[//]: # (werk v2)
# Fix local IP restriction of internal HTTP endpoints
key | value
---------- | ---
date | 2024-06-19T13:46:09+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications.
Therefore these pages are protected to be only accessible locally.
In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the `X-Forwarded-For` header.
That header is added and complemented by `mod_proxy` and usually trustworthy.
When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header.
To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost.
This mitigation failed due to some outdated configuration and wrong configuration ordering.
This only affects systems which expose the site apache port to the network typically 5000.
If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected!
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
**Mitigations**:
You can add the following configuration to the site apache configuration, e.g. `etc/apache/conf.d/zzz_werk17011.conf`:
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
**Indicators of Compromise**:
You can check the apache access log `var/log/apache/access_log` for calls to `run_cron.py` or `ajax_graph_images.py` from network hosts.
E.g. `grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log`
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`.
We assigned CVE-2024-6163 to this vulnerability.
**Changes**:
This Werk fixes the configuration syntax and ordering.
[//]: # (werk v2)
# Show correct host alias in context of test notifications
key | value
---------- | ---
date | 2024-07-04T12:55:43+00:00
version | 2.4.0b1
class | fix
edition | cre
component | notifications
level | 1
compatible | yes
The hostname was shown instead of the alias in the context of a test
notification, even if an alias was defined for the host.
Title: omd: Improve Runtime with Many Sites
Class: fix
Compatible: compat
Component: omd
Date: 1720082692
Edition: cre
Level: 2
Version: 2.2.0p31
With this Werk, the all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
should largely affect hosts, which have a high number of sites.
Werk 16533 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Event Console fix regex match in rule text
Class: fix
Compatible: compat
Component: ec
Date: 1719847864
Edition: cee
Level: 1
Version: 2.2.0p31
Event console method compile_matching_value had a typo
which caused a valid regex to not match, because it was sent as a string
SUP-19224
------------------------------------<diff>-------------------------------------------
Title: Event Console fix regex match in rule text
Class: fix
Compatible: compat
Component: ec
Date: 1719847864
Edition: cee
Level: 1
- Version: 2.2.0p30
? ^
+ Version: 2.2.0p31
? ^
Event console method compile_matching_value had a typo
which caused a valid regex to not match, because it was sent as a string
SUP-19224
Werk 16999 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Service check commands exclamation mark is no more escaped
Class: fix
Compatible: compat
Component: multisite
Date: 1717399158
Edition: cre
Level: 1
Version: 2.2.0p31
Previously instead of "!" the GUI displayed "!" when rendering a service check command.
This is fixed to rendering unescaped service check commands to the GUI.
------------------------------------<diff>-------------------------------------------
Title: Service check commands exclamation mark is no more escaped
Class: fix
Compatible: compat
Component: multisite
Date: 1717399158
Edition: cre
Level: 1
- Version: 2.2.0p30
? ^
+ Version: 2.2.0p31
? ^
Previously instead of "!" the GUI displayed "!" when rendering a service check command.
This is fixed to rendering unescaped service check commands to the GUI.
Werk 16753 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster
Class: fix
Compatible: compat
Component: multisite
Date: 1719844378
Edition: cre
Level: 1
Version: 2.2.0p31
------------------------------------<diff>-------------------------------------------
Title: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster
Class: fix
Compatible: compat
Component: multisite
Date: 1719844378
Edition: cre
Level: 1
- Version: 2.2.0p30
? ^
+ Version: 2.2.0p31
? ^
Werk 16863 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer
Class: fix
Compatible: compat
Component: checks
Date: 1719585241
Edition: cre
Level: 1
Version: 2.2.0p31
The backup log format changed in Proxmox version 3.2.4 which resulted in a crash
in the Proxmox special agent.
The special agent can now handle both old and the new format of backup log messages.
------------------------------------<diff>-------------------------------------------
Title: proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer
Class: fix
Compatible: compat
Component: checks
Date: 1719585241
Edition: cre
Level: 1
- Version: 2.2.0p30
? ^
+ Version: 2.2.0p31
? ^
The backup log format changed in Proxmox version 3.2.4 which resulted in a crash
in the Proxmox special agent.
The special agent can now handle both old and the new format of backup log messages.
Title: Fix missing CSRF token issues
Class: fix
Compatible: compat
Component: wato
Date: 1719997630
Edition: cre
Level: 1
Version: 2.2.0p30
Werk #17090 in Checkmk 2.3.0p8 and 2.2.0p29 introduced additional CSRF token checks in the GUI.
This caused some buttons to not work anymore because the CSRF token was missing, including, but likely not limited to:
LI: "Synchronize users" in Setup > Users to manually trigger the LDAP sync (the background sync still runs)
LI: "Show analysis" and "Show bulks" in Setup > Events > Notifications
LI: Reordering notification rules via drag-and-drop in the same view
LI: "Bake agents" in the agent bakery (as a workaround, use "Bake and sign agents")
LI: "Acknowledge last baking result" when a bake job failed (as a workaround, delete the failed job instead)
This Werk fixes the issues by adding the token.
Werk 16436 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# kube_pod_conditions: Support PodReadyToStartContainers Condition
key | value
---------- | ---
date | 2024-07-01T14:21:43+00:00
version | 2.3.0p10
class | feature
edition | cre
component | checks
level | 1
compatible | yes
As of Kubernetes version 1.28, the PodCondition `PodHasNetwork` was renamed to
`PodReadyToStartContainers`. With this Werk, both naming conventions are supported.
This Werk also tweaks the summary of the check to be more consistent across different
Kubernetes environments.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# kube_pod_conditions: Support PodReadyToStartContainers Condition
key | value
---------- | ---
date | 2024-07-01T14:21:43+00:00
- version | 2.3.0p9
? ^
+ version | 2.3.0p10
? ^^
class | feature
edition | cre
component | checks
level | 1
compatible | yes
As of Kubernetes version 1.28, the PodCondition `PodHasNetwork` was renamed to
`PodReadyToStartContainers`. With this Werk, both naming conventions are supported.
This Werk also tweaks the summary of the check to be more consistent across different
Kubernetes environments.
[//]: # (werk v2)
# kube_pod_conditions: Support PodReadyToStartContainers Condition
key | value
---------- | ---
date | 2024-07-01T14:21:43+00:00
version | 2.3.0p9
class | feature
edition | cre
component | checks
level | 1
compatible | yes
As of Kubernetes version 1.28, the PodCondition `PodHasNetwork` was renamed to
`PodReadyToStartContainers`. With this Werk, both naming conventions are supported.
This Werk also tweaks the summary of the check to be more consistent across different
Kubernetes environments.