ID: 15151
Title: azure_storageaccounts: Fix aggregation type and units in performance check
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
There were several bugs in the Azure Storage performance check plugin.
Success server latency and End-to-end server latency had no units in the service
summary and showed wrong units in the metrics. The aggregation of all three
metrics was wrong (total instead of average), which led to incorrect values
being shown.
ID: 15279
Title: Expose version and edition via HTTP-headers
Component: REST API
Level: 1
Class: New feature
Version: 2.3.0b1
The HTTP headers "x-checkmk-edition" and "x-checkmk-version" are used to expose
the Checkmk version and edition on all authenticated REST API HTTP responses.
ID: 14586
Title: gcp_status: Monitor GCP Status
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
With this werk, it is possible to monitor the GCP Health Dashboard,
available at https://status.cloud.google.com/. Since this
site is publicly available, no authentication is required for this
monitoring.
This feature consists of a special agent, agent_gcp_status, and a new
check, gcp_status. The special agent can be configured via the rule
Google Cloud Platform (GCP) Status.
ID: 15068
Title: Fix improper certificate validation in agent updater
Component: agents
Level: 1
Class: Security fix
Version: 2.3.0b1
The compiled version of the agent-updater uses its own collection of trusted Certificate Authorities.
This collection comes from the Python package certifi and is based on the collection of Mozilla Firefox.
The Python package in use, and therefore the collection, was outdated and is subject to CVE-2022-23491.
This collection included a CA certificate of TrustCor, which is no longer considered trustworthy.
(See: https://security.googleblog.com/2023/01/sustaining-digital-certificate-secu…)
If an attacker was able to create certificates for arbitrary domains signed by this CA, machine-in-the-middle attacks could be possible.
To mitigate this vulnerability, please update and roll out the agent-updater (a typical agent update is sufficient).
If an update is currently not possible, one can set the <tt>Certificates for HTTPS verification</tt> option for the agent updater.
If this option is set a custom list of trusted certificates is used to verify the HTTPS connection instead of the CA collection.
All versions up to 1.6 are vulnerable.
This vulnerability was found internally.
We calculated a CVSS 3.1 score of 6.2 (medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:R
Please note that we rate this rather low since this is more of a hypothetical attack and no wrongdoing by the CA was ever proven.
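One way to check a CA collection for the TrustCor roots described in this werk, as an added example that is not part of Checkmk or the agent updater. It assumes the annotated layout certifi uses for its cacert.pem (comment lines with Issuer, Subject and Label before each PEM block); the function names and the sample bundle are constructed for illustration. It inspects the certifi package of the running Python interpreter, not the collection embedded in a compiled agent-updater binary.

```python
import re

# Constructed sample in the annotated layout certifi uses for cacert.pem
# (comment header, then PEM block). The certificate bodies are placeholders.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Trust
# Subject: CN=Example Root CA O=Example Trust
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----

# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Label: "TrustCor RootCert CA-1"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

def distrusted_roots(bundle_text, needle="TrustCor"):
    """Return the labels of bundle entries whose header mentions needle."""
    hits, header = [], {}
    for line in bundle_text.splitlines():
        m = re.match(r"#\s*(Issuer|Subject|Label):\s*(.*)", line)
        if m:
            header[m.group(1)] = m.group(2).strip().strip('"')
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            text = " ".join(header.values())
            if needle.lower() in text.lower():
                hits.append(header.get("Label") or header.get("Subject", "<unlabelled>"))
            header = {}  # the header belongs to this certificate only
    return hits

def audit_installed_certifi():
    """Scan the certifi bundle of this interpreter; None if certifi is absent."""
    try:
        import certifi
    except ImportError:
        return None
    with open(certifi.where(), encoding="utf-8") as fh:
        return distrusted_roots(fh.read())

if __name__ == "__main__":
    print("sample bundle:", distrusted_roots(SAMPLE_BUNDLE))
    print("installed certifi:", audit_installed_certifi())
```

An empty list for the installed bundle means no entry with a TrustCor header remains; a non-empty list names the entries that an updated certifi release no longer ships.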
ID: 15067
Title: Show if user is locked
Component: Setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
With this Werk, a user who is locked will be informed that the account is locked.
Previously, it was only shown that the login was invalid, which led users to make more login attempts.
ID: 13628
Title: Dashboards: New cloud dashboards for storage services on AWS, Azure and GCP
Component: Multisite
Level: 1
Class: New feature
Version: 2.3.0b1
ID: 15152
Title: Fix crash in mk-job.solaris
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
mk-job.solaris started crashing in version 2.1.p1 with an error:
"exit: : numeric argument required".