

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1 August 2022