Werk 16599 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
Version: 2.1.0p42
If no product was specified in the ruleset configuration, the check plugin showed no metrics at all.
This werk restores the original behaviour: when no product is configured, the product reported in the info section of the agent output is used as the default.
------------------------------------<diff>-------------------------------------------
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration.
This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output.
Werk 16455 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix metric scaling of 'rta' for Nagios plugin integration 'check_ping'
Class: fix
Compatible: compat
Component: multisite
Date: 1709824147
Edition: cre
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: Fix metric scaling of 'rta' for Nagios plugin integration 'check_ping'
Class: fix
Compatible: compat
Component: multisite
Date: 1709824147
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
Werk 16447 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix inventory sync of subsequent hosts if a previous one has invalid data
Class: fix
Compatible: compat
Component: liveproxy
Date: 1707132754
Edition: cee
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: Fix inventory sync of subsequent hosts if a previous one has invalid data
Class: fix
Compatible: compat
Component: liveproxy
Date: 1707132754
Edition: cee
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
Werk 16238 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Add m7i.large as aws resource type
Class: feature
Compatible: compat
Component: checks
Date: 1709038229
Edition: cre
Level: 1
Version: 2.1.0p42
You are affected if your aws_ec2_limits check reported "Unknown resource" while you are using the "m7i.large" instance type.
AWS resource names change from time to time, and we will need to find a more stable solution for that in the future.
For now, this is fixed by adding the resource name "m7i.large" to our internal list of AWS resources.
------------------------------------<diff>-------------------------------------------
Title: Add m7i.large as aws resource type
Class: feature
Compatible: compat
Component: checks
Date: 1709038229
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
You're affected if your aws_ec2_limits check reported "Unknown resource" and you're using "m7i.large".
The aws resource names are changing from time to time and we will need to find a more stable solution for that in the future.
But for now, this will be fixed by adding the resource name "m7i.large" to our internal list of aws resources.
Werk 16502 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: dcd: resolve log error in case of discovery timeouts
Class: fix
Compatible: compat
Component: dcd
Date: 1709716462
Edition: cee
Level: 1
Version: 2.1.0p42
------------------------------------<diff>-------------------------------------------
Title: dcd: resolve log error in case of discovery timeouts
Class: fix
Compatible: compat
Component: dcd
Date: 1709716462
Edition: cee
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
Werk 16239 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Extend devices found by apc_ats_status
Class: fix
Compatible: compat
Component: checks
Date: 1709123851
Edition: cre
Level: 1
Version: 2.1.0p42
This werk affects you if you monitor an APC Rack Automatic Transfer Switch with <tt>apc_ats_status</tt>.
Previously, some devices were not discovered because the scan function was too strict; this is now fixed.
Further, the check now also monitors the other power supplies such devices report, for example the 1V and 3.3V supplies.
------------------------------------<diff>-------------------------------------------
Title: Extend devices found by apc_ats_status
Class: fix
Compatible: compat
Component: checks
Date: 1709123851
Edition: cre
Level: 1
- Version: 2.1.0p41
? ^
+ Version: 2.1.0p42
? ^
This werk affects you, in case you try to monitor your APC Rack Automatic Transfer Switch with <tt>apc_ats_status</tt>.
Previously some devices were not discovered due to a too strict scan function.
Futher, we enable monitoring other power supplies available at such devices as for example 1V and 3.3V.
This was fixed now.
Werk 16234 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.1.0p41
In the mk_oracle plugin, <tt>sqlplus</tt> used to be called with the connection string as a command-line argument.
This connection string could contain the credentials needed to authenticate against the database.
Command-line arguments are visible to other local users (e.g. via <tt>ps</tt>), so those credentials could be extracted by them.
This vulnerability was reported to us; we are not aware of any exploitation.
<b>Affected Versions:</b>
2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is piped to <tt>sqlplus</tt> via stdin, so it no longer appears in the process's argument list.
------------------------------------<diff>-------------------------------------------
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^ -
+ Version: 2.1.0p41
? ^ +
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
+ 2.3.0 (beta)
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
Title: mk_informix: Do not allow privilege escalation
Class: security
Compatible: compat
Component: checks
Date: 1709909870
Edition: cre
Level: 1
Version: 2.1.0p41
The Informix database monitoring plugin previously ran <code>eval</code> on statements parsed from <code>$INFORMIXDIR/bin/onstat</code>. Since the plugin usually runs as root, statements injected there were executed as root as well.
By placing scripts in <code>$INFORMIXDIR/bin</code> with the same names as tools found in <code>$PATH</code>, those tools could be shadowed and the custom script executed as root.
Finally, <code>$INFORMIXDIR/bin/onstat</code> itself was executed as root, so a substituted script ran with elevated privileges.
With this werk, the values are exported as environment variables instead of being evaluated, and <code>$PATH</code> is now searched before <code>$INFORMIXDIR/bin</code>.
The plugin also checks whether <code>$INFORMIXDIR/bin/onstat</code> belongs to root when the plugin itself runs as root. If it does not, onstat is executed as the user owning the executable.
This issue was found during internal review.
<em>Affected Versions</em>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code> and assigned CVE <code>CVE-2024-28824</code>.
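An added example, not mk_informix's own code, for the two hardenings the werk describes for the <code>eval</code> and <code>$PATH</code> problems: <code>safe_assign</code> replaces <code>eval</code> with a validating parser that exports only allow-listed <code>NAME=VALUE</code> pairs and never lets the shell interpret the value, and <code>first_match</code> shows why appending <code>$INFORMIXDIR/bin</code> to <code>$PATH</code> instead of prepending it stops a dropped-in <code>awk</code> from shadowing the system one. <code>ALLOWED_VARS</code> and <code>SAMPLE_ONSTAT</code> are constructed assumptions; the real onstat output format is not shown on this page.

```shell
#!/bin/sh
# Added example, not mk_informix code. Replaces `eval` of externally produced
# text with a validating parser, and shows why $INFORMIXDIR/bin must come
# after $PATH. ALLOWED_VARS and SAMPLE_ONSTAT are constructed assumptions.

# Names the plugin is willing to accept from the external tool's output.
ALLOWED_VARS="INFORMIXSERVER ONCONFIG INFORMIXSQLHOSTS"

# is_allowed NAME: succeeds if NAME is on the allow-list.
is_allowed() {
    for v in $ALLOWED_VARS; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# safe_assign LINE: accept exactly one "NAME=VALUE" and export it without eval.
# Rejected: no '=', a name that is not an identifier or not allow-listed, and any
# value outside a conservative charset (so ; | & $ ` ( ) quotes, spaces and
# redirections never reach a shell parser).
safe_assign() {
    case $1 in *=*) ;; *) return 1 ;; esac
    name=${1%%=*}
    value=${1#*=}
    case $name in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; esac
    is_allowed "$name" || return 1
    case $value in ''|*[!A-Za-z0-9_./:@-]*) return 1 ;; esac
    export "$name=$value"
}

# import_env TEXT: run every non-empty line of TEXT through safe_assign and
# leave the number of rejected lines in IMPORT_REJECTED. A here-document keeps
# the loop in the current shell, so the exports survive (a pipe would not).
import_env() {
    IMPORT_REJECTED=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        safe_assign "$line" || IMPORT_REJECTED=$((IMPORT_REJECTED + 1))
    done <<EOF
$1
EOF
}

# first_match CMD SEARCHLIST: the file a shell would execute for CMD given a
# colon-separated search list; the first executable hit wins, exactly like $PATH.
first_match() {
    old_ifs=$IFS; IFS=:
    for d in $2; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            IFS=$old_ifs
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Constructed sample of what a tampered onstat could emit: two legitimate
# assignments, a value that chains a second command, a name that is not allowed,
# and an attempt to rewrite PATH. Under eval, the last three would all take effect.
SAMPLE_ONSTAT='INFORMIXSERVER=ol_srv1
ONCONFIG=onconfig.ol_srv1
INFORMIXSQLHOSTS=/opt/informix/etc/sqlhosts; touch /tmp/pwned
EVIL=$(id)
PATH=/tmp/evil:/usr/bin'
```

Calling <code>import_env "$SAMPLE_ONSTAT"</code> exports the first two lines and reports three rejections; nothing in the rejected lines is ever parsed as shell code. The value charset is deliberately narrow: widen it only for characters the real configuration needs, and keep <code>$PATH</code> itself off the allow-list.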
Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.2.0p24
In the mk_oracle plugin, <tt>sqlplus</tt> used to be called with the connection string as a command-line argument.
This connection string could contain the credentials needed to authenticate against the database.
Command-line arguments are visible to other local users (e.g. via <tt>ps</tt>), so those credentials could be extracted by them.
This vulnerability was reported to us; we are not aware of any exploitation.
<b>Affected Versions:</b>
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is piped to <tt>sqlplus</tt> via stdin, so it no longer appears in the process's argument list.
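The two invocation styles that werk 16234 (both entries above) contrasts, as an added example that is not part of mk_oracle or the Checkmk project: <code>fake_sqlplus</code> is a hypothetical stand-in for sqlplus, just <code>sh</code> reporting its own argument vector the way any local user can read it from <code>/proc/PID/cmdline</code> or <code>ps</code>. It is first run with the connect string in argv, then with the connect string on stdin, and <code>leaks</code> checks which style exposes the credential. The <code>scott/tiger@ORCL</code> connect string is constructed sample data.

```shell
#!/bin/sh
# Added example, not mk_oracle's own code. Reproduces the argv leak the werk
# describes and the stdin fix it applies. fake_sqlplus is a hypothetical
# stand-in for sqlplus (a shell that prints its own argument vector).

# Command run inside the stand-in: print this process' argv as others see it.
SHOW_ARGV='if [ -r /proc/$$/cmdline ]; then tr "\0" " " < /proc/$$/cmdline; else ps -ww -o args= -p $$; fi'

# Before (vulnerable): the connect string is an argument, like `sqlplus -L user/pass@db`.
argv_style() {
    sh -c "$SHOW_ARGV" fake_sqlplus -L -S "$1"
}

# After (fixed): argv carries only /nolog; the connect string travels over stdin,
# which only the child can read and which no process listing shows.
stdin_style() {
    printf 'connect %s\n' "$1" \
      | sh -c "read -r line; printf 'stdin:%s bytes ' \${#line}; $SHOW_ARGV" fake_sqlplus -L -S /nolog
}

# leaks STYLE SECRET: succeeds if SECRET is visible in the argv that STYLE produces.
leaks() {
    out=$("$1" "$2")
    case $out in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Demo: the first listing contains the credential, the second does not.
argv_style  'scott/tiger@ORCL'
stdin_style 'scott/tiger@ORCL'
```

On Linux the argument vector is world-readable through <code>/proc/PID/cmdline</code> unless procfs is mounted with <code>hidepid</code>, which is why a connect string in argv is exposed to every local account. Environment variables are the other tempting channel; <code>/proc/PID/environ</code> is readable only by the process owner and root, but a pipe on stdin is private to the child and is the simplest option when the client accepts it.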
Title: mk_oracle(ps1): Prevent privilege escalation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.1.0p41
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation from the oracle user to root.
A malicious oracle user could replace a binary (e.g. sqlplus) with a script of their own in the corresponding directory; that script would then be executed by root.
All binaries called by the plugins are now checked to see whether they must be executed as a non-root user (non-administrator under Windows), which prevents the escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
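An added example, not code from mk_oracle, mk_oracle_crs or mk_informix, for the execution policy that both the mk_informix werk above (run onstat as its owner when it is not root-owned) and this werk (sqlplus, tnsping and crsctl run as a non-root user) describe: <code>decide_runner</code> picks the user a binary should run as from the caller's uid and the file's owner, and <code>run_as_owner</code> applies it, dropping to the owner via <code>su</code> when needed. The <code>su -s /bin/sh USER -c</code> form is an assumption about a util-linux or shadow style <code>su</code>; the exact check Checkmk's plugins perform is not shown on this page.

```shell
#!/bin/sh
# Added example, not Checkmk plugin code. Execution policy for binaries that a
# root-run agent plugin calls out of a directory owned by the database user.

# owner_of FILE: user name owning FILE (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# decide_runner CALLER_UID CALLER_NAME OWNER: the user that should execute the file.
#   caller not root           -> the caller (there is nothing to drop)
#   caller root, owner root   -> root
#   caller root, other owner  -> that owner: the owner can replace the file at
#                                will, so root must never lend it root's privileges
decide_runner() {
    if [ "$1" -ne 0 ]; then
        printf '%s\n' "$2"
    elif [ "$3" = root ]; then
        printf 'root\n'
    else
        printf '%s\n' "$3"
    fi
}

# runner_for FILE: decide_runner applied to the current process and FILE's owner.
runner_for() {
    decide_runner "$(id -u)" "$(id -un)" "$(owner_of "$1")"
}

# run_as_owner FILE [ARGS...]: execute FILE as the user runner_for picks.
# Assumed su behaviour: -s picks the shell, -c the command, and the remaining
# arguments become $0 $1 ... of that shell (util-linux/shadow su). Swap in
# `runuser -u USER --` or `sudo -u USER` if that is what the host provides.
run_as_owner() {
    bin=$1; shift
    user=$(runner_for "$bin")
    if [ "$user" = "$(id -un)" ]; then
        "$bin" "$@"
    else
        su -s /bin/sh "$user" -c 'exec "$0" "$@"' "$bin" "$@"
    fi
}
```

A root-owned binary that is group- or world-writable is just as dangerous as one owned by the database user, so a production check should also refuse to run files with those permission bits set; the policy above covers only ownership, which is what the two werks describe.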