[//]: # (werk v2)
# Licensing: Introduce grace period for unlicensed state
key | value
---------- | ---
date | 2024-03-27T15:55:26+00:00
version | 2.4.0b1
class | fix
edition | cce
component | wato
level | 1
compatible | yes
To lessen the impact of a setup becoming unlicensed, there is now a 7 day grace period before becoming unlicensed.
In this time only warnings will be shown so that users have the opportunity to fix the licensing issues.
Title: check_wmi_webservices: fix CurrentConnections monitoring
Class: fix
Compatible: compat
Component: checks
Date: 1712040247
Edition: cre
Level: 1
Version: 2.2.0p25
The CurrentConnections metric was calculated "per second".
We now directly show the number of connections returned by the service.
Title: Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission
Class: fix
Compatible: compat
Component: wato
Date: 1710499061
Edition: cre
Level: 1
Version: 2.2.0p25
Without the "add_or_modify_executables" permission users do not have the right
to change any executable run by checkmk, either on the site or via the agent.
The agent config options "python_plugins" and "lnx_remote_alert_handlers" have
not yet checked for that permission.
In the UI "python_plugins" and "lnx_remote_alert_handlers are called
"Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively.
[//]: # (werk v2)
# Crash when accessing overridden built-in dashboard
key | value
---------- | ---
date | 2024-04-03T12:32:28+00:00
version | 2.4.0b1
class | fix
edition | cre
component | multisite
level | 1
compatible | yes
Accessing a built-in dashboard after overriding it with a custom dashboard
could cause certain dashlets to crash.
For example, you could access the built-in dashboard by clicking the link
in Customize > Dashboards > Built-in. Another way to access the built-in
dashboard is for example by having a bookmark to it.
Now this crash no longer occurs and all dashlets render correctly.
[//]: # (werk v2)
# check_wmi_webservices: fix CurrentConnections monitoring
key | value
---------- | ---
date | 2024-04-02T06:44:07+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
The CurrentConnections metric was calculated "per second".
We now directly show the number of connections returned by the service.
[//]: # (werk v2)
# Remove websphere_mq plugin
key | value
---------- | ---
date | 2024-03-11T11:09:48+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
With this Werk the `websphere_mq` plugin is removed for security reasons.
In this plugin the output of `ps` is used to determine an argument for
`runmqsc`. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to `runmqsc`.
The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
*agent bakery* we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
__Affected versions__:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
__Mitigations__:
Migrate to the `ibm_mq` plugin.
__Vulnerability Management__:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`.
We assigned CVE-2024-3367 to this vulnerability.
__Changes__:
The plugin was removed.
[//]: # (werk v2)
# Crash on activate changes when re-registering agents
key | value
---------- | ---
date | 2024-03-28T15:50:10+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
When re-registering agents, a call to activate changes could crash with an error message like
```
[Errno 2] No such file or directory: '/omd/sites/<site>/var/agent-receiver/received-outputs/<uuid>
```
Werk 16180 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Ruleset API: Datamodel changes for Proxy FormSpec
key | value
---------- | ---
date | 2024-03-28T13:45:23+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
This only affects plugin developers using the new API `cmk.rulesets.v1`.
The datamodel for the `Proxy`, `Levels`, `TimePeriod` and `Password` Formspecs is changed.
Use the `migrate_to_...` migration function to update your stored configurations to the newer datamodel.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Ruleset API: Datamodel changes for Proxy FormSpec
key | value
---------- | ---
date | 2024-03-28T13:45:23+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 1
compatible | yes
- This only affects plugin developers.
- The datamodel for the `Proxy` Formspec is changed.
+ This only affects plugin developers using the new API `cmk.rulesets.v1`.
+ The datamodel for the `Proxy`, `Levels`, `TimePeriod` and `Password` Formspecs is changed.
- Use the `migrate_to_proxy` migration function to update your stored configurations to the newer datamodel.
? ^^^^^
+ Use the `migrate_to_...` migration function to update your stored configurations to the newer datamodel.
? ^^^
[//]: # (werk v2)
# Disallow python_plugins and lnx_remote_alert_handlers agent config options for users without the "add_or_modify_executables" permission
key | value
---------- | ---
date | 2024-03-15T10:37:41+00:00
version | 2.4.0b1
class | fix
edition | cre
component | wato
level | 1
compatible | yes
Without the "add_or_modify_executables" permission users do not have the right
to change any executable run by checkmk, either on the site or via the agent.
The agent config options "python_plugins" and "lnx_remote_alert_handlers" have
not yet checked for that permission.
In the UI "python_plugins" and "lnx_remote_alert_handlers are called
"Python agent plugin execution (UNIX)" and "Remote alert handler (Linux)" respectively.
Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.1.0p42
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
Werk <a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses above mentioned issue that affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
Since this release, Oracle monitoring on Windows is fully supported under
condition you use an account without administrator rights or the certain
executable binaries, <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
presented, <tt>crsctl.exe</tt> are write-protected, with the possible
exception being the Administrator.
If you are unable or prefer not to use an unprivileged account then you may
need to adjust permissions for above mentioned binaries: remove <tt>Write</tt>,
<tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
user and group.
More information about can be found at <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.