Checkmk werks level1 July 2024

checkmk-werks-lvl1@lists.checkmk.com

1 participants
398 discussions

[2.2.0] Checkmk Werk 17011 adapted: Fix local IP restriction of internal HTTP endpoints

by Checkmk werks level 1

Werk 17011 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Fix local IP restriction of internal HTTP endpoints Class: security Compatible: compat Component: wato Date: 1718804769 Edition: cre Level: 1 Version: 2.2.0p32 Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page. These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications. Therefore these pages are protected to be only accessible locally. In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the <code>X-Forwarded-For</code> header. That header is added and complemented by <code>mod_proxy</code> and usually trustworthy. When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header. To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost. This mitigation failed due to some outdated configuration and wrong configuration ordering. This only affects systems which expose the site apache port to the network typically 5000. If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected! This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well) Mitigations: You can add the following configuration to the site apache configuration, e.g. <code>etc/apache/conf.d/zzz_werk17011.conf</code>: C+: <Location "/###SITE###/check_mk/run_cron.py"> Order deny,allow Deny from all Require local Satisfy any </Location> # Webservice for graph images used by notifications <Location "/###SITE###/check_mk/ajax_graph_images.py"> Order deny,allow Deny from all Require local Satisfy any </Location> C-: Indicators of Compromise: You can check the apache access log <code>var/log/apache/access_log</code> for calls to <code>run_cron.py</code> or <code>ajax_graph_images.py</code> from network hosts. E.g. <code>grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log</code> Vulnerability Management: We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>. We assigned CVE-2024-6163 to this vulnerability. Changes: This Werk fixes the configuration syntax and ordering. ------------------------------------<diff>------------------------------------------- Title: Fix local IP restriction of internal HTTP endpoints Class: security Compatible: compat Component: wato Date: 1718804769 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page. These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications. Therefore these pages are protected to be only accessible locally. In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the <code>X-Forwarded-For</code> header. That header is added and complemented by <code>mod_proxy</code> and usually trustworthy. When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header. To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost. This mitigation failed due to some outdated configuration and wrong configuration ordering. This only affects systems which expose the site apache port to the network typically 5000. If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected! This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. Affected Versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well) Mitigations: You can add the following configuration to the site apache configuration, e.g. <code>etc/apache/conf.d/zzz_werk17011.conf</code>: C+: <Location "/###SITE###/check_mk/run_cron.py"> Order deny,allow Deny from all Require local Satisfy any </Location> # Webservice for graph images used by notifications <Location "/###SITE###/check_mk/ajax_graph_images.py"> Order deny,allow Deny from all Require local Satisfy any </Location> C-: Indicators of Compromise: You can check the apache access log <code>var/log/apache/access_log</code> for calls to <code>run_cron.py</code> or <code>ajax_graph_images.py</code> from network hosts. E.g. <code>grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log</code> Vulnerability Management: We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>. We assigned CVE-2024-6163 to this vulnerability. Changes: This Werk fixes the configuration syntax and ordering.

2 months

[2.2.0] Checkmk Werk 17078 adapted: MS Exchange: Use consistent units (ms/s) in rules & graphs

by Checkmk werks level 1

Werk 17078 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: MS Exchange: Use consistent units (ms/s) in rules & graphs Class: fix Compatible: compat Component: checks Date: 1720433457 Edition: cre Level: 1 Version: 2.2.0p32 The checks msexch_isclienttype, msexch_isstore, msexch_rpcclientaccess reported their values in ms in the summary/ruleset but displayed the same value as seconds in the graph. With this werk, all MS Exchange checks now report their values consistently. ------------------------------------<diff>------------------------------------------- Title: MS Exchange: Use consistent units (ms/s) in rules & graphs Class: fix Compatible: compat Component: checks Date: 1720433457 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ The checks msexch_isclienttype, msexch_isstore, msexch_rpcclientaccess reported their values in ms in the summary/ruleset but displayed the same value as seconds in the graph. With this werk, all MS Exchange checks now report their values consistently.

2 months

[2.2.0] Checkmk Werk 17091 adapted: missing error message for wrong backup key password

by Checkmk werks level 1

Werk 17091 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: missing error message for wrong backup key password Class: fix Compatible: compat Component: wato Date: 1719924608 Edition: cre Level: 1 Version: 2.2.0p32 When a wrong password was entered for downloading a backup encryption key or a signature key for signing agents, an empty error message box was displayed. Now, the error message is displayed correctly. ------------------------------------<diff>------------------------------------------- Title: missing error message for wrong backup key password Class: fix Compatible: compat Component: wato Date: 1719924608 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ When a wrong password was entered for downloading a backup encryption key or a signature key for signing agents, an empty error message box was displayed. Now, the error message is displayed correctly.

