Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.2.0p18
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with another script and put
it in the JAVA_HOME directory. The script would be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users of the jar_signature plugin. To avoid the risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
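The pattern described in this werk, as an added example that is not the Checkmk jar_signature plugin's own code: a plugin running as root must not execute a jarsigner binary that lives under a JAVA_HOME controlled by an unprivileged account, so the call is made as that account instead. The account name (here "oracle"), the `$JAVA_HOME/bin/jarsigner` path and the `jarsigner_trusted` permission check are assumptions for illustration.

```shell
#!/bin/sh
# Added example; not the Checkmk jar_signature plugin's own code.
# Assumptions: JAVA_HOME is exported by the caller and the binary sits at
# $JAVA_HOME/bin/jarsigner; the target account (e.g. "oracle") is passed as $1.

# Succeed only if the binary is a regular executable that group/others cannot write.
# A group- or world-writable file could be swapped out by an unprivileged user.
jarsigner_trusted() {
    bin=$1
    [ -f "$bin" ] && [ -x "$bin" ] || return 1
    case "$(ls -ld "$bin" | cut -c1-10)" in
        ?????w????|????????w?) return 1 ;;   # group-write or other-write bit is set
    esac
    return 0
}

# Verify the given JAR files with jarsigner, running it as $1 instead of as root.
# Prints jarsigner's output; returns 2 when the binary fails the sanity check.
run_jarsigner_as() {
    user=$1
    shift
    bin=$JAVA_HOME/bin/jarsigner
    if ! jarsigner_trusted "$bin"; then
        echo "refusing to run $bin: not a regular, non-writable executable" >&2
        return 2
    fi
    if [ "$(id -u)" -eq 0 ] && [ "$user" != root ]; then
        # Running as root: drop to the target account for the actual call, so a
        # replaced jarsigner only ever runs with that account's privileges.
        # Inside the -c string, $0 and $@ are filled from the trailing arguments.
        su -s /bin/sh "$user" -c '"$0" -verify "$@"' "$bin" "$@"
    else
        # Already unprivileged: call the binary directly.
        "$bin" -verify "$@"
    fi
}

# Stand-alone use: run_jarsigner_as oracle /path/to/app.jar
if [ $# -gt 0 ]; then
    run_jarsigner_as "$@"
fi
```

The permission check is defence in depth only: the real fix is that the privileged process never runs the binary with root rights, so even a swapped jarsigner executes with the oracle account's privileges.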
Title: check_mk_agent: Set LC_ALL before running the agent
Class: fix
Compatible: compat
Component: checks
Date: 1704190188
Edition: cre
Level: 1
Version: 2.2.0p18
Previously, Checkmk agents would be run with a preset LC_ALL
environment variable if neither the C.UTF-8 nor the C.utf-8 locale was
installed.
That led to invalid agent output and crashes in section parsing
in multiple checks for some of the locales.
Linux, AIX, Solaris, FreeBSD and OpenWrt agents were affected.
Now, the LC_ALL variable is set to C in the described case.
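How such a fallback can be chosen from the installed locales, as an added example that is not the Checkmk agent's own code. The function reads the `locale -a` listing from stdin so it can be exercised on constructed input; accepting the glibc spelling `C.utf8` in addition to the two names in the werk is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the Checkmk agent's code: pick a value for LC_ALL from the
# output of `locale -a`, falling back to plain C when no UTF-8 variant of the
# C locale is installed (the case the werk describes).

# Reads locale names on stdin; prints the first usable C.UTF-8 spelling, else C.
pick_lc_all() {
    while IFS= read -r loc; do
        case "$loc" in
            # glibc prints the locale as C.utf8; other systems use C.UTF-8 / C.utf-8
            C.UTF-8|C.utf-8|C.utf8|C.UTF8) echo "$loc"; return 0 ;;
        esac
    done
    echo "C"
}

# Export the chosen value so every process the agent starts inherits it.
apply_lc_all() {
    LC_ALL=$(locale -a 2>/dev/null | pick_lc_all)
    export LC_ALL
}
```

Calling `apply_lc_all` before the agent's section plugins run gives every child process a locale that exists on the host, so section output is never produced under a locale that the parsers on the server side cannot decode.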
Title: SLA tooltip missing UNKN state
Class: fix
Compatible: compat
Component: multisite
Date: 1704356932
Edition: cee
Level: 1
Version: 2.2.0p18
The SLA tooltip would always show UNKN (0%) even if the state was UNKN.
The corresponding value was aggregated as a PEND state.
Now the UNKN state is displayed correctly.
Title: Abort CMC on irrecoverable filesystem errors
Class: fix
Compatible: compat
Component: cmc
Date: 1704295653
Edition: cee
Level: 1
Version: 2.2.0p18
The following errors now cause the core to exit:
LI: too many files open (EMFILE)
LI: too many files open in system (ENFILE)
LI: no buffer space (ENOBUFS)
LI: not enough memory (ENOMEM)
Correct monitoring cannot be guaranteed when the server is in this state.
Title: Licensing: Allow UI to be used in trial and free state when CMC is not running
Class: fix
Compatible: compat
Component: wato
Date: 1704716713
Edition: cce
Level: 1
Version: 2.2.0p18
When using a CCE in the trial phase or in the free license state, the UI was mostly unusable when the CMC was not running (with the pages showing the error "Cannot connect to 'unix:/omd/sites/monitoring_eval/tmp/run/live'....").
Since the CMC is prohibited from starting if too many services are being monitored in the free license state, this meant that in order to get out of the free state, the license could only be applied via REST-API.
This has now been fixed.
Werk 16164 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: veeam_cdp_jobs: Handle last sync time from the future
Class: fix
Compatible: compat
Component: checks
Date: 1703838299
Edition: cre
Level: 1
Version: 2.2.0p18
Previously, the veeam_cdp_jobs would crash when receiving last
sync time from the future with a message:
C+:
raise ValueError("Cannot render negative timespan")
C-:
Now, the affected service will be in state WARN and report the following message:
C+:
"The timestamp of the file is in the future. Please investigate your host times"
C-:
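The edge case this werk handles, as an added example that is not the veeam_cdp_jobs check plugin's own code: a last-sync timestamp is evaluated against the current time, and a timestamp in the future is reported as WARN with the werk's message instead of being rendered as a negative timespan. The output line follows the Checkmk local-check format; the service name `veeam_cdp_job_example` and the `render_timespan` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the veeam_cdp_jobs check itself. Output uses the Checkmk
# local-check line format "<state> <service> <metrics> <text>"; the service name
# "veeam_cdp_job_example" is a placeholder.

# Render a non-negative number of seconds as days/hours/minutes/seconds.
render_timespan() {
    secs=$1
    printf '%dd %02dh %02dm %02ds' \
        $((secs / 86400)) $((secs % 86400 / 3600)) $((secs % 3600 / 60)) $((secs % 60))
}

# Usage: last_sync_status <last_sync_epoch> [<now_epoch>]; now defaults to the current time.
last_sync_status() {
    last=$1
    now=${2:-$(date +%s)}
    if [ "$last" -gt "$now" ]; then
        # A host clock ahead of the monitoring server would give a negative age;
        # report WARN (state 1) with the werk's message instead of failing.
        echo "1 veeam_cdp_job_example - The timestamp of the file is in the future. Please investigate your host times"
        return 0
    fi
    echo "0 veeam_cdp_job_example - Last sync $(render_timespan $((now - last))) ago"
}
```

The guard has to run before any rendering of the age, which is exactly the order the crash message in the werk points at: the renderer was reached with a negative value because nothing checked the timestamp first.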
------------------------------------<diff>-------------------------------------------
Title: veeam_cdp_jobs: Handle last sync time from the future
Class: fix
Compatible: compat
Component: checks
Date: 1703838299
Edition: cre
Level: 1
Version: 2.2.0p18
Previously, the veeam_cdp_jobs would crash when receiving last
sync time from the future with a message:
C+:
raise ValueError("Cannot render negative timespan")
C-:
- Now, the time since the last job run will be 0 for such cases.
+ Now, the affected service will be in state WARN and report the following message:
+ C+:
+ "The timestamp of the file is in the future. Please investigate your host times"
+ C-:
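Review bot: the removed line (`- Now, the time since the last job run will be 0 for such cases.`) told the reader what value the service reported for the elapsed time; the replacement lines only give the WARN state and its message, so the new text no longer says whether an elapsed-time value is still emitted in this case. Consider adding one sentence to the `+` block stating what happens to that value.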
Title: Event Console: Fix events on central site if these events are dedicated for remote sites
Class: fix
Compatible: compat
Component: ec
Date: 1702905058
Edition: cre
Level: 1
Version: 2.2.0p18
Title: KUBE: Addition of support for Kubernetes version 1.28
Class: feature
Compatible: compat
Component: checks
Date: 1697615780
Edition: cre
Level: 1
Version: 2.3.0b1
With this release of Checkmk, we introduce support for version 1.28 of Kubernetes. In Checkmk 2.3,
support for Kubernetes version 1.23 is removed. The supported versions are listed below:
Checkmk 2.2: 1.22, 1.23, 1.24, 1.25, 1.26, 1.27
Checkmk 2.3: 1.24, 1.25, 1.26, 1.27, 1.28
The list of supported versions may not apply to future patch versions. For such cases, a
new werk will be released.
[//]: # (werk v2)
# opsgenie: Fix notification acknowledgement if host or service are back to OK
key | value
---------- | ---
date | 2024-01-05T14:04:50+00:00
version | 2.3.0b1
class | fix
edition | cre
component | notifications
level | 1
compatible | yes
Previously, the Opsgenie notification would not acknowledge notifications if the
host or service state had gone back to OK in the meantime.