[//]: # (werk v2)
# Split old audit log files larger than 300MB on update
key | value
---------- | ---
date | 2024-06-14T07:49:42+00:00
version | 2.3.0p7
class | fix
edition | cre
component | wato
level | 1
compatible | yes
Since 2.3.0 the wato audit log files are log-rotated once they reach a size of 300MB.
The update step is supposed to split existing files bigger than 300MB, but in earlier
versions it only looked for files greater than 400MB.
The threshold has now been aligned with the size at which the log rotation happens.
[//]: # (werk v2)
# huawei_osn_laser: Fix parsing issue
key | value
---------- | ---
date | 2024-06-17T15:20:33+00:00
version | 2.3.0p7
class | fix
edition | cre
component | checks
level | 1
compatible | yes
Fixed a parsing issue in the huawei_osn_laser check plugin.
The problem appeared whenever a service was supposed to have an OK state; it caused the check plugin to crash and thus not deliver any result.
The crash report ended with this line:
C+:
if "\n" in subresult[1]:
C-:
This has now been fixed.
[//]: # (werk v2)
# Fix XSS in confirmation pop-up
key | value
---------- | ---
date | 2024-06-10T10:40:28+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
*Indicators of Compromise*:
Look for injected HTML elements in the user input fields that are displayed, without proper escaping, in the confirmation pop-up.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.
[//]: # (werk v2)
# Fix XSS in Crash Report Page
key | value
---------- | ---
date | 2024-06-06T13:17:36+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, it was possible to inject HTML elements into the crash report
URL in the Global settings, leading to an XSS vulnerability in the Crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Indicators of Compromise*:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 4.8 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28832`.
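As an added illustration of the two XSS werks above (example code, not Checkmk's own), the following Python shows the vulnerable pattern of interpolating user input into pop-up markup beside its escaped form, and a check for the indicators of compromise both werks describe: HTML elements or event-handler attributes in a stored value, and a crash report URL whose scheme is not http(s). All function names and the sample URLs are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical helper names for the example; not part of Checkmk.
# An HTML start or end tag, e.g. <img src=x onerror=...> or </div>
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# An inline event handler such as onerror= or onload= (attribute injection
# that needs no angle brackets). May flag a query parameter literally named on=.
EVENT_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def render_confirmation_unsafe(message: str) -> str:
    """Vulnerable pattern: user input interpolated into markup verbatim.

    A message like "<img src=x onerror=alert(1)>" is rendered as an element.
    """
    return f"<div class='confirm'>{message}</div>"


def render_confirmation(message: str) -> str:
    """Hardened form: HTML-escape the value before it reaches the markup.

    html.escape with quote=True also neutralises ' and ", so the value
    cannot break out of an attribute either.
    """
    return f"<div class='confirm'>{html.escape(message, quote=True)}</div>"


def contains_markup(value: str) -> bool:
    """IoC check: does a stored value contain an HTML tag or event handler?"""
    return bool(TAG_RE.search(value) or EVENT_HANDLER_RE.search(value))


def audit_crash_report_url(url: str) -> list[str]:
    """Review a configured crash report URL as the werk's IoC suggests.

    Returns a list of findings; an empty list means nothing suspicious.
    """
    findings = []
    if contains_markup(url):
        findings.append("html markup in url")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {scheme!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real installation
    for candidate in (
        "https://crash.example.com/",
        "https://crash.example.com/<img src=x onerror=alert(1)>",
        "javascript:alert(document.cookie)",
    ):
        print(candidate, "->", audit_crash_report_url(candidate) or "clean")
```

Running the block prints one line per constructed setting; a practitioner would feed it the value actually stored for the crash report URL and the user-supplied strings that end up in confirmation pop-ups. The escaping is done at render time, in the function that builds the markup, because that is the only place where it is certain the value is about to become HTML.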
[//]: # (werk v2)
# Synthetic Monitoring: Let test services go stale if no merged XML data is available
key | value
---------- | ---
date | 2024-06-17T09:57:45+00:00
version | 2.3.0p7
class | fix
edition | cee
component | checks
level | 1
compatible | yes
If the rebot command fails on a test node or if all attempts time out, no merged XML data is
available on the Checkmk server. In this case, the corresponding plan service will report the
standard message "Item not found in monitoring data" and go UNKNOWN. Before this werk, the test
services behaved in the same way. As of this werk, they instead go stale, which is the intended
behavior.
[//]: # (werk v2)
# Nutanix agent: improve error handling during fetch
key | value
---------- | ---
date | 2024-06-18T10:47:59+00:00
version | 2.3.0p7
class | fix
edition | cre
component | checks
level | 1
compatible | yes
This werk improves the error handling when the agent is executed.
Prior to this change, the Check_MK service asked for a Crash Report
to be submitted whenever the agent failed to retrieve the data.
With this werk, a failed fetch no longer produces that message.
[//]: # (werk v2)
# Fix XSS in confirmation pop-up
key | value
---------- | ---
date | 2024-06-10T10:40:28+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, there was a potential for HTML elements from user inputs to be rendered in certain confirmation pop-ups, leading to an XSS vulnerability.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
*Indicators of Compromise*:
Look for injected HTML elements in the user input fields that are displayed, without proper escaping, in the confirmation pop-up.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28831`.
[//]: # (werk v2)
# huawei_osn_laser: Fix parsing issue
key | value
---------- | ---
date | 2024-06-17T15:20:33+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
Fixed a parsing issue in the huawei_osn_laser check plugin.
The problem appeared whenever a service was supposed to have an OK state; it caused the check plugin to crash and thus not deliver any result.
The crash report ended with this line:
C+:
if "\n" in subresult[1]:
C-:
This has now been fixed.
[//]: # (werk v2)
# Fix XSS in Crash Report Page
key | value
---------- | ---
date | 2024-06-06T13:17:36+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, it was possible to inject HTML elements into the crash report
URL in the Global settings, leading to an XSS vulnerability in the Crash reports page.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Indicators of Compromise*:
Check the crash report HTTP URL in the Global settings for suspicious HTML elements.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 4.8 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N`, and assigned `CVE-2024-28832`.
[//]: # (werk v2)
# Synthetic Monitoring: Let test services go stale if no merged XML data is available
key | value
---------- | ---
date | 2024-06-17T09:57:45+00:00
version | 2.4.0b1
class | fix
edition | cee
component | checks
level | 1
compatible | yes
If the rebot command fails on a test node or if all attempts time out, no merged XML data is
available on the Checkmk server. In this case, the corresponding plan service will report the
standard message "Item not found in monitoring data" and go UNKNOWN. Before this werk, the test
services behaved in the same way. As of this werk, they instead go stale, which is the intended
behavior.