Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
Version: 2.1.0p47
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
A view page cloned from an untrusted user who has injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
Title: mk_informix: Follow up for Werk 16198
Class: security
Compatible: compat
Component: checks
Date: 1721978318
Edition: cre
Level: 1
Version: 2.1.0p47
<a href="https://checkmk.com/werk/16198">Werk #16198</a> addressed a potential privilege escalation by the agent plugin <code>mk_informix</code>.
However, a few call sites of the binaries <code>dbaccess</code> and <code>onstat</code> were still missing the safe execution.
Those binaries are now also called in a safe way.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.
Title: cpu_utilization: allow total CPU utilization to be set above 101%
Class: fix
Compatible: compat
Component: checks
Date: 1724827504
Edition: cre
Level: 1
Version: 2.2.0p33
Before this werk, the "High utilization at" level option within the
"Levels over an extended time period on total CPU utilization" target
was limited to a maximum of 101%. However, in environments like containers,
the total CPU utilization can exceed this threshold. This werk therefore removes
the upper limit for the total value.
Title: Skip unnecessary site activations when editing users
Class: fix
Compatible: compat
Component: wato
Date: 1723702736
Edition: cre
Level: 1
Version: 2.2.0p33
Previously, any changes to users required site activations on all
existing sites. This created a lot of unnecessary activations where
users only exist on certain sites.
With this werk, only the sites associated with the changed users require
an activation.
Title: Fix Cisco Meraki missing services
Class: fix
Compatible: compat
Component: checks
Date: 1724751487
Edition: cre
Level: 1
Version: 2.2.0p33
In some rare cases, when using the Cisco Meraki Special Agent, certain services such as temperature
sensors or device status may be missing. This happened when no device name was configured for a
particular device.
These devices are now added to the main host on which the Cisco Meraki integration is configured.
If you want to monitor the device as a separate piggyback host, you must configure a name for that
device.
The missing services must be discovered by running a service discovery on the main host.
Title: Handle years in ntp output
Class: fix
Compatible: compat
Component: checks
Date: 1724757177
Edition: cre
Level: 1
Version: 2.2.0p33
This werk affects you if your last <code>ntpq</code> synchronization was more than a year ago.
The resulting check crash produces a traceback like:
C+:
File "/omd/sites/SITE/lib/python3/cmk/base/plugins/agent_based/ntp.py", line 67, in _ntp_fmt_time
return int(raw)
ValueError: invalid literal for int() with base 10: '3y'
C-:
The year case is now handled in the parse function.
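As an added illustration (not Checkmk's own <code>ntp.py</code> code) of the parsing the werk describes, the function below converts the suffixed values <code>ntpq</code> prints in its "when" column, including the <code>3y</code> form that caused the crash above. The conversion factors, the 365-day year and the constructed sample peer line are assumptions of this example.

```python
import re
from typing import Optional

# Seconds per unit suffix as printed by ntpq ("64", "5m", "2h", "3d", "3y").
# The 365-day year is an assumption of this example, not a value from Checkmk.
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
_TIME_RE = re.compile(r"^(\d+)([smhdy]?)$")


def ntp_fmt_time(raw: str) -> Optional[int]:
    """Convert an ntpq time field to seconds.

    '-' (never synchronised) yields None. Unknown formats raise ValueError
    with a descriptive message instead of the bare int() failure shown above.
    """
    if raw == "-":
        return None
    match = _TIME_RE.match(raw)
    if match is None:
        raise ValueError(f"unparseable ntpq time field: {raw!r}")
    value, unit = match.groups()
    return int(value) * _UNIT_SECONDS[unit]


# Constructed "ntpq -p" style peer line (not real output); the fifth field
# after the tally code is the "when" column that crashed with '3y'.
SAMPLE_PEER = (
    "*10.0.0.1        .GPS.            1 u    3y   64  377    0.123   -0.456   0.789"
)


def parse_peer_when(line: str) -> Optional[int]:
    """Extract the 'when' column (seconds since last packet) from a peer line."""
    # Strip the leading tally code (" ", "*", "+", "-", "#", "x", ".", "o").
    fields = line.lstrip("*+-#x.o ").split()
    # remote, refid, st, t, when, poll, reach, delay, offset, jitter
    return ntp_fmt_time(fields[4])
```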
Title: Add support for MariaDB 11
Class: fix
Compatible: compat
Component: checks
Date: 1718006095
Edition: cre
Level: 1
Version: 2.2.0p33
MariaDB 11 deprecates the <code>mysql*</code> binaries and shows an error message like:
<code>
mysqladmin: Deprecated program name. It will be removed in a future release, use ‘/usr/bin/mariadb-admin’ instead
</code>
The agent plugin now checks whether the MariaDB binaries are available and prefers them over the MySQL binaries.
Title: REST-API: Include customer in list group endpoints
Class: feature
Compatible: compat
Component: rest-api
Date: 1724078164
Edition: cme
Level: 1
Version: 2.2.0p33
The list endpoints for Contact, Host and Service groups now include the
customer configuration.
Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
Version: 2.2.0p33
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
A view page cloned from an untrusted user who has injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
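As an added example for both SLA XSS entries above (the 2.1.0p47 and 2.2.0p33 werks), this is not Checkmk's view rendering code but a minimal model of it: the pre-werk cell renderer interpolates the SLA title as raw HTML, the post-werk renderer escapes it, and a small scan flags stored titles containing markup, matching the indicator of compromise the werk names. The sample titles are constructed.

```python
import html
import re

# Constructed sample of stored SLA titles keyed by SLA id (not real data).
# The second value contains markup such as an injecting user might store.
SLA_TITLES = {
    "sla_gold": "Gold SLA 99.9%",
    "sla_silver": "<i>Silver</i><script>/* constructed */</script>",
}

# Matches an HTML tag; used only to flag titles that warrant review.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_sla_cell_unsafe(title: str) -> str:
    """Pre-werk behaviour: the title lands in the view page as raw HTML."""
    return f'<td class="sla">{title}</td>'


def render_sla_cell(title: str) -> str:
    """Post-werk behaviour: the title is escaped, so markup renders as text."""
    return f'<td class="sla">{html.escape(title, quote=True)}</td>'


def titles_with_markup(titles: dict) -> list:
    """Return the ids of SLA titles that contain HTML tags.

    Run over the stored SLA configuration before/after upgrading to spot
    titles that would have been rendered unescaped by a vulnerable version.
    """
    return sorted(k for k, v in titles.items() if _TAG_RE.search(v))
```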