ID: 0989
Title: logwatch.ec: Fix forwarding multiple messages via syslog/TCP
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i5
If you set up forwarding to the Event Console in the {logwatch.ec} check to
be done via TCP and more than one new message arrived per check interval,
several messages could have been joined together into one single message.
The reason was a missing newline character terminating each message. This has
been fixed. Forwarding via UDP was not affected by this bug, since every
message is sent in its own datagram and needs no separator.
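The framing problem behind this werk, as an added example that is not Check_MK code: the syslog line layout, host name and messages below are constructed, and the sender/receiver functions only model what a newline-terminated TCP stream versus one-datagram-per-message UDP looks like to the Event Console.

```python
# Added example, not Check_MK code: why a missing record terminator merges
# syslog messages on a TCP stream while UDP forwarding is unaffected.
# The line layout is a constructed RFC 3164 style: "<PRI>host tag: text".
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")


def format_syslog_line(text, host="web01", tag="logwatch", facility=16, severity=6):
    """Render one syslog line; PRI = facility * 8 + severity (16/6 = local0.info)."""
    return "<%d>%s %s: %s" % (facility * 8 + severity, host, tag, text)


def encode_tcp_stream(messages, terminate=True):
    """Serialise several messages into one TCP write.

    terminate=False reproduces the bug: without a trailing newline per
    message the receiver has no record boundary inside the byte stream.
    """
    sep = "\n" if terminate else ""
    return "".join(format_syslog_line(m) + sep for m in messages).encode("utf-8")


def encode_udp_datagrams(messages):
    """UDP: one datagram per message; the datagram boundary is the framing."""
    return [format_syslog_line(m).encode("utf-8") for m in messages]


def decode_tcp_stream(data):
    """Receiver side: split the stream on newline and drop the empty tail."""
    return [line for line in data.decode("utf-8").split("\n") if line]


def decode_udp(datagrams):
    return [d.decode("utf-8") for d in datagrams]


def parse_event(line):
    """Split a received line into (facility, severity, text)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI header: %r" % line)
    pri = int(m.group(1))
    return pri // 8, pri % 8, line[m.end():]


def events_received(messages, via="tcp", terminate=True):
    """Return the parsed events the receiver sees for one check interval."""
    if via == "udp":
        lines = decode_udp(encode_udp_datagrams(messages))
    else:
        lines = decode_tcp_stream(encode_tcp_stream(messages, terminate))
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    msgs = ["disk /var is 98% full", "sshd: failed password for root"]  # constructed
    print(events_received(msgs, "tcp", terminate=False))  # one merged event
    print(events_received(msgs, "tcp"))                   # two events
    print(events_received(msgs, "udp"))                   # two events
```

With `terminate=False` the second message, including its `<PRI>` header, ends up inside the text of the first event; this is exactly the symptom the werk describes, and it cannot occur on UDP because the datagram length already delimits each message.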
ID: 0988
Title: livedump: Fix exception in case no contact groups are defined for a service
Component: Livestatus
Level: 1
Class: Bug Fix
Version: 1.2.5i5
ID: 0942
Title: check_mk-winperf.cpuusage.php: now displays AVERAGE values instead of MAX
Component: Multisite
Level: 1
Class: Bug Fix
Version: 1.2.5i4
This change makes PNP graphs with larger timeframes consistent.
ID: 0941
Title: esx_vsphere_hostsystem.cpu_usage: pnpgraph now displays AVERAGE instead of MAX values in all timeframes
Component: Multisite
Level: 1
Class: Bug Fix
Version: 1.2.5i4
Affected PNP templates are: check_mk-enterasys_cpu_util, check_mk-esx_vsphere_hostsystem.cpu_usage, check_mk-innovaphone_cpu
ID: 0984
Title: Fix code injection for logged in users via automation URL
Component: WATO
Level: 2
Class: Incompatible Change
Version: 1.2.5i4
This fixes a vulnerability rated CVSS 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). The reported description:
<i>The check_mk application uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was modified as a security means from a former version, which used
"eval"-like structures with untrusted input data. Anyhow, as the python API
documentation clearly states, "pickle" should be considered unsafe as well,
see: <tt>https://docs.python.org/2/library/pickle.html</tt>.</i>
The fix replaces <tt>pickle</tt> with the <tt>ast</tt> module. Unfortunately
this module is not available on CentOS/RedHat 5.x and Debian 5. On these
systems WATO still uses <tt>pickle</tt>, even with this fix.
<b>Note:</b> This change makes the current Check_MK versions incompatible
with older versions. In a mixed environment with old and new Check_MK versions, or with old
and newer Python versions, you have to force WATO to use the old,
unsafe method by setting <tt>wato_legacy_eval = True</tt> in <tt>multisite.mk</tt>.
This can also be done with the new global WATO setting <i>Use unsafe legacy
encoding for distributed WATO</i>.
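Why unpickling data that crossed a trust boundary is code execution, and what the literal-only replacement rejects, as an added example that is not Check_MK code. The function names, the `legacy` flag and the sample config are illustrative assumptions (the werk's real switch is `wato_legacy_eval` in `multisite.mk`); the example uses Python 3, where the `ast` module is always present.

```python
# Added example, not Check_MK code: pickle.loads on attacker-controlled data
# runs attacker-chosen code, ast.literal_eval only rebuilds plain literals.
# Function names and the `legacy` flag are illustrative assumptions.
import ast
import os
import pickle


class MaliciousConfig(object):
    """Constructed attacker object: unpickling it calls eval() on our string."""

    def __reduce__(self):
        # pickle stores (callable, args) and calls callable(*args) on load.
        return (eval, ("__import__('os').getpid()",))


def craft_malicious_pickle():
    return pickle.dumps(MaliciousConfig())


def encode_config(obj):
    """Safe transport encoding: the Python literal repr of plain data."""
    return repr(obj)


def decode_config(data, legacy=False):
    """Decode transported config. legacy=True is the unsafe pre-fix path."""
    if legacy:
        return pickle.loads(data)   # executes whatever the sender pickled
    return ast.literal_eval(data)   # str/bytes/num/tuple/list/dict/set/bool/None only


def legacy_decoder_runs_attacker_code():
    """True if pickle.loads executed the attacker's eval (result is our PID)."""
    return decode_config(craft_malicious_pickle(), legacy=True) == os.getpid()


def safe_decoder_rejects(text):
    """True if the literal-only decoder refuses a non-literal expression."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False


SAMPLE_CONFIG = {  # constructed stand-in for a distributed WATO snapshot
    "hosts": {"web01": {"ipaddress": "10.0.0.5", "tags": ("prod", "lan")}},
    "rules": [("check_interval", 60, None)],
    "enabled": True,
}

if __name__ == "__main__":
    print("pickle executed attacker code:", legacy_decoder_runs_attacker_code())
    print("literal_eval rejects it:", safe_decoder_rejects("__import__('os').getpid()"))
    print("round trip ok:", decode_config(encode_config(SAMPLE_CONFIG)) == SAMPLE_CONFIG)
```

The repr/literal_eval pair only round-trips plain data (dicts, lists, tuples, strings, numbers, booleans, None), which is why a peer that still sends pickled objects cannot talk to the fixed decoder and the compatibility flag exists. Note that `ast.literal_eval` stops code execution but still parses the full input, so very deeply nested input can exhaust the parser; it is not a substitute for an input size limit.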
ID: 0983
Title: Fix security issue in code of row selections (checkboxes) (CVSS 4.9 AV:N/AC:M/Au:S/C:N/I:P/A:P)
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
The fixed weakness was:
The check_mk application allowed an attacker to write check_mk config files
(.mk files) to arbitrary locations on the server filesystem.
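The control a practitioner would expect around such a write, as an added example that is not Check_MK code: a user-supplied selection identifier is allow-listed and the resolved path is checked to stay under its base directory. The base directory, the file naming scheme and the identifier format are assumptions for illustration.

```python
# Added example, not Check_MK code: keep a user-chosen identifier from
# steering a .mk write outside its directory. Base dir and naming are assumed.
import os
import re

SELECTION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def selection_file_path(base_dir, selection_id):
    """Return the .mk path for a selection id, or raise ValueError.

    Two independent checks: a strict allow-list on the identifier (no dots,
    slashes or control characters), and a realpath containment check so that
    a symlink or anything that slips past the regex still cannot leave base_dir.
    """
    if not SELECTION_ID_RE.fullmatch(selection_id):
        raise ValueError("invalid selection id: %r" % selection_id)
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, selection_id + ".mk"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes base directory: %r" % path)
    return path


def accepted(base_dir, selection_id):
    """Convenience predicate: would this identifier be written?"""
    try:
        selection_file_path(base_dir, selection_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/var/lib/check_mk/selections"  # assumed directory
    print(selection_file_path(base, "view_hosts_1"))
    print(accepted(base, "../../../etc/cron.d/evil"))  # False
```

`fullmatch` rather than `match` with `$` matters here: `$` would accept an identifier with a trailing newline.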
ID: 0982
Title: Fix two XSS weaknesses rated CVSS 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Component: Multisite
Level: 2
Class: Security Fix
Version: 1.2.5i4
This fixes the following issue:
The check_mk application is susceptible to reflected XSS attacks. This is
mainly the result of improper output encoding. Reflected XSS can be triggered
by sending a malicious URL to a user of the check_mk application. Once the
XSS attack is triggered, the attacker has access to the full check_mk (and
Nagios) application with the access rights of the logged in victim.
The fix applies to the functions:
htmllib.py: render_status_icons()
actions.py: ajax_action()
ID: 0824
Title: Valuespecs: Fixed several possible HTML injections in valuespecs
Component: WATO
Level: 1
Class: Security Fix
Version: 1.2.5i4
Several valuespecs of different types (mostly used in WATO) were missing
proper escaping of values. This has been added to prevent HTML code
injections which could be used for XSS attacks. This only affects WATO and
logged in users who are permitted to use WATO and open a page (e.g. the list
of rules) which displays the values.
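The output-encoding fix behind both werk 0982 (status icon rendering and the AJAX action response) and werk 0824 (valuespec values shown in WATO tables), as one added example that is not Check_MK code: each sink is shown unescaped beside its escaped form. The markup layouts, function names and the `javascript:` scheme check are constructed assumptions, not the real htmllib/actions/valuespec code.

```python
# Added example, not Check_MK code: the unescaped sinks beside their escaped
# forms. Markup layouts and the href scheme check are illustrative assumptions.
import html
from urllib.parse import urlsplit


def escape(value):
    """HTML-escape for text nodes and double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def safe_href(url):
    """Escaping alone does not neutralise javascript: URLs placed in href,
    so allow only relative links and http(s) before escaping."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"
    return escape(url)


# werk 0982, htmllib.py render_status_icons(): title and link came from the request
def render_status_icon_unescaped(url, title):
    return '<a href="%s"><img class="icon" src="status.png" title="%s"></a>' % (url, title)


def render_status_icon(url, title):
    return '<a href="%s"><img class="icon" src="status.png" title="%s"></a>' % (
        safe_href(url), escape(title))


# werk 0982, actions.py ajax_action(): result text reflected back to the browser
def ajax_action_response_unescaped(ok, message):
    return '<div class="%s">%s</div>' % ("ok" if ok else "error", message)


def ajax_action_response(ok, message):
    return '<div class="%s">%s</div>' % ("ok" if ok else "error", escape(message))


# werk 0824, valuespecs: stored rule values rendered into a WATO table
def render_valuespec_cell_unescaped(value):
    return "<td>%s</td>" % value


def render_valuespec_cell(value):
    return "<td>%s</td>" % escape(value)


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'  # constructed probe
    print(render_status_icon_unescaped("view.py", payload))
    print(render_status_icon("view.py", payload))
    print(render_status_icon("javascript:alert(1)", "ok"))
    print(render_valuespec_cell(payload))
```

The stored-value case (werk 0824) is only exploitable by someone who can already edit WATO rules, but the rendered page is viewed by every WATO user, so the escaping has to happen at output time regardless of who wrote the value.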
ID: 0823
Title: mk_sap: Fixed some wrongly calculated values (decimal numbers)
Component: Checks & Agents
Level: 1
Class: Bug Fix
Version: 1.2.5i4
The values provided by SAP appear to be integers accompanied by a second
value that tells the requesting program the number of decimal places,
e.g. when this value is 2, a load value of 901 is converted to 9.01. This
second value was not used in the past, which led to odd check results.