[//]: # (werk v2)
# kube_pod_conditions: Support PodReadyToStartContainers Condition
key | value
---------- | ---
date | 2024-07-01T14:21:43+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
As of Kubernetes version 1.28, the PodCondition `PodHasNetwork` was renamed to
`PodReadyToStartContainers`. With this Werk, both naming conventions are supported.
This Werk also tweaks the summary of the check to be more consistent across different
Kubernetes environments.
[//]: # (werk v2)
# Transfer Arista temperature sensors to our common entity sensor monitoring
key | value
---------- | ---
date | 2024-06-28T13:27:10+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | no
The existing entity sensor check plug-in discovers temperature, fan and binary
power sensors. The Arista check plug-in only covered temperature sensors and
used the common ENTITY-MIB.
Please run a re-discovery on the affected Arista devices. If there are rules
configured for the Arista temperature sensor services then these might have to
be adapted because the Arista check plug-in used the entPhysicalDescr entries
for the service items and the entity sensor check plug-in uses the
entPhysicalName entries.
[//]: # (werk v2)
# notification_rules: typo in field sort_order_for_bulk_notifications
key | value
---------- | ---
date | 2024-07-03T05:22:21+00:00
version | 2.4.0b1
class | fix
edition | cre
component | rest-api
level | 1
compatible | no
The REST-API endpoints previously had a typo in the field
'sort_order_for_bulk_notifications'. The second t was missing.
This werk now corrects this.
[//]: # (werk v2)
# Fix service discovery for hosts with more than 237 characters
key | value
---------- | ---
date | 2024-06-26T07:53:25+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
Werk #16219 limited the length of hostnames to a maximum length of 253 characters.
Still, hostnames with a length greater than 237 could lead to an error in the
service discovery like "[Errno 36] File name too long: ...".
This has been fixed and all service discovery background job directories will
be converted on update.
[//]: # (werk v2)
# Event Console fix regex match in rule text
key | value
---------- | ---
date | 2024-07-01T15:31:04+00:00
version | 2.4.0b1
class | fix
edition | cee
component | ec
level | 1
compatible | yes
The Event Console method compile_matching_value had a typo
which caused a valid regex not to match, because it was sent as a string.
SUP-19224
Title: fix a privilege escalation vulnerability in the Checkmk Windows Agent
Class: security
Compatible: compat
Component: checks
Date: 1719843798
Edition: cre
Level: 2
Version: 2.1.0p45
This Werk fixes a privilege escalation vulnerability in the Checkmk Windows
Agent.
Prior to this Werk, it was possible for authenticated users on the monitored
Windows host to execute commands as the administrator account that is used to run
the Agent, allowing them to elevate their privileges.
The reason for this issue was excessive write permissions on the
<code>ProgramData\checkmk\agent</code> directory.
Note that you must update Checkmk as well as the agent in order to apply this
fix.
This issue was found in a commissioned penetration test conducted by modzero
GmbH.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
<em>Mitigations</em>:
If updating is not possible, you can manually remove write access for non-admin
users on the <code>ProgramData\checkmk\agent</code> folder.
To do this, navigate to the folder's property settings and make sure to verify
the special permissions and advanced permission settings in addition to the
basic permission settings.
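A script that performs the check described in the mitigation, covering explicit and inherited entries as the advanced permission dialog would show them, added here as an example and not part of the Werk or of the Checkmk agent; the list of trusted principals is an assumption to be aligned with your own hardening baseline:

```powershell
# Added example (not from the Werk): audit, and optionally remove, write access
# for non-administrative principals on the agent data directory.
param(
    [string]$Path = (Join-Path $env:ProgramData 'checkmk\agent'),
    [switch]$Remediate
)

# Principals that legitimately need write access (assumption: adjust to your baseline).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Any of these rights allows altering files the agent later executes as its service account.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [System.Security.AccessControl.FileSystemRights](
    $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
    $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-UntrustedWriteAce {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    # Walk every ACE, explicit and inherited alike.
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # FileSystemRights is a flags enum; unmapped generic rights appear as raw integers.
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { $ace }
    }
}

$acl = Get-Acl -LiteralPath $Path
$findings = @(Get-UntrustedWriteAce -Acl $acl)
if ($findings.Count -eq 0) {
    Write-Output "OK: no write access for non-admin principals on $Path"
    return
}
foreach ($ace in $findings) {
    $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    Write-Output ("FINDING: {0} has {1} ({2}) on {3}" -f $ace.IdentityReference.Value, $ace.FileSystemRights, $src, $Path)
}

if ($Remediate) {
    # Inherited entries cannot be edited in place: break inheritance while keeping copies
    # of the current entries, persist that, then strip only the write-class rights.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @(Get-UntrustedWriteAce -Acl $acl)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ace.IdentityReference, $writeMask, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $null = $acl.RemoveAccessRule($rule)   # subtracts the write bits; read/execute stays
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Remediated; re-run without -Remediate to verify."
}
```

Run it without `-Remediate` first and review the findings; the remediation path needs an elevated session.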
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 High (<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>)
and assigned <code>CVE-2024-28827</code>.
Title: Fix Various CSRF Issues
Class: security
Compatible: compat
Component: wato
Date: 1718958734
Edition: cre
Level: 1
Version: 2.1.0p45
This Werk adds previously missing CSRF-Token validation to various endpoints in WATO.
The lack of CSRF-Token validation could allow an attacker to perform actions on behalf of a user without their consent, by tricking the user into clicking on a malicious link.
This vulnerability was identified during a commissioned penetration test conducted by PS Positive Security GmbH.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 8.8 High with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</code>
and assigned CVE <code>CVE-2024-28828</code>.
Title: XSS in SQL check parameters
Class: security
Compatible: compat
Component: wato
Date: 1718618899
Edition: cre
Level: 1
Version: 2.1.0p45
Prior to this Werk an attacker could add HTML to one parameter of the <em>Check SQL database</em> rule which was executed on the overview page.
We found this vulnerability internally.
<strong>Affected Versions</strong>:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
<strong>Indicators of Compromise</strong>:
The creation of such rules is logged in the audit log. You can therefore check the <code>wato_audit.log</code> either on the terminal or in the UI for entries that contain malicious HTML.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L</code>.
We assigned CVE-2024-6052 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the escaping.
Title: proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer
Class: fix
Compatible: compat
Component: checks
Date: 1719585241
Edition: cre
Level: 1
Version: 2.2.0p29
The backup log format changed in Proxmox version 3.2.4 which resulted in a crash
in the Proxmox special agent.
The special agent can now handle both the old and the new format of backup log messages.
Title: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster
Class: fix
Compatible: compat
Component: multisite
Date: 1719844378
Edition: cre
Level: 1
Version: 2.2.0p30