2 months

[2.2.0] Checkmk Werk 16533 adapted: Event Console fix regex match in rule text

by Checkmk werks level 1

Werk 16533 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Event Console fix regex match in rule text Class: fix Compatible: compat Component: ec Date: 1719847864 Edition: cee Level: 1 Version: 2.2.0p32 Event console method compile_matching_value had a typo which caused a valid regex to not match, because it was sent as a string SUP-19224 ------------------------------------<diff>------------------------------------------- Title: Event Console fix regex match in rule text Class: fix Compatible: compat Component: ec Date: 1719847864 Edition: cee Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Event console method compile_matching_value had a typo which caused a valid regex to not match, because it was sent as a string SUP-19224

2 months

[2.2.0] Checkmk Werk 16526 adapted: password: the response schema now matches what is returned

by Checkmk werks level 1

Werk 16526 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: password: the response schema now matches what is returned Class: fix Compatible: compat Component: rest-api Date: 1709803120 Edition: cre Level: 1 Version: 2.2.0p32 This werk addresses an issue with the REST-API password endpoint response. The response schema listed the title and the ident as fields that should be returned but we were not returning them as part of the password object. These have now been removed from the schema. Also, the members field was returning invalid information and hence has been removed. ------------------------------------<diff>------------------------------------------- Title: password: the response schema now matches what is returned Class: fix Compatible: compat Component: rest-api Date: 1709803120 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ This werk addresses an issue with the REST-API password endpoint response. The response schema listed the title and the ident as fields that should be returned but we were not returning them as part of the password object. These have now been removed from the schema. Also, the members field was returning invalid information and hence has been removed.

2 months

[2.2.0] Checkmk Werk 17079 adapted: mk_redis: Autodetect Checkmk instances

by Checkmk werks level 1

Werk 17079 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: mk_redis: Autodetect Checkmk instances Class: fix Compatible: compat Component: checks Date: 1718695661 Edition: cre Level: 1 Version: 2.2.0p32 Previously the redis agent plugin configured to autodetect would not detect the Checkmk redis instances. Now, on hosts running a Checkmk site, these instances can be autodetected as well and monitored as any other redis instance. ------------------------------------<diff>------------------------------------------- Title: mk_redis: Autodetect Checkmk instances Class: fix Compatible: compat Component: checks Date: 1718695661 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Previously the redis agent plugin configured to autodetect would not detect the Checkmk redis instances. Now, on hosts running a Checkmk site, these instances can be autodetected as well and monitored as any other redis instance.

2 months

[2.2.0] Checkmk Werk 16999 adapted: Service check commands exclamation mark is no more escaped

by Checkmk werks level 1

Werk 16999 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Service check commands exclamation mark is no more escaped Class: fix Compatible: compat Component: multisite Date: 1717399158 Edition: cre Level: 1 Version: 2.2.0p32 Previously instead of "!" the GUI displayed "!" when rendering a service check command. This is fixed to rendering unescaped service check commands to the GUI. ------------------------------------<diff>------------------------------------------- Title: Service check commands exclamation mark is no more escaped Class: fix Compatible: compat Component: multisite Date: 1717399158 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Previously instead of "!" the GUI displayed "!" when rendering a service check command. This is fixed to rendering unescaped service check commands to the GUI.

2 months

[2.2.0] Checkmk Werk 17063 adapted: Delete PDF tmp files older one day

by Checkmk werks level 1

Werk 17063 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Delete PDF tmp files older one day Class: fix Compatible: compat Component: wato Date: 1720422296 Edition: cre Level: 1 Version: 2.2.0p32 Werk #15125 introduced a cleanup mechanism for old PFD tmp files but deleted files older 48hours. Now files older than one day are deleted. ------------------------------------<diff>------------------------------------------- Title: Delete PDF tmp files older one day Class: fix Compatible: compat Component: wato Date: 1720422296 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Werk #15125 introduced a cleanup mechanism for old PFD tmp files but deleted files older 48hours. Now files older than one day are deleted.

2 months

[2.2.0] Checkmk Werk 16753 adapted: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster

by Checkmk werks level 1

Werk 16753 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster Class: fix Compatible: compat Component: multisite Date: 1719844378 Edition: cre Level: 1 Version: 2.2.0p32 ------------------------------------<diff>------------------------------------------- Title: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster Class: fix Compatible: compat Component: multisite Date: 1719844378 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^

2 months

[2.2.0] Checkmk Werk 16439 adapted: redis: Add Log Rotation

by Checkmk werks level 1

Werk 16439 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: redis: Add Log Rotation Class: fix Compatible: compat Component: omd Date: 1720420406 Edition: cre Level: 1 Version: 2.2.0p32 Previously, the file <code>var/log/redis-server.log</code> would not be rotated. If you are unable to upgrade, you can adjust the file in <code>$OMD_ROOT/etc/logrotate.d/redis</code>. ------------------------------------<diff>------------------------------------------- Title: redis: Add Log Rotation Class: fix Compatible: compat Component: omd Date: 1720420406 Edition: cre Level: 1 - Version: 2.2.0p31 ? ^ + Version: 2.2.0p32 ? ^ Previously, the file <code>var/log/redis-server.log</code> would not be rotated. If you are unable to upgrade, you can adjust the file in <code>$OMD_ROOT/etc/logrotate.d/redis</code>.

2 months

← Newer
1
...
15
16
17
18
19
20
21
...
40
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1 July 2024