Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15912 discussions

[2.2.0] Checkmk Werk 16599 adapted: jolokia metrics: restores 'default product' behavior

by Checkmk werks level 1

Werk 16599 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: jolokia metrics: restores 'default product' behavior Class: fix Compatible: compat Component: checks Date: 1710165014 Edition: cre Level: 1 Version: 2.2.0p26 The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration. This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output. ------------------------------------<diff>------------------------------------------- Title: jolokia metrics: restores 'default product' behavior Class: fix Compatible: compat Component: checks Date: 1710165014 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ The check plugin no longer showed any metrics if a product was not specified in the ruleset configuration. This werk restores the original behaviour, using as a default product the one reported in the info section of the agent output.

5 months, 1 week

[2.2.0] Checkmk Werk 16615 adapted: Remove websphere_mq plugin

by Checkmk werks level 1

Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Remove websphere_mq plugin Class: security Compatible: compat Component: checks Date: 1710155388 Edition: cre Level: 1 Version: 2.2.0p26 With this Werk the <code>websphere_mq</code> plugin is removed for security reasons. In this plugin the output of <code>ps</code> is used to determine an argument for <code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to <code>runmqsc</code>. The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the agent bakery we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. Affected versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: Migrate to the <code>ibm_mq</code> plugin. Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>. We assigned CVE-2024-3367 to this vulnerability. Changes: The plugin was removed. ------------------------------------<diff>------------------------------------------- Title: Remove websphere_mq plugin Class: security Compatible: compat Component: checks Date: 1710155388 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ With this Werk the <code>websphere_mq</code> plugin is removed for security reasons. In this plugin the output of <code>ps</code> is used to determine an argument for <code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary command line could manipulate one argument to <code>runmqsc</code>. The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0. Since this plugin is already deprecated and it was not configurable via the agent bakery we assumed that this plugin is not frequently used. Therefore we decided to not fix the issue but to push the removal. We found this vulnerability internally. Affected versions: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 Mitigations: Migrate to the <code>ibm_mq</code> plugin. Vulnerability Management: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>. We assigned CVE-2024-3367 to this vulnerability. Changes: The plugin was removed.

5 months, 1 week

[2.2.0] Checkmk Werk 15026 adapted: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission

by Checkmk werks level 1

Werk 15026 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission Class: fix Compatible: compat Component: wato Date: 1710499061 Edition: cre Level: 1 Version: 2.2.0p26 Without the "add_or_modify_executables" permission users do not have the right to change any executable run by checkmk, either on the site or via the agent. The agent config options "python_plugins" and "lnx_remote_alert_handlers" have not yet checked for that permission. In the UI "python_plugins" and "lnx_remote_alert_handlers are called "Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively. ------------------------------------<diff>------------------------------------------- Title: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission Class: fix Compatible: compat Component: wato Date: 1710499061 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Without the "add_or_modify_executables" permission users do not have the right to change any executable run by checkmk, either on the site or via the agent. The agent config options "python_plugins" and "lnx_remote_alert_handlers" have not yet checked for that permission. In the UI "python_plugins" and "lnx_remote_alert_handlers are called "Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively.

5 months, 1 week

[2.2.0] Checkmk Werk 15840 adapted: Windows agent obtains winperf data using separate process

by Checkmk werks level 1

Werk 15840 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Windows agent obtains winperf data using separate process Class: fix Compatible: compat Component: checks Date: 1711121597 Edition: cre Level: 1 Version: 2.2.0p26 This change fixes regression introduced in 2.1.0p2 ------------------------------------<diff>------------------------------------------- Title: Windows agent obtains winperf data using separate process Class: fix Compatible: compat Component: checks Date: 1711121597 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ This change fixes regression introduced in 2.1.0p2

5 months, 1 week

[2.2.0] Checkmk Werk 15487 adapted: Fix indentation of tree of folders snapin

by Checkmk werks level 1

Werk 15487 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Fix indentation of tree of folders snapin Class: fix Compatible: compat Component: multisite Date: 1683124911 Edition: cre Level: 1 Version: 2.2.0p26 ------------------------------------<diff>------------------------------------------- Title: Fix indentation of tree of folders snapin Class: fix Compatible: compat Component: multisite Date: 1683124911 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^

5 months, 1 week

[2.2.0] Checkmk Werk 15320 adapted: heartbeat_crm_resources: unmanaged stopped resources could not go critical

by Checkmk werks level 1

Werk 15320 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical Class: fix Compatible: compat Component: checks Date: 1706189999 Edition: cre Level: 1 Version: 2.2.0p26 Stopped resources are marked <code>CRIT</code>. If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>. ------------------------------------<diff>------------------------------------------- Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical Class: fix Compatible: compat Component: checks Date: 1706189999 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Stopped resources are marked <code>CRIT</code>. If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>.

