[//]: # (werk v2)
# Servicenow: Support for update of incidents and cases
key | value
---------- | ---
date | 2024-07-08T10:49:12+00:00
version | 2.4.0b1
class | feature
edition | cee
component | notifications
level | 1
compatible | yes
The notification plugin for Servicenow is now able to update incidents and
cases, so if e.g. a state change from OK to WARN created a ticket, a later
state change from WARN to CRIT will update the incident or case.
Werk 15244 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: New agent configuration: Push mode
Class: feature
Compatible: compat
Component: agents
Date: 1678199258
Edition: cce
Knowledge: undoc
Level: 2
Version: 2.3.0b1
Users of the Checkmk Cloud Edition now have a new mode of operation for the agent controller at their disposal:
The "<i>Push mode</i>".
In the push mode, the Checkmk agent sends the monitoring data to the Checkmk server once per minute.
The agent initiates the data transmission on its own and does not wait for a request from the server.
The push mode is always required if the Checkmk server cannot access the network in which the host to be monitored and its agent are located, for example, in a cloud-based configuration.
More on the setup can be found in our <a href="https://docs.checkmk.com/2.2.0/en/agent_linux.html">user manual</a>.
------------------------------------<diff>-------------------------------------------
Title: New agent configuration: Push mode
Class: feature
Compatible: compat
Component: agents
Date: 1678199258
- Edition: cre
? ^
+ Edition: cce
? ^
Knowledge: undoc
Level: 2
Version: 2.3.0b1
Users of the Checkmk Cloud Edition now have a new mode of operation for the agent controller at their disposal:
The "<i>Push mode</i>".
In the push mode, the Checkmk agent sends the monitoring data to the Checkmk server once per minute.
The agent pushes the data transmission on its own and does not wait for a request from the server.
The push mode is always required if the Checkmk server cannot access the network in which the host to be monitored and its agent are located, for example, in a cloud-based configuration.
More on the setup can be found in our <a href="https://docs.checkmk.com/2.2.0/en/agent_linux.html">user manual</a>.
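Review bot: The user-manual link in the last body line is pinned to `/2.2.0/` although `Version:` is 2.3.0b1; since the werk is being re-issued for the `Edition: cre` to `cce` correction anyway, update the link to the documentation of the version the werk is filed under in the same pass.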
[//]: # (werk v2)
# infoblox_service: Add support for NIOS 9.X
key | value
---------- | ---
date | 2024-06-18T08:00:25+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | no
With newer Infoblox NIOS devices, the `IB-PLATFORMONE-MIB::IBServiceName` values
have changed. We use these names as service items. Please run a re-discovery on
the affected hosts.
Werk 16562 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Fix automatic host registration and removal in case one remote site is not logged in
key | value
---------- | ---
date | 2024-07-08T06:09:01+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
The automatic host registration and removal jobs are executed regularly in the
background to add or remove hosts. These jobs are fundamental to the
automatic host registration.
The jobs failed completely if one remote site was configured but not logged
in, affecting not only the site that was not logged in but all sites. A site
that is not logged in is now skipped, leaving the mechanism intact for all other sites.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
- # Fix automatic host removal in case one remote site is not logged in
+ # Fix automatic host registration and removal in case one remote site is not logged in
? +++++++++++++++++
key | value
---------- | ---
date | 2024-07-08T06:09:01+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
- The automatic host removal job is executed regularly in the background to remove
- hosts from the monitoring once they cease to exist. In particular for but not
- limited to automatically registered hosts.
+ The automatic host registration and removal jobs are executed regularly in the
+ background to add or remove hosts. These are fundamental mechanisms to the
+ automatic host registration.
- This job failed in case one remote site was configured but not logged in, not
? ^^ --------
+ The jobs failed completely in case one remote site was configured but not logged
? ^ + +++++++++++
- only affecting the not logged in site, but all sites. The not logged in site is
? --------
+ in, not only affecting the not logged in site, but all sites. The not logged in
? ++++++++
- now being skipped, leaving the mechanism intact for all other sites.
+ site is now being skipped, leaving the mechanism intact for all other sites.
? ++++++++
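Review bot: In the rewritten first paragraph, "These are fundamental mechanisms to the automatic host registration" is circular for the registration job, and the rewrite drops the old explanation that removal takes hosts out of the monitoring "once they cease to exist". Keep that clause so the text still says what each job does, for example "to add hosts or to remove them once they cease to exist".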
Werk 17074 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: msexch_database: Use consistent units (ms/s) in rules & graphs
Class: fix
Compatible: compat
Component: checks
Date: 1718695214
Edition: cee
Level: 1
Version: 2.1.0p45
The msexch_database check reported its values in ms in the summary/ruleset but
displayed the same value as seconds in the graph. With this werk, all
units will be reported consistently.
------------------------------------<diff>-------------------------------------------
- Title: MS Exchange: Use consistent units (ms/s) in rules & graphs
? ^^^^ ^^
+ Title: msexch_database: Use consistent units (ms/s) in rules & graphs
? ^^^ ++ ^^^^^
Class: fix
Compatible: compat
Component: checks
Date: 1718695214
Edition: cee
Level: 1
Version: 2.1.0p45
- Various msexch_* checks reported its values in ms in the summary/ruleset
? ^^^^^^^ ^^^^ ---
+ The msexch_database reported its values in ms in the summary/ruleset but
? ^^^ ^^^^^^^ ++++
- but displayed the same value as seconds in the graph. With this werk,
? ----
+ displayed the same value as seconds in the graph. With this werk, all
? ++++
- all units will be reported consistently.
? ----
+ units will be reported consistently.
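Review bot: The new body line "The msexch_database reported its values" is missing the noun "check", and after narrowing the subject from "Various msexch_* checks" to a single check the closing "all units will be reported consistently" no longer says what "all" covers. Suggest "The msexch_database check reported its values ..." and "its units are now reported consistently".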
Title: MS Exchange: Use consistent units (ms/s) in rules & graphs
Class: fix
Compatible: compat
Component: checks
Date: 1720433457
Edition: cre
Level: 1
Version: 2.1.0p46
The checks msexch_isclienttype, msexch_isstore, msexch_rpcclientaccess reported
their values in ms in the summary/ruleset but displayed the same value as
seconds in the graph. With this werk, all MS Exchange checks now report their
values consistently.
Werk 17063 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Delete PDF tmp files older one day
Class: fix
Compatible: compat
Component: wato
Date: 1720422296
Edition: cre
Level: 1
Version: 2.1.0p46
Werk #15125 introduced a cleanup mechanism for old PDF tmp files but deleted
only files older than 48 hours.
Now files older than one day are deleted.
------------------------------------<diff>-------------------------------------------
Title: Delete PDF tmp files older one day
Class: fix
Compatible: compat
Component: wato
Date: 1720422296
Edition: cre
Level: 1
- Version: 2.1.0p45
? ^
+ Version: 2.1.0p46
? ^
Werk #15125 introduced a cleanup mechanism for old PFD tmp files but deleted
files older 48hours.
Now files older than one day are deleted.
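Review bot: The unchanged body lines below the `Version:` hunk still read "old PFD tmp files" and "files older 48hours", and the title reads "older one day"; "PFD" should be "PDF" and "than" is missing in both places. Since the werk is being re-issued for 2.1.0p46, correct the wording in the same adaptation.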
Werk 17011 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix local IP restriction of internal HTTP endpoints
Class: security
Compatible: compat
Component: wato
Date: 1718804769
Edition: cre
Level: 1
Version: 2.1.0p46
Checkmk has some complex functionality that is hidden behind internal HTTP endpoint pages.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or the creation of diagrams for notifications.
These pages are therefore restricted so that they are only accessible locally.
To determine the client IP when a reverse proxy is in use, Checkmk uses the <code>X-Forwarded-For</code> header.
That header is added and complemented by <code>mod_proxy</code> and is usually trustworthy.
However, when the site apache is exposed directly to the network (e.g. in the default docker setup), there is no proxy apache to curate this header.
To mitigate this, the site apache is supposed to filter these internal page URIs so that they are only accessible from localhost.
This mitigation failed due to some outdated configuration and wrong configuration ordering.
This only affects systems which expose the site apache port (typically 5000) to the network.
If you run Checkmk behind a reverse proxy (the default if you installed an installation package), you are not affected!
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
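The trust decision described above, as an added Python example (not Checkmk's code): the <code>X-Forwarded-For</code> value is only used when the TCP peer is a known proxy, otherwise the peer address decides. The names `TRUSTED_PROXIES`, `effective_client_ip` and `is_local_request` are hypothetical, and the assumption is that the only legitimate proxy runs on the same host.

```python
import ipaddress

# Assumption: only a reverse proxy on the same host may set X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def _is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_addr, xff_header):
    """Return the address to base access decisions on, or None if unusable.

    peer_addr  -- address of the TCP peer as seen by the web server
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A header that did not pass through a trusted proxy is client-controlled
    # input, so it is ignored and the socket peer decides.
    if not xff_header or not _is_trusted_proxy(peer):
        return peer
    # Each proxy appends the peer it saw, so read right to left and stop at
    # the first hop that is not one of our own proxies.
    client = None
    for hop in reversed(xff_header.split(",")):
        try:
            client = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed entry: fail closed
        if not _is_trusted_proxy(client):
            break
    return client


def is_local_request(peer_addr, xff_header=None):
    client = effective_client_ip(peer_addr, xff_header)
    return client is not None and client.is_loopback
```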
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (probably older versions as well)
<strong>Mitigations</strong>:
You can add the following configuration to the site apache configuration, e.g. <code>etc/apache/conf.d/zzz_werk17011.conf</code>:
C+:
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
C-:
<strong>Indicators of Compromise</strong>:
You can check the apache access log <code>var/log/apache/access_log</code> for calls to <code>run_cron.py</code> or <code>ajax_graph_images.py</code> from network hosts.
E.g. <code>grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log</code>
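A stricter version of the check above, as an added Python example (not part of the werk): it parses each access log line, matches only the requested page name rather than any occurrence in the line, skips loopback clients as well as `-`, and groups the hits per client with the response status. The log layout (client address as first field, `-` when there is none) is an assumption taken from the grep pattern, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

INTERNAL_PAGES = ("run_cron.py", "ajax_graph_images.py")

# Assumption: first field is the client address, "-" when there is none,
# followed by the usual [timestamp] "request line" status fields.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = [
    '- - - [08/Jul/2024:10:00:01 +0000] "GET /mysite/check_mk/run_cron.py HTTP/1.1" 200 12',
    '127.0.0.1 - - [08/Jul/2024:10:00:02 +0000] "GET /mysite/check_mk/ajax_graph_images.py?host=a HTTP/1.1" 200 5321',
    '198.51.100.23 - - [08/Jul/2024:10:03:10 +0000] "GET /mysite/check_mk/run_cron.py HTTP/1.1" 200 12',
    '198.51.100.23 - - [08/Jul/2024:10:03:12 +0000] "GET /mysite/check_mk/ajax_graph_images.py?host=a HTTP/1.1" 403 199',
    '203.0.113.40 - cmkadmin [08/Jul/2024:10:05:00 +0000] "GET /mysite/check_mk/view.py?title=run_cron HTTP/1.1" 200 900',
]

def _is_network_client(client):
    if client == "-":
        return False
    try:
        return not ipaddress.ip_address(client).is_loopback
    except ValueError:
        return True  # hostname or unparsable value: keep it for review

def find_external_hits(lines):
    """Map client -> [(timestamp, page, status)] for internal pages only."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Compare the last path segment, ignoring the query string, so that
        # "run_cron" inside a parameter does not count as a hit.
        page = m["target"].split("?", 1)[0].rsplit("/", 1)[-1]
        if page in INTERNAL_PAGES and _is_network_client(m["client"]):
            hits[m["client"]].append((m["ts"], page, int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for client, calls in find_external_hits(SAMPLE_LOG).items():
        print(client, calls)
```

A 200 status in the result means the page was served to that client, while a 403 means the request was refused.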
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>.
We assigned CVE-2024-6163 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the configuration syntax and ordering.
------------------------------------<diff>-------------------------------------------
Title: Fix local IP restriction of internal HTTP endpoints
Class: security
Compatible: compat
Component: wato
Date: 1718804769
Edition: cre
Level: 1
- Version: 2.1.0p45
? ^
+ Version: 2.1.0p46
? ^
Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications.
Therefore these pages are protected to be only accessible locally.
In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the <code>X-Forwarded-For</code> header.
That header is added and complemented by <code>mod_proxy</code> and usually trustworthy.
When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header.
To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost.
This mitigation failed due to some outdated configuration and wrong configuration ordering.
This only affects systems which expose the site apache port to the network typically 5000.
If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected!
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (probably older versions as well)
<strong>Mitigations</strong>:
You can add the following configuration to the site apache configuration, e.g. <code>etc/apache/conf.d/zzz_werk17011.conf</code>:
C+:
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
C-:
<strong>Indicators of Compromise</strong>:
You can check the apache access log <code>var/log/apache/access_log</code> for calls to <code>run_cron.py</code> or <code>ajax_graph_images.py</code> from network hosts.
E.g. <code>grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log</code>
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>.
We assigned CVE-2024-6163 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the configuration syntax and ordering.
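Review bot: Moving `Version:` from 2.1.0p45 to 2.1.0p46 changes which 2.1.0 releases are still exposed, but the "Affected Versions" list only names branches (`LI: 2.1.0`), so a reader on 2.1.0p45 cannot tell from it that the fix is not in that release; state the fixed patch level next to the branch. In the same pass, "a installation package" in the body should read "an installation package".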
Title: Delete PDF tmp files older one day
Class: fix
Compatible: compat
Component: wato
Date: 1720422296
Edition: cre
Level: 1
Version: 2.1.0p45
Werk #15125 introduced a cleanup mechanism for old PDF tmp files but deleted
only files older than 48 hours.
Now files older than one day are deleted.
Werk 17074 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: msexch_database: Use consistent units (ms/s) in rules & graphs
Class: fix
Compatible: compat
Component: checks
Date: 1718695214
Edition: cee
Level: 1
Version: 2.2.0p28
The msexch_database check reported its values in ms in the summary/ruleset but
displayed the same value as seconds in the graph. With this werk, all
units will be reported consistently.
------------------------------------<diff>-------------------------------------------
- Title: MS Exchange: Use consistent units (ms/s) in rules & graphs
? ^^^^ ^^
+ Title: msexch_database: Use consistent units (ms/s) in rules & graphs
? ^^^ ++ ^^^^^
Class: fix
Compatible: compat
Component: checks
Date: 1718695214
Edition: cee
Level: 1
Version: 2.2.0p28
- Various msexch_* checks reported its values in ms in the summary/ruleset
? ^^^^^^^ ^^^^ ---
+ The msexch_database reported its values in ms in the summary/ruleset but
? ^^^ ^^^^^^^ ++++
- but displayed the same value as seconds in the graph. With this werk,
? ----
+ displayed the same value as seconds in the graph. With this werk, all
? ++++
- all units will be reported consistently.
? ----
+ units will be reported consistently.