ID: 14572
Title: Prometheus: Deprecation of `kube-state-metrics` scrape target
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
The Prometheus agent provides `kube-state-metrics` as a possible data source. This in turn
enables the following checks:
<ul>
<li>k8s_resources</li>
<li>k8s_namespaces</li>
<li>k8s_conditions</li>
<li>k8s_pod_container</li>
<li>k8s_service_info</li>
<li>k8s_daemon_pods</li>
</ul>
However, these checks are no longer actively maintained, since they have been superseded by their
counterparts in the Kubernetes agent. Moreover, the `kube-state-metrics` target
<ul>
<li>does not support new versions of kube-state-metrics (v2.0.0-alpha / 2020-09-16 or newer),</li>
<li>does not provide the information required to fully support monitoring and</li>
<li>is strictly inferior to monitoring via the Kubernetes agent.</li>
</ul>
For this reason, this option will be removed in Checkmk 2.3.0.
If you are affected by this change, you need to set up your monitoring as per these instructions:
https://docs.checkmk.com/latest/en/monitoring_kubernetes.html
ID: 15169
Title: host_config & folder_config: fix validation for remove_attributes when using custom attributes
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Prior to this werk, the REST-API returned a 400 error when a custom attribute was provided
in the remove_attributes field in the update endpoint. This werk fixes this error by passing
the validation mechanism to the endpoint.
ID: 15167
Title: folder_config: fix querying a folder with invalid time in network scan option
Component: REST API
Level: 1
Class: Bug fix
Version: 2.2.0i1
Prior to this werk, the REST-API raised an error when the user tried to query a folder
config which had the network scan option configured with 24:00 in one of its time ranges.
This werk fixes this behaviour.
ID: 15108
Title: Broken links in service summaries
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Links rendered in service summaries were not clickable if another result followed the link.
ID: 14394
Title: Changing password fails when a password policy is enforced
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
When a password policy (e.g. minimum length) was configured, users could not change their passwords due to an internal error.
Affected users would see the error message `Internal error: object of type 'Password' has no len()`.
This is now fixed.
ID: 15166
Title: KUBE: addition of available to StatefulSets replicas
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
This werk adds the available replicas field of the StatefulSets to the
<tt>kube_replicas</tt> check plugin. Similar to the ready replicas, the not available
duration threshold can be configured via the check plugin's rule.
ID: 14768
Title: mssql.vbs: some database specific sections contain data from a different database
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
If you require this fix, you must reinstall the agent plugin "mssql.vbs" on the
relevant hosts.
Please note that applying this fix could lead to vanished services. If this is
the case, it makes sense to remove them from your monitoring, as these services
belong to a different database and have been falsely created. You can find
detailed error messages in the host's agent output.
In some settings the user that is used to run queries against the various
databases on a MSSQL server does not have access rights to query all databases.
This could lead to data from a different database shown for any database that
the user could not query.
Known services affected by this error:
LI: tablespaces
LI: transactionlogs
LI: datafiles
LI: clusters
The problem was that the error after attempting to switch to a different
database was not captured, and it was assumed to be successful. Instead, the
subsequent query was run against the database the user could last switch to.
If you would like to give the user extended access rights to query all
databases, please read the article at https://kb.checkmk.com/x/pAKqAg
We have introduced a more consistent way to perform queries against the system
and handle any errors.
ID: 15065
Title: Path-Traversal in MKP storing
Component: Other Components
Level: 1
Class: Security fix
Version: 2.2.0i1
Prior to this Werk, an authenticated user with admin rights could upload a malicious MKP, leading to file creation at an attacker-controlled path.
We thank Niko Wenselowsk (SVA) for reporting this issue.
<b>Affected versions are:</b>
LI: 2.0.0 previous to this Werk
LI: 2.1.0 previous to this Werk
LI: 1.6.0 is not affected
<b>Detection possibilities:</b>
An audit log entry is written when an extension package is uploaded.
You can look for an entry with <tt>Uploaded extension package</tt> followed by a package name and version containing sequences of <tt>../</tt>.
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.5 (low) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L.
We assigned CVE-2022-4884 to this vulnerability.
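The detection hint above as a script, added here as an example (not Checkmk code): it scans audit-log lines for <tt>Uploaded extension package</tt> entries whose package name or version contains <tt>../</tt>. The sample lines and their field layout are constructed; only the marker text and the <tt>../</tt> indicator come from this Werk.

```python
import re
from typing import Iterable, List, NamedTuple

# Marker text named in the werk's detection hint.
MARKER = "Uploaded extension package"
# "../" as described in the werk; a trailing ".." path component is flagged too.
TRAVERSAL = re.compile(r"\.\./|(?:^|/)\.\.$")


class Hit(NamedTuple):
    line_no: int       # 1-based line number in the scanned log
    fields: List[str]  # tokens after the marker that contain a traversal sequence
    line: str          # the full log line, for the analyst


def find_suspicious_uploads(lines: Iterable[str]) -> List[Hit]:
    """Return upload entries whose package name or version contains '../'."""
    hits = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        # Only text after the marker is inspected, so "../" in other
        # audit entries (or in fields before the marker) is ignored.
        _, found, tail = line.partition(MARKER)
        if not found:
            continue
        bad = [tok for tok in tail.split() if TRAVERSAL.search(tok)]
        if bad:
            hits.append(Hit(line_no, bad, line))
    return hits


# Constructed sample lines; the field layout before the marker is an assumption.
SAMPLE_LOG = """\
1670000000 - admin mkp-upload Uploaded extension package my_checks 1.0.0
1670000100 - admin mkp-upload Uploaded extension package ../../local/lib/evil 1.0
1670000200 - admin mkp-upload Uploaded extension package tools 2.0/../../../tmp/x
1670000300 - admin edit-host Modified host ../not-an-upload
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(f"line {hit.line_no}: suspicious fields {hit.fields}")
```
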
ID: 15064
Title: Agent updater checks for certificate validity
Component: agents
Level: 1
Class: New feature
Version: 2.2.0i1
The agent updater now reports the status of the trusted certificates for agent signatures.
The status of those certificates is then checked by the service <i>Check_MK Agent</i> as follows:
LI: Warn if a certificate is corrupt
LI: Warn if a certificate is not valid anymore
LI: Warn if a certificate is about to become invalid
LI: Crit if there is no trusted certificate
LI: Warn/Crit if there will be no valid cert in 90/30 days.