5 months, 1 week

[2.2.0] Checkmk Werk 15331 adapted: postgres_stat_database_size: Don't discover 'access_to_shared_objects'

by Checkmk werks level 1

Werk 15331 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: postgres_stat_database_size: Don't discover 'access_to_shared_objects' Class: fix Compatible: incomp Component: checks Date: 1713251421 Edition: cre Level: 1 Version: 2.2.0p26 Checkmk discovered Services like "PostgreSQL DB MAIN/access_to_shared_objects Size" but the Services only showed "Database size not available" and a WARN status. Those Services are no longer discovered. ------------------------------------<diff>------------------------------------------- Title: postgres_stat_database_size: Don't discover 'access_to_shared_objects' Class: fix Compatible: incomp Component: checks Date: 1713251421 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Checkmk discovered Services like "PostgreSQL DB MAIN/access_to_shared_objects Size" but the Services only showed "Database size not available" and a WARN status. Those Services are no longer discovered.

5 months, 1 week

[2.2.0] Checkmk Werk 15321 adapted: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service"

by Checkmk werks level 1

Werk 15321 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service" Class: fix Compatible: compat Component: checks Date: 1706532543 Edition: cre Level: 1 Version: 2.2.0p26 Rule "Status of the Checkmk service" provides a setting called "State if specific check plugins receive no monitoring data" where you can specify a regular expression to match specific check plugins, and assign a status for the "Check_MK" service if this check plugins receives no data. The feature did work correctly if you specified a Status worse than "WARN". But the "Check_MK" service went to "WARN" even if there was an rule to set the status to "OK" if the specific section did not receive any data. This is fixed now. ------------------------------------<diff>------------------------------------------- Title: Fix "State if specific check plugins receive no monitoring data" of Rule "Status of the Checkmk service" Class: fix Compatible: compat Component: checks Date: 1706532543 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Rule "Status of the Checkmk service" provides a setting called "State if specific check plugins receive no monitoring data" where you can specify a regular expression to match specific check plugins, and assign a status for the "Check_MK" service if this check plugins receives no data. The feature did work correctly if you specified a Status worse than "WARN". But the "Check_MK" service went to "WARN" even if there was an rule to set the status to "OK" if the specific section did not receive any data. This is fixed now.

5 months, 1 week

[2.2.0] Checkmk Werk 15332 adapted: Inventory: Add Windows support for Hardware > System > Uuid

by Checkmk werks level 1

Werk 15332 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Inventory: Add Windows support for Hardware > System > Uuid Class: feature Compatible: compat Component: inv Date: 1713272987 Edition: cre Level: 1 Version: 2.2.0p26 This element is already available for Linux, now the windows agent also supports reading this value. You have to update <code>mk_inventory.vbs</code> on the monitored host, to provide the necessary data. ------------------------------------<diff>------------------------------------------- Title: Inventory: Add Windows support for Hardware > System > Uuid Class: feature Compatible: compat Component: inv Date: 1713272987 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ This element is already available for Linux, now the windows agent also supports reading this value. You have to update <code>mk_inventory.vbs</code> on the monitored host, to provide the necessary data.

5 months, 1 week

[2.2.0] Checkmk Werk 15198 adapted: Brute-force protection ineffective for some login methods

by Checkmk werks level 1

Werk 15198 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 Version: 2.2.0p26 Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>. ------------------------------------<diff>------------------------------------------- Title: Brute-force protection ineffective for some login methods Class: security Compatible: compat Component: wato Date: 1712665452 Edition: cre Level: 1 - Version: 2.2.0p25 ? ^ + Version: 2.2.0p26 ? ^ Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method. Login attempts via the REST API and basic authentication did not count towards the lockout mechanism. As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism. This Werk adds the same locking mechanism to login via the REST API and basic authentication for human user accounts. Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent. It is therefore important to use long, random automation secrets. This issue was found during internal review. Affected Versions: LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) Mitigations: If updating is not possible, the brute-force attempts can be hindered by using a strong password policy. Vulnerability Management: We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code> and assigned CVE <code>CVE-2024-28825</code>.

5 months, 1 week

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1