ID: 14744
Title: Fix reload of graph dashlets in dashboards
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
Graph dashlets used in dashboards have not been refreshed correctly since version 2.1 if the
graph's time range option was set to "The last ...".
ID: 14678
Title: mk_docker is docker >=6.0.0 compatible
Component: agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The mk_docker agent plugin now works with version 6.0.0 or later of the docker Python library (docker-py).
Previously, the plugin failed with the message that the module docker.version was not JSON serializable: since docker-py 6.0.0 the docker.version attribute is a submodule rather than a version string, so writing it into the plugin's JSON output failed.
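As an added illustration (not mk_docker's own code), the snippet below shows how a plugin that embeds the library version in its JSON output runs into this, and how to read the version in a way that works on both package layouts. The attribute names (docker.version as a string before 6.0.0, docker.__version__ and the docker.version submodule from 6.0.0 on) are the docker-py layout as I understand it; fake_docker() builds constructed stand-in modules so the example runs without the library, and the section name and helper names are hypothetical.

```python
import json
import types


def lib_version(docker_module) -> str:
    """Return the docker-py version string for either package layout.

    docker-py < 6.0.0 exposed the version as the string docker.version.
    From 6.0.0 on, docker.version is the submodule of that name and the string
    lives in docker.__version__ (and docker.version.__version__).  Reading
    docker.version blindly therefore yields a module object on new releases.
    """
    for candidate in (
        getattr(docker_module, "__version__", None),
        getattr(docker_module, "version", None),
    ):
        if isinstance(candidate, str):
            return candidate
        if isinstance(candidate, types.ModuleType):
            nested = getattr(candidate, "__version__", None)
            if isinstance(nested, str):
                return nested
    return "unknown"


def naive_section(docker_module) -> str:
    """Pre-fix pattern: serialise docker.version as-is.

    Fine on the old layout; on docker-py >= 6.0.0 json.dumps() raises
    TypeError: Object of type module is not JSON serializable.
    """
    return json.dumps({"docker_py_version": docker_module.version})


def fixed_section(docker_module) -> str:
    """Hypothetical agent section line built with the layout-agnostic helper."""
    return json.dumps({"docker_py_version": lib_version(docker_module)})


def fake_docker(layout: str) -> types.ModuleType:
    """Constructed stand-ins for the two layouts; not the real library."""
    mod = types.ModuleType("docker")
    if layout == "old":
        mod.version = "5.0.3"
        mod.__version__ = mod.version
    else:
        sub = types.ModuleType("docker.version")
        sub.__version__ = "6.0.0"
        mod.version = sub
        mod.__version__ = sub.__version__
    return mod


if __name__ == "__main__":
    for layout in ("old", "new"):
        print(layout, fixed_section(fake_docker(layout)))
    try:
        naive_section(fake_docker("new"))
    except TypeError as err:
        print("naive pattern on docker-py 6:", err)
```

The same defensive pattern applies to any agent plugin that serialises attributes of a third-party module: check the type before handing it to json.dumps(), because a library upgrade can silently turn a string attribute into something else.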
ID: 14680
Title: Fix crash in heartbeat_crm plugin
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The heartbeat_crm check would crash with a KeyError when the rule "Heartbeat CRM general status" was not set.
ID: 14385
Title: Fix limited SSRF in agent-receiver API
Component: Core & setup
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk attackers could use the host registration API for Server Side Request Forgery.
An attacker would have been able to make the Checkmk server issue local requests to endpoints that should only be accessible from localhost.
In order to exploit this vulnerability attackers would have needed the privileges to register hosts.
This vulnerability was caused by insufficient sanitization of the hostname of the host to be registered.
We thank Stefan Schiller (SonarSource) for reporting this issue.
<b>Affected Versions</b>:
2.1
<b>Mitigations</b>:
The affected API can be disabled using <tt>omd stop agent-receiver</tt>.
Note however, that this makes it impossible to register new hosts.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 5.0 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
A CVE has been requested.
<b>Changes</b>:
This Werk adds validation for the hostname and ensures hostnames are escaped in requests to the REST API.
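To make the two controls named above concrete, here is an added example (not the agent-receiver's own code) of a path builder for a loopback-only REST API: the pre-fix pattern pastes the caller-controlled host name into the URL, while the hardened version first allow-lists the host name and then percent-encodes it. The base URL, the host_config path and the function names are assumptions for illustration; the validation rule is plain RFC 1123 host-name syntax.

```python
import re
from urllib.parse import quote

# Hypothetical base URL of the local REST API that the agent-receiver calls.
# It is only reachable from the Checkmk server itself, which is what turns
# an unvalidated host name into an SSRF primitive.
REST_API_BASE = "http://localhost:5000/mysite/check_mk/api/1.0/"

# One DNS label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: RFC 1123 style host names only."""
    if not hostname or len(hostname) > 253:
        return False
    return all(LABEL_RE.fullmatch(label) for label in hostname.split("."))


def host_config_url_unsafe(hostname: str) -> str:
    """Pre-fix pattern: the caller-controlled name is pasted into the path.

    Path separators, '..', '?' and '#' let the caller aim the request at a
    different endpoint of the loopback-only API.
    """
    return f"{REST_API_BASE}objects/host_config/{hostname}"


def host_config_url(hostname: str) -> str:
    """Hardened: reject anything that is not a host name, then percent-encode.

    Validation is the primary control; quote(safe="") is defence in depth so
    that even a name that slips through cannot introduce URL metacharacters.
    """
    if not is_valid_hostname(hostname):
        raise ValueError(f"refusing to register invalid host name {hostname!r}")
    return f"{REST_API_BASE}objects/host_config/{quote(hostname, safe='')}"


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, two SSRF-style attempts.
    for name in ("web01.example.com", "../../../../internal/admin?x=", "web01#frag"):
        print(name, "->", host_config_url_unsafe(name))
        try:
            print("   validated:", host_config_url(name))
        except ValueError as err:
            print("   rejected:", err)
```

Note that the allow-list deliberately rejects more than the URL grammar requires (underscores, spaces, non-ASCII); for a registration API that is the right trade-off, since a name that is not a valid host name has no business being registered anyway.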
ID: 14677
Title: Remove item_name and item_help keywords from CheckParameterRulespecWithItem
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
This change might break existing MKPs (Checkmk extension packages).
The CheckParameterRulespecWithItem class no longer accepts the item_name and item_help keywords.
item_spec should be used instead.
Before this werk, the following was valid for registering a new rulespec:
C+:
rulespec_registry.register(
    CheckParameterRulespecWithItem(
        check_group_name="a_check",
        item_name="fitting item name",
        item_help="inline help text",
        group=RulespecGroupCheckParametersApplications,
        parameter_valuespec=_parameter_valuespec_network,
        title=lambda: "A good title",
    )
)
C-:
This should be rewritten as:
C+:
rulespec_registry.register(
    CheckParameterRulespecWithItem(
        check_group_name="a_check",
        item_spec=lambda: TextInput(title="fitting item name", help="inline help text"),
        group=RulespecGroupCheckParametersApplications,
        parameter_valuespec=_parameter_valuespec_network,
        title=lambda: "A good title",
    )
)
C-:
ID: 14766
Title: mk_mongodb.py: mongodb_instance section shows information from a different host
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The agent plugin "mk_mongodb.py" creates the section "mongodb_instance". In
some cases, this section contained information from a different host (i.e.
another replica set member) of the MongoDB cluster than the one on which the
agent plugin runs. The problem was that the connection settings did not tell
the driver to connect to the local host directly, so MongoDB distributed the
requests across the cluster. This has been fixed. To get the fix, the agent
plugin must be redeployed to the hosts.
ID: 14765
Title: mk_mongodb.py: primary host is listed under active secondaries
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The plugin "mk_mongodb.py" provides the section "mongodb_replica", which
contains information on the MongoDB primary, secondaries, and arbiters. The
primary host was listed as both primary and active secondary. This is also
shown in the corresponding check, "mongodb_replica". This has been fixed.
The fix requires that the agent plugin, "mk_mongodb.py", is updated on the
relevant hosts.
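Both mk_mongodb.py werks above come down to two details that are easy to get wrong in a monitoring plugin, so here is an added example (my code, not the plugin's) covering them: building a connection string that pins the driver to the local mongod via the directConnection URI option, and classifying replSetGetStatus members so that the primary is reported once and never also as an active secondary. The sample status document is constructed to resemble replSetGetStatus output (the name, state, stateStr and health fields are the real ones); the function names are mine.

```python
from urllib.parse import urlencode


def instance_uri(host: str, port: int = 27017) -> str:
    """Connection string that targets exactly this mongod.

    Without directConnection=true a driver handed one replica set member
    discovers the whole set and may route commands to another member, so
    per-instance data ends up describing a different host.
    """
    return f"mongodb://{host}:{port}/?" + urlencode({"directConnection": "true"})


def classify_members(repl_status: dict) -> dict:
    """Split replSetGetStatus members into primary, active secondaries, arbiters.

    A member is exactly one of these: the PRIMARY is never also counted as a
    secondary (the werk 14765 bug), and a SECONDARY only counts as active when
    health == 1.  Members in other states (RECOVERING, DOWN, ...) are skipped.
    """
    primary = None
    active_secondaries = []
    arbiters = []
    for member in repl_status.get("members", []):
        state = member.get("stateStr")
        if state == "PRIMARY":
            primary = member["name"]
        elif state == "SECONDARY" and member.get("health") == 1:
            active_secondaries.append(member["name"])
        elif state == "ARBITER":
            arbiters.append(member["name"])
    return {
        "primary": primary,
        "active_secondaries": active_secondaries,
        "arbiters": arbiters,
    }


# Constructed sample resembling db.adminCommand({replSetGetStatus: 1}) output.
SAMPLE_STATUS = {
    "set": "rs0",
    "members": [
        {"_id": 0, "name": "mongo1:27017", "health": 1, "state": 1, "stateStr": "PRIMARY"},
        {"_id": 1, "name": "mongo2:27017", "health": 1, "state": 2, "stateStr": "SECONDARY"},
        {"_id": 2, "name": "mongo3:27017", "health": 0, "state": 8, "stateStr": "(not reachable/healthy)"},
        {"_id": 3, "name": "mongo4:27017", "health": 1, "state": 7, "stateStr": "ARBITER"},
    ],
}


if __name__ == "__main__":
    print(instance_uri("mongo2"))
    for role, names in classify_members(SAMPLE_STATUS).items():
        print(f"{role}: {names}")
```

The URI can be handed to pymongo's MongoClient as-is; directConnection is a standard MongoDB URI option, supported by pymongo since 3.11 as far as I know. Note that with a direct connection, replSetGetStatus still reports the whole set, since it is a view of the replica set held by the local member.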
ID: 14741
Title: Use internal folder ID in audit log on moving hosts
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
When a host was moved between folders, the audit log entry identified the source
and target folders by name only. Such entries become unclear if a folder is
renamed later, because the name in the old entry no longer exists.
The folder's internal ID does not change when the folder is renamed, so we now
add it to the entry for a better understanding of these log entries.
For example:
"Moved host from "Main directory" (ID: 21016475a7554c11afca66ae620b4c52) to
"myfolder1/myfolder2" (ID: fffa1507d66248cd9da17ac3cc5103d5)"