Title: mk_oracle(ps1): Follow-up to privilege escalation fix
Class: fix
Compatible: incomp
Component: checks
Date: 1712314947
Edition: cre
Level: 2
Version: 2.2.0p25
You might be affected by this Werk if you use <tt>mk_oracle</tt> on Windows.
Werk <a href="https://checkmk.com/werk/16232">Werk #16232</a> introduced a
regression, thereby disrupting Oracle monitoring on Windows.
This Werk addresses the above-mentioned issue, which affects versions 2.1.0p41,
2.2.0p24, and 2.3.0b4.
As of this release, Oracle monitoring on Windows is fully supported on the
condition that you either use an account without administrator rights, or that
the executable binaries <tt>sqlplus.exe</tt>, <tt>tnsping.exe</tt> and, if
present, <tt>crsctl.exe</tt> are write-protected, with the possible
exception of the Administrator.
If you are unable or prefer not to use an unprivileged account, you may
need to adjust the permissions of the above-mentioned binaries: remove the <tt>Write</tt>,
<tt>Full Control</tt> and <tt>Modify</tt> permissions for any non-Administrator
user and group.
More information can be found <a href="https://checkmk.atlassian.net/wiki/x/AQA1B">here</a>.
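The permission check described above, as an added PowerShell example that is not part of the Werk or of the mk_oracle plugin: it audits the ACLs of the three binaries and reports any non-Administrator principal holding Write, Modify or Full Control. The Oracle home path and the list of trusted principals are assumptions; adjust them to your installation.

```powershell
# Added example (not from the Werk): report non-Administrator principals with
# write-class permissions on the Oracle binaries that mk_oracle executes.
$OracleHome = 'C:\oracle\product\19.0.0\dbhome_1'   # assumed path, adjust
$Binaries   = @('bin\sqlplus.exe', 'bin\tnsping.exe', 'bin\crsctl.exe')

# Principals that may legitimately hold write permissions (assumed list).
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                       'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')

# Rights the Werk says must not be granted to non-Administrators.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-OracleBinaryAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # crsctl.exe is only present on Grid installations; a missing file is fine.
        return @()
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $WriteMask) -ne 0 -and
            $TrustedPrincipals -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                File      = $Path
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # inherited ACEs come from the folder
            }
        }
}

$findings = foreach ($bin in $Binaries) {
    Test-OracleBinaryAcl -Path (Join-Path $OracleHome $bin)
}
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No non-Administrator write permissions found on the audited binaries.'
}
```

Inherited entries flagged by the script usually mean the Oracle home folder itself grants write access, so the fix belongs on the folder ACL rather than on the individual files.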
Title: kube_persistent_volume_claim: resolve KeyError crash when Volume parameters are configured
Class: fix
Compatible: compat
Component: checks
Date: 1712140230
Edition: cre
Level: 1
Version: 2.2.0p25
Before this update, configuring 'Volume parameters' in the PVC check plugin led to a crash. This
issue arose because the plugin was not designed to process trend size-related levels, which,
however, were anticipated by the general filesystem function handler shared among filesystem-related
check plugins. To resolve this, the general function has been modified to bypass trend computation
when a trend rule is not set, a scenario always applicable to the PVC check plugin.
[//]: # (werk v2)
# Fixed association of contacts with hosts/services/contactgroups
key | value
---------- | ---
date | 2024-04-05T13:48:37+00:00
version | 2.4.0b1
class | fix
edition | cre
component | livestatus
level | 3
compatible | yes
Checkmk 2.3 beta introduced a regression regarding contacts when
the Nagios core was used: the association of contacts with hosts,
services and contact groups was incorrect. Symptoms of this bug
were, for example, missing hosts or services in the GUI.
[//]: # (werk v2)
# kube_persistent_volume_claim: resolve KeyError crash when Volume parameters are configured
key | value
---------- | ---
date | 2024-04-03T10:30:30+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
Before this update, configuring 'Volume parameters' in the PVC check plugin led to a crash. This
issue arose because the plugin was not designed to process trend size-related levels, which,
however, were anticipated by the general filesystem function handler shared among filesystem-related
check plugins. To resolve this, the general function has been modified to bypass trend computation
when a trend rule is not set, a scenario always applicable to the PVC check plugin.
[//]: # (werk v2)
# Fix XSS in graph rendering
key | value
---------- | ---
date | 2024-04-04T14:24:50+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Prior to this Werk, a service name containing HTML tags led to cross-site scripting in the graph rendering.
We found this vulnerability internally.
**Affected Versions**:
Only 2.3.0 is affected, older versions are NOT affected.
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 4.6 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`.
We assigned CVE-2024-2380 to this vulnerability.
**Changes**:
This Werk changes the encoding engine to use our customized JSON encoder.
Title: Enforcing password change redirect with 2FA enabled
Class: fix
Compatible: compat
Component: wato
Date: 1712242054
Edition: cre
Level: 1
Version: 2.2.0p25
Before this werk, the site failed to redirect users to the
"Change Password" page following a successful login when
two-factor authentication (2FA) was enabled. This werk resolves
the issue by ensuring that, after completing 2FA, users are now
redirected correctly.
Title: notifications: Fix plugin permissions not loaded automatically
Class: fix
Compatible: compat
Component: notifications
Date: 1711549357
Edition: cre
Level: 1
Version: 2.2.0p25
Previously, it was possible for users with the "Notification configuration"
permission to edit notification rules even if they did not have permission
for the plugin used in the rule. When such a user edited
such a rule, they were able to overwrite the notification plugin with
any plugin they were allowed to use.
This werk stops users from editing rules that use notification plugins
they don't have access to.