Title: Better handling of notification result in case of timeout
Class: fix
Compatible: compat
Component: notifications
Date: 1717580562
Edition: cre
Level: 1
Version: 2.2.0p33
Werk #16707 added useful log information to failed notifications in case of a timeout.
In some cases, this log contained also script output.
We now show the timeout message within "Summary" of the notification result
and, if available, the last output of the notification plugin followed by the
timeout message within the "Comment" column. Both are separated by "--".
Title: Fix link of "Open this Aggregation"
Class: fix
Compatible: compat
Component: multisite
Date: 1723468942
Edition: cre
Level: 1
Version: 2.2.0p33
If you used the option "Open this Aggregation" in the burger menu of a check
based on "Check State of BI Aggregation", the link lead to a none existing
page.
Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Remove websphere_mq plugin
Class: security
Compatible: incomp
Component: checks
Date: 1710155388
Edition: cre
Level: 1
Version: 2.2.0p26
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
<em>agent bakery</em> we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
------------------------------------<diff>-------------------------------------------
Title: Remove websphere_mq plugin
Class: security
- Compatible: compat
? --
+ Compatible: incomp
? ++
Component: checks
Date: 1710155388
Edition: cre
Level: 1
Version: 2.2.0p26
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
<em>agent bakery</em> we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
Title: Opsgenie: Better error handling
Class: fix
Compatible: compat
Component: notifications
Date: 1723465965
Edition: cre
Level: 1
Version: 2.2.0p33
In earlier versions some errors (like authentication failures) lead to a
traceback.
Errors should be shown in a better way now.
Title: Check Point plug-ins: increase detection sensitivity
Class: fix
Compatible: compat
Component: checks
Date: 1723122722
Edition: cre
Level: 1
Version: 2.2.0p32
Some Check Point devices have not been discovered as expected.
We now additionally consider all devices where the system object
identifier points to Check Points enterprise SNMP tree
<em>".1.3.6.1.4.1.2620"</em>.
Title: azure: Handle Azure API rate limit
Class: fix
Compatible: compat
Component: checks
Date: 1723021006
Edition: cre
Level: 1
Version: 2.2.0p32
After the changes in Azure API rate limits, the Azure agent requests to the API
were getting throttled for the big Azure environments.
This fix introduces handling for throttled requests. If the rate limit is reached,
the agent will repeat the request after 5 s. If it fails again, the agent will repeat the request
after another 10 s.
Additionally, the default limits for 'Lower levels for remaining API reads' in
the 'Azure Agent Info' monitoring rule are removed.
Title: brocade_fcport: fix operating speed conversion
Class: fix
Compatible: compat
Component: checks
Date: 1720516941
Edition: cre
Level: 1
Version: 2.2.0p32
This werk affects anyone monitoring Brocade fibre channel ports
by comparing current or average throughput to certain absolute or percentage levels
via the <em>Brocade FibreChannel ports</em> rule.
In the plugin the current operating speed of the interface,
read from the SNMP interface data,
was not properly converted to GByte/s,
the unit of measurement displayed in the interface.
This resulted in an erroneous comparison of values and the related service states.
Title: CPU utilization checking: Alert if utilization is exactly at threshold for too long
Class: fix
Compatible: compat
Component: checks
Date: 1723014220
Edition: cre
Level: 1
Version: 2.2.0p32
Many CPU utilization checks can be configured to alert if the utilization is too high for too long
(configuration options <em>Levels over an extended time period on total CPU utilization</em> and <em>Levels
over an extended time period on a single core CPU utilization</em>).
Before, Checkmk alerted only if the utilization was above the threshold for too long. As of this
werk, Checkmk alerts if the utilization is above or exactly at the threshold for too long. This is
consistent with the general behavior of Checkmk to check against upper thresholds with a "greater
than or equal to" operation.
Title: mk_informix: Follow up for Werk 16198
Class: security
Compatible: compat
Component: checks
Date: 1721978318
Edition: cre
Level: 1
Version: 2.2.0p32
<a href="https://checkmk.com/werk/16198">Werk #16198</a> addressed potential priviledge escalation by the agent plugin <code>mk_informix</code>.
However, a few callsites to the binaries <code>dbaccess</code> and <code>onstat</code> where missing the safe execution.
Those binaries are now also called in a safe way.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.
Title: mk_job: MK_VARDIR defaults not being set in bakery
Class: fix
Compatible: compat
Component: checks
Date: 1721972847
Edition: cre
Level: 1
Version: 2.2.0p32
Due to a different way to set in <code>MK_VARDIR</code> in <code>mk_job</code>, default values
would not be baked into <code>mk_job</code> and derivates.
This change adds a replacement rule for the way <code>MK_VARDIR</code> gets assigned in
<code>mk_job</code> and also separates assignment and export in order to avoid known problems
with Solaris.