Title: Custom & forecast graphs: More descriptive error messages in case of missing user input when configuring metrics
Class: fix
Compatible: compat
Component: metrics
Date: 1713524269
Edition: cee
Level: 1
Version: 2.2.0p26
When configuring the metrics rendered in custom and forecast graphs, users have to select a host,
a service and a metric. Previously, if any of these fields were missing, the Checkmk UI displayed
the message "Cannot calculate graph recipes" and an uninformative traceback. As of this werk, the UI instead displays a descriptive error message.
[//]: # (werk v2)
# Decommission legacy check API
key | value
---------- | ---
date | 2024-04-17T06:27:51+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | no
This werk only affects users and maintainers of custom check plugins developed against the API that was replaced in Checkmk 2.0.0.
The old API for the plugins residing in `local/share/check_mk/checks` will no longer be stable in Checkmk version 2.3.
Plugins not maintained by Checkmk will almost certainly be incompatible and therefore ignored.
Compatible plugins _will_ be considered, but the notion of what constitutes a compatible plugin may change any time.
As of Checkmk version 2.2 plugins in that folder generated a warning on the commandline and resulted in an <i>"Analyze Configuration"</i> test issueing a WARNING.
We now escalate this to CRITICAL.
Incompatible plugins are reported during `omd update`.
If you maintian such plugins, please migrate them to the new API before upgrading to Checkmk 2.3.
You can find a blog post on how to migrate these plugins
[here](https://checkmk.com/blog/migrating-check-plug-ins-to-checkmk-2-0).
A comprehensive guide on how to write plugins is found
[in our documentation](https://docs.checkmk.com/2.3.0-beta/en/devel_check_plugins.h….
Please also refer to the APIs documentation found in your site (Help -> Check plugin API reference).
Commandline call plugins for special agents and active checks in this folder will still work,
but we provide a new API for those as well now (see [Werk #16259](https://checkmk.com/werk/16259)).
They will stop working in Checkmk 2.4.
[//]: # (werk v2)
# Custom & forecast graphs: More descriptive error messages in case of missing user input when configuring metrics
key | value
---------- | ---
date | 2024-04-19T10:57:49+00:00
version | 2.4.0b1
class | fix
edition | cee
component | metrics
level | 1
compatible | yes
When configuring the metrics rendered in custom and forecast graphs, users have to select a host,
a service and a metric. Previously, if any of these fields were missing, the Checkmk UI displayed
the message "Cannot calculate graph recipes" and an uninformative traceback. As of this werk, the UI instead displays a descriptive error message.
Title: omd start redis: Don't Start If Process Already Running
Class: fix
Compatible: compat
Component: omd
Date: 1713456408
Edition: cre
Level: 1
Version: 2.1.0p42
With this Werk, <code>omd start</code> will no longer create a new redis process if redis is already started.
This aligns the behaviour with the other services of a site.
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
Version: 2.1.0p42
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.
Title: omd start redis: Don't Start If Process Already Running
Class: fix
Compatible: compat
Component: omd
Date: 1713456408
Edition: cre
Level: 1
Version: 2.2.0p25
With this Werk, <code>omd start</code> will no longer create a new redis process if redis is already started.
This aligns the behaviour with the other services of a site.
Title: ldap: show the correct customer for ldap users
Class: fix
Compatible: compat
Component: wato
Date: 1713448991
Edition: cme
Level: 1
Version: 2.2.0p25
When an ldap connection is configured for a specific customer, this
wasn't reflected in the users for that ldap connection. This werk
addresses this issue by now showing the correct customer.
Title: Brute-force protection ineffective for some login methods
Class: security
Compatible: compat
Component: wato
Date: 1712665452
Edition: cre
Level: 1
Version: 2.2.0p25
Prior to this Werk, the mechanism to lock user accounts after too many failed login attempts was only effective for the web form login method.
Login attempts via the REST API and basic authentication did not count towards the lockout mechanism.
As a result, an attacker could try to brute-force user passwords without triggering the lockout mechanism.
This Werk adds the same locking mechanism to login via the REST API and basic authentication <em>for human user accounts</em>.
Note that automation accounts are remain unaffected by the lockout mechanism to avoid having them locked by malicious intent.
It is therefore important to use long, random automation secrets.
This issue was found during internal review.
<strong>Affected Versions</strong>:
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Mitigations</strong>:
If updating is not possible, the brute-force attempts can be hindered by using a strong password policy.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.9 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>
and assigned CVE <code>CVE-2024-28825</code>.
[//]: # (werk v2)
# Check certificates: Fix checking of common name of issuer
key | value
---------- | ---
date | 2024-04-18T11:02:41+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
The active certificate check (configured via the ruleset *Check certificates*) did not check the
common name (CN) of the certificate issuer correctly:
* If only the checking of the issuer CN was activated, the CN of the subject was checked instead.
* If both the checking of the issuer and the subject CN where activated, the active check crashed with\
<code>error: the argument '--subject-cn \<SUBJECT_CN\>' cannot be used multiple times.</code>
[//]: # (werk v2)
# omd start redis: Don't Start If Process Already Running
key | value
---------- | ---
date | 2024-04-18T16:06:48+00:00
version | 2.4.0b1
class | fix
edition | cre
component | omd
level | 1
compatible | yes
With this Werk, `omd start` will no longer create a new redis process if redis is already started.
This aligns the behaviour with the other services of a site.