Werk 16599 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
Version: 2.2.0p26
The check plugin no longer showed any metrics if no product was specified in the ruleset configuration.
This werk restores the original behaviour: when no product is configured, the product reported in the info section of the agent output is used as the default.
------------------------------------<diff>-------------------------------------------
Title: jolokia metrics: restores 'default product' behavior
Class: fix
Compatible: compat
Component: checks
Date: 1710165014
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration.
This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output.
Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Remove websphere_mq plugin
Class: security
Compatible: compat
Component: checks
Date: 1710155388
Edition: cre
Level: 1
Version: 2.2.0p26
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and was not configurable via the
<em>agent bakery</em>, we assumed that it is not frequently used. Therefore we
decided not to fix the issue but to remove the plugin.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
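The hazard described above, as an added illustration (this is not code from the removed plugin or from Checkmk): a value scraped from a process listing is influenced by every local user who can start a process, so it must at least be validated before it becomes an argument of another program. The `ps` lines below are constructed sample data, and the allowed character set for a queue manager name is an assumption made for the example.

```python
import re

# Constructed sample of `ps -eo args` style output (not real agent output).
# The second line is something any local user can produce simply by starting
# a process with a command line of their choosing.
SAMPLE_PS_OUTPUT = """\
/opt/mqm/bin/amqzxma0 -m QM1 -x -u mqm
/usr/bin/sleep -m not;a;queue
"""

# Assumed (not taken from IBM MQ documentation) conservative character set for
# a queue manager name: alphanumerics, dot and underscore, no leading dash, so
# the value can never be read as an option by the program receiving it.
_QMGR_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._]{0,47}$")


def candidate_queue_managers(ps_output: str) -> list[str]:
    """The unsafe derivation: take whatever follows '-m' on every process line.

    Every line of the listing is trusted, so a value planted by an unprivileged
    process is returned next to the real one.
    """
    names = []
    for line in ps_output.splitlines():
        argv = line.split()
        for i, token in enumerate(argv[:-1]):
            if token == "-m":
                names.append(argv[i + 1])
    return names


def validate_queue_manager(name: str) -> bool:
    """Accept only names that fit the assumed pattern."""
    return _QMGR_NAME.fullmatch(name) is not None


def safe_queue_managers(ps_output: str) -> list[str]:
    """Same derivation, but only well-formed names survive."""
    return [n for n in candidate_queue_managers(ps_output) if validate_queue_manager(n)]


def build_runmqsc_argv(queue_manager: str) -> list[str]:
    """Build an argv list (never a shell string) for runmqsc.

    Raises ValueError for a name that fails validation, so a rejected value can
    never reach subprocess.run(argv) further down the call chain.
    """
    if not validate_queue_manager(queue_manager):
        raise ValueError(f"rejected queue manager name: {queue_manager!r}")
    return ["runmqsc", queue_manager]


if __name__ == "__main__":
    print("raw candidates:", candidate_queue_managers(SAMPLE_PS_OUTPUT))
    print("validated:     ", safe_queue_managers(SAMPLE_PS_OUTPUT))
    for name in safe_queue_managers(SAMPLE_PS_OUTPUT):
        print("would run:", build_runmqsc_argv(name))
```

Validation only narrows the channel: it does not prove that the process whose command line carried the name belongs to a queue manager at all, so a well-formed but planted name still gets through. That residual trust in an unprivileged process is why the werk's answer is migration to the `ibm_mq` plugin rather than a patch.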
------------------------------------<diff>-------------------------------------------
Title: Remove websphere_mq plugin
Class: security
Compatible: compat
Component: checks
Date: 1710155388
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
<em>agent bakery</em> we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
Werk 15026 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission
Class: fix
Compatible: compat
Component: wato
Date: 1710499061
Edition: cre
Level: 1
Version: 2.2.0p26
Without the "add_or_modify_executables" permission users do not have the right
to change any executable run by checkmk, either on the site or via the agent.
The agent config options "python_plugins" and "lnx_remote_alert_handlers" did
not yet check for that permission.
In the UI, "python_plugins" and "lnx_remote_alert_handlers" are called
"Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively.
------------------------------------<diff>-------------------------------------------
Title: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission
Class: fix
Compatible: compat
Component: wato
Date: 1710499061
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Without the "add_or_modify_executables" permission users do not have the right
to change any executable run by checkmk, either on the site or via the agent.
The agent config options "python_plugins" and "lnx_remote_alert_handlers" have
not yet checked for that permission.
In the UI "python_plugins" and "lnx_remote_alert_handlers are called
"Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively.
Werk 15840 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Windows agent obtains winperf data using separate process
Class: fix
Compatible: compat
Component: checks
Date: 1711121597
Edition: cre
Level: 1
Version: 2.2.0p26
This change fixes a regression introduced in 2.1.0p2.
------------------------------------<diff>-------------------------------------------
Title: Windows agent obtains winperf data using separate process
Class: fix
Compatible: compat
Component: checks
Date: 1711121597
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
This change fixes regression introduced in 2.1.0p2
Werk 15487 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix indentation of tree of folders snapin
Class: fix
Compatible: compat
Component: multisite
Date: 1683124911
Edition: cre
Level: 1
Version: 2.2.0p26
------------------------------------<diff>-------------------------------------------
Title: Fix indentation of tree of folders snapin
Class: fix
Compatible: compat
Component: multisite
Date: 1683124911
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Werk 15320 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical
Class: fix
Compatible: compat
Component: checks
Date: 1706189999
Edition: cre
Level: 1
Version: 2.2.0p26
Stopped resources are marked <code>CRIT</code>.
If a resource was stopped and unmanaged, it was not marked as <code>CRIT</code>.
------------------------------------<diff>-------------------------------------------
Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical
Class: fix
Compatible: compat
Component: checks
Date: 1706189999
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Stopped resources are marked <code>CRIT</code>.
If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>.
Werk 15331 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: postgres_stat_database_size: Don't discover 'access_to_shared_objects'
Class: fix
Compatible: incomp
Component: checks
Date: 1713251421
Edition: cre
Level: 1
Version: 2.2.0p26
Checkmk discovered Services like "PostgreSQL DB MAIN/access_to_shared_objects
Size" but the Services only showed "Database size not available" and a WARN
status.
Those Services are no longer discovered.
------------------------------------<diff>-------------------------------------------
Title: postgres_stat_database_size: Don't discover 'access_to_shared_objects'
Class: fix
Compatible: incomp
Component: checks
Date: 1713251421
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Checkmk discovered Services like "PostgreSQL DB MAIN/access_to_shared_objects
Size" but the Services only showed "Database size not available" and a WARN
status.
Those Services are no longer discovered.
Werk 15321 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service"
Class: fix
Compatible: compat
Component: checks
Date: 1706532543
Edition: cre
Level: 1
Version: 2.2.0p26
The rule "Status of the Checkmk service" provides a setting called "State if
specific check plugins receive no monitoring data", where you can specify a
regular expression to match specific check plugins and assign a status for
the "Check_MK" service if these check plugins receive no data.
The feature worked correctly if you specified a status worse than "WARN".
But the "Check_MK" service went to "WARN" even if there was a rule to set the
status to "OK" if the specific section did not receive any data. This is fixed now.
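The defect described above, as an added example that is not Checkmk's own code: the pre-fix logic applied the default "WARN" first and then only let a rule raise the state, so a rule assigning "OK" never took effect; the fixed logic lets a matching rule replace the default. The rules and plugin names are constructed, and prefix matching with `re.match` is an assumption.

```python
import re
from typing import Optional

# Checkmk-style monitoring states (numeric values as used by check plugins).
OK, WARN, CRIT, UNKNOWN = 0, 1, 2, 3

# Constructed rules in the shape of the setting described above:
# (regular expression matched against the check plugin name, state to assign).
RULES = [
    (r"^postgres_", OK),    # a missing PostgreSQL section is expected on standby hosts
    (r"^mssql_", CRIT),     # a missing MSSQL section is a real problem
]


def _configured_state(plugin: str, rules) -> Optional[int]:
    """First matching rule wins; None when no rule matches (assumed prefix match)."""
    for pattern, state in rules:
        if re.match(pattern, plugin):
            return state
    return None


def buggy_check_mk_state(plugins_without_data, rules=RULES) -> int:
    """Pre-fix behaviour: WARN is applied first and a rule can only raise it."""
    state = OK
    for plugin in plugins_without_data:
        state = max(state, WARN)                 # unconditional WARN
        configured = _configured_state(plugin, rules)
        if configured is not None:
            state = max(state, configured)       # OK from a rule never wins here
    return state


def fixed_check_mk_state(plugins_without_data, rules=RULES) -> int:
    """Post-fix behaviour: a matching rule replaces the default, worst state wins."""
    state = OK
    for plugin in plugins_without_data:
        configured = _configured_state(plugin, rules)
        state = max(state, WARN if configured is None else configured)
    return state


if __name__ == "__main__":
    missing = ["postgres_connections"]
    print("buggy:", buggy_check_mk_state(missing))   # 1 (WARN) despite the OK rule
    print("fixed:", fixed_check_mk_state(missing))   # 0 (OK)
```

Both variants agree whenever the configured state is "WARN" or worse, which is exactly why the bug only showed up for rules that set "OK".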
------------------------------------<diff>-------------------------------------------
Title: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service"
Class: fix
Compatible: compat
Component: checks
Date: 1706532543
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Rule "Status of the Checkmk service" provides a setting called "State if
specific check plugins receive no monitoring data" where you can specify a
regular expression to match specific check plugins, and assign a status for
the "Check_MK" service if this check plugins receives no data.
The feature did work correctly if you specified a Status worse than "WARN".
But the "Check_MK" service went to "WARN" even if there was an rule to set the
status to "OK" if the specific section did not receive any data. This is fixed now.
Werk 15332 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Inventory: Add Windows support for Hardware > System > Uuid
Class: feature
Compatible: compat
Component: inv
Date: 1713272987
Edition: cre
Level: 1
Version: 2.2.0p26
This element is already available for Linux; now the Windows agent also supports
reading this value.
You have to update <code>mk_inventory.vbs</code> on the monitored host to provide the
necessary data.
------------------------------------<diff>-------------------------------------------
Title: Inventory: Add Windows support for Hardware > System > Uuid
Class: feature
Compatible: compat
Component: inv
Date: 1713272987
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
This element is already available for Linux, now the windows agent also supports
reading this value.
You have to update <code>mk_inventory.vbs</code> on the monitored host, to provide the
necessary data.
Werk 15198 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
Version: 2.2.0p26
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts remain unaffected by the lockout mechanism to avoid having them locked with malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.
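The locking behaviour described in this Werk, as an added example that is not Checkmk's own implementation: one failed-attempt counter per user that is shared by the web form, the REST API and basic authentication, with automation accounts exempt and a generator for the long random secrets the text recommends. The accounts, passwords and the lockout threshold of five attempts are constructed for the example; the page states no threshold.

```python
import secrets
from dataclasses import dataclass

# All login paths named in the Werk. Before the fix only the web form counted.
ALL_METHODS = frozenset({"web_form", "rest_api", "basic_auth"})
PRE_FIX_METHODS = frozenset({"web_form"})

MAX_FAILED_ATTEMPTS = 5  # constructed threshold; the Werk states none


@dataclass
class Account:
    name: str
    password: str          # constructed plaintext for the demo only
    is_automation: bool = False
    failed_attempts: int = 0
    locked: bool = False


class LoginGuard:
    """Per-user failed-attempt counter shared by every counted login method."""

    def __init__(self, accounts, counted_methods=ALL_METHODS,
                 max_failed=MAX_FAILED_ATTEMPTS):
        self._accounts = {a.name: a for a in accounts}
        self._counted = counted_methods
        self._max_failed = max_failed

    def attempt(self, username: str, password: str, method: str) -> str:
        """Return 'ok', 'rejected' or 'locked'."""
        account = self._accounts.get(username)
        if account is None:
            return "rejected"          # unknown user: nothing to count against
        if account.locked:
            return "locked"            # even a correct password is refused
        if secrets.compare_digest(password, account.password):
            account.failed_attempts = 0
            return "ok"
        # Only human accounts are locked, and only for methods that count.
        if not account.is_automation and method in self._counted:
            account.failed_attempts += 1
            if account.failed_attempts >= self._max_failed:
                account.locked = True
                return "locked"
        return "rejected"

    def is_locked(self, username: str) -> bool:
        return self._accounts[username].locked


def new_automation_secret(nbytes: int = 32) -> str:
    """Long random secret, the Werk's recommendation for automation accounts."""
    return secrets.token_urlsafe(nbytes)


def demo_accounts():
    """Constructed accounts for the example."""
    return [
        Account("alice", "correct horse battery staple"),
        Account("automation", new_automation_secret(), is_automation=True),
    ]


def lockout_after_rest_failures(counted_methods, n: int = MAX_FAILED_ATTEMPTS) -> bool:
    """Run n wrong-password REST API attempts against alice; report whether she is locked."""
    guard = LoginGuard(demo_accounts(), counted_methods=counted_methods)
    for _ in range(n):
        guard.attempt("alice", "wrong", "rest_api")
    return guard.is_locked("alice")


if __name__ == "__main__":
    print("locked after REST failures, pre-fix: ", lockout_after_rest_failures(PRE_FIX_METHODS))
    print("locked after REST failures, post-fix:", lockout_after_rest_failures(ALL_METHODS))
```

Because automation accounts are deliberately never locked, the only protection they get is the entropy of their secret, which is what makes `new_automation_secret()` (32 random bytes, URL-safe encoded) rather than a chosen password the right way to provision them.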
------------------------------------<diff>-------------------------------------------
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
- Version: 2.2.0p25
? ^
+ Version: 2.2.0p26
? ^
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.