ID: 15629
Title: McAfee Web Gateway: New Plugins for HTTP Client Requests
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
There are three new plugins
LI: <tt>mcafee_webgateway_http_client_requests</tt>
LI: <tt>mcafee_webgateway_https_client_requests</tt>
LI: <tt>mcafee_webgateway_httpv2_client_requests</tt>
which monitor the client request rate for HTTP, HTTPS and HTTPv2, respectively.
ID: 15890
Title: user: read permissions are now checked in the request schema before delete/edit/create user
Component: REST API
Level: 1
Class: Security fix
Version: 2.3.0b1
Prior to this Werk an authenticated user was able to enumerate username with the RestAPI.
We found this vulnerability internally.
<b>Affected Versions</b>:
LI: 2.2.0
<b>Indicators of Compromise</b>:
You can check <tt>var/log/apache/access_log</tt> for a unusual amount of requests to the user_config RestAPI endpoints.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 4.4 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</tt>.
We assigned CVE-2023-22359 to this vulnerability.
<b>Changes</b>:
When calling either of the following endpoints, a 401 will be returned if
the client user doesn't have permission to read users.
POST /domain-types/user_config/collections/all
PUT /objects/user_config/{username}
DELETE /objects/user_config/{username}
ID: 15765
Title: check_temperature: Fix misleading service details in temperature checks
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.0.0p37
In case the state from the device wasn't OK, thresholds from the device were
appended to the service details, e.g. '46 °C, warning (device warn/crit at 56/56 °C)'.
This suggests that the temperature value exceeds the threshold, which isn't the case.
To make it clearer, the service details are changed to: '46 °C, State on device: warning'
in this case.
ID: 15766
Title: local: Better error handling for incorrect local checks
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
Previously, the discovery service would crash in case of incorrect
lines in the local check section. This prevented all other local services
with correct format from being discovered.
Now, the discovery service no longer crashes, the faulty local service is
discovered and it crashes with a helpful message. All other local services
are discovered and their state isn't influenced by the incorrect service.
In case when the item can't be determined from the local section line, the
line is completely ignored.
ID: 15633
Title: cisco_fru_module_status: '14' is not a valid PhysicalClasses
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
Previously, the plugin <tt>cisco_fru_module_status</tt> would raise the error
C+:
ValueError ('14' is not a valid PhysicalClasses)
C-:
while parsing the section. With this Werk, the crash no longer occurs.
The state '14' is now remapped to 'unknown'. Note, that the MIB v2/ENTITY-MIB.my does not list the
state '14', so may we might have to update this mapping, if Cisco aligns their MIBs with the
behaviour of their devices.
ID: 15891
Title: ical_import: .ical files are now imported using the icalendar package
Component: Setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
When importing .ical files, the icalendar package is now responsible for
parsing the contents.
ID: 15632
Title: check_http: Fix Option Enforce IPv4 Properly
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
In Werk 15621, the behaviour of <tt>Enforce IPv4</tt> was changed. Existing rules have been
migrated to a new option (with the old behaviour). However, the selection of the option <tt>Enforce
IPv4</tt> in the user interface did not work properly. It resulted in the following crash
C+:
ValueError('ipv4_enforced' is not a valid Family)
C-:
This Werk fixes the selection.
ID: 15764
Title: xinetd: Migrate old xinetd service if template file exists
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
Previously, the cleanup function didn't do the migration of an old
xinetd service if /etc/check_mk/xinetd-service-template.cfg was present.