Title: Hide credentials in ps output for mk_oracle
Class: security
Compatible: compat
Component: checks
Date: 1708454375
Edition: cre
Level: 1
Version: 2.2.0p24
In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument.
This connection string could contain credentials necessary to authenticate against the database.
These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>).
This vulnerability was reported to us, we are not aware of any exploitations.
<b>Affected Versions:</b>
2.2.0
2.1.0
2.0.0 (probably older versions as well)
<b>Vulnerability Management:</b>
We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>.
We assigned CVE-2024-1742 to this vulnerability.
<b>Changes:</b>
With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.
Title: mk_oracle(ps1): Prevent privilege esclation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.1.0p41
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
Werk 15320 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical
Class: fix
Compatible: compat
Component: checks
Date: 1706189999
Edition: cre
Level: 1
Version: 2.2.0p25
Stopped resources are marked <code>CRIT</code>.
If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>.
------------------------------------<diff>-------------------------------------------
Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical
Class: fix
Compatible: compat
Component: checks
Date: 1706189999
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
Stopped resources are marked <code>CRIT</code>.
If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>.
Werk 16362 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Update Python version for Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1709283564
Edition: cee
Level: 1
Version: 2.2.0p25
When agent plugins are configured for a windows agent the baked package for windows contains a Python version.
This version is updated from 3.11.7 to 3.11.8.
This contains an update from openssl 3.0.11 to 3.0.13 and a fix for:
* CVE-2024-0727
* CVE-2023-6237
* CVE-2023-6129
* CVE-2023-5678
* CVE-2023-5363
To our knowledge none of these vulnerabilities were exploitable in this setup.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.
------------------------------------<diff>-------------------------------------------
Title: Update Python version for Windows agent
Class: security
Compatible: compat
Component: checks
Date: 1709283564
Edition: cee
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
When agent plugins are configured for a windows agent the baked package for windows contains a Python version.
This version is updated from 3.11.7 to 3.11.8.
This contains an update from openssl 3.0.11 to 3.0.13 and a fix for:
* CVE-2024-0727
* CVE-2023-6237
* CVE-2023-6129
* CVE-2023-5678
* CVE-2023-5363
To our knowledge none of these vulnerabilities were exploitable in this setup.
We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.
Werk 16242 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Kill forked processes by mk_oracle under AIX
Class: fix
Compatible: compat
Component: checks
Date: 1709728993
Edition: cre
Level: 1
Version: 2.2.0p25
The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>.
In order to reliable clean up stale processes, we kill now the whole process chain under AIX
which corresponds to the stored <code>PID</code>.
We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS.
------------------------------------<diff>-------------------------------------------
Title: Kill forked processes by mk_oracle under AIX
Class: fix
Compatible: compat
Component: checks
Date: 1709728993
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>.
In order to reliable clean up stale processes, we kill now the whole process chain under AIX
which corresponds to the stored <code>PID</code>.
We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS.
Werk 16210 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: folder_config: Prevent unintentional deletion of a non-empty folder
Class: fix
Compatible: incomp
Component: rest-api
Date: 1704965695
Edition: cre
Level: 1
Version: 2.2.0p25
Prior to this Werk, the REST API could delete non-empty folders without any further check. With this Werk, the endpoint now accepts the <strong>delete_method</strong> query parameter. The possible values are:
- <strong>recursive</strong>: Deletes the folder and all the elements it contains.
- <strong>abort_on_nonempty</strong>: Deletes the folder only if it is not empty
If no delete_method is provided, <strong>recursive</strong> is asumed and the behaviour is the same as before this Werk.
The enpoint will return a 409 status code when trying to delete a folder that contains hosts, rules, subfolders or is referenced by another object.
Use example:
<code>curl -X 'DELETE' 'http://example.com/my_site/check_mk/api/1.0/objects/folder_config/my_folder…' -H 'accept: <em>/</em></code>
------------------------------------<diff>-------------------------------------------
Title: folder_config: Prevent unintentional deletion of a non-empty folder
Class: fix
Compatible: incomp
Component: rest-api
Date: 1704965695
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
Prior to this Werk, the REST API could delete non-empty folders without any further check. With this Werk, the endpoint now accepts the <strong>delete_method</strong> query parameter. The possible values are:
- <strong>recursive</strong>: Deletes the folder and all the elements it contains.
- <strong>abort_on_nonempty</strong>: Deletes the folder only if it is not empty
If no delete_method is provided, <strong>recursive</strong> is asumed and the behaviour is the same as before this Werk.
The enpoint will return a 409 status code when trying to delete a folder that contains hosts, rules, subfolders or is referenced by another object.
Use example:
<code>curl -X 'DELETE' 'http://example.com/my_site/check_mk/api/1.0/objects/folder_config/my_folder…' -H 'accept: <em>/</em></code>
Werk 16340 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: docker_node_images: KeyError: 'VirtualSize'
Class: fix
Compatible: compat
Component: checks
Date: 1709742514
Edition: cre
Level: 1
Version: 2.2.0p25
In newer versions of the Docker API the information about the 'VirtualSize' of a node image is not available, because it has been deprecated.
From now on the plugin will use 'VirtualSize' if available, and 'Size' if not.
------------------------------------<diff>-------------------------------------------
Title: docker_node_images: KeyError: 'VirtualSize'
Class: fix
Compatible: compat
Component: checks
Date: 1709742514
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
In newer versions of the Docker API the information about the 'VirtualSize' of a node image is not available, because it has been deprecated.
From now on the plugin will use 'VirtualSize' if available, and 'Size' if not.
Werk 16197 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: quantum_libsmall_*: Improve SNMP detection
Class: fix
Compatible: compat
Component: checks
Date: 1709035896
Edition: cre
Level: 1
Version: 2.2.0p25
Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product".
------------------------------------<diff>-------------------------------------------
Title: quantum_libsmall_*: Improve SNMP detection
Class: fix
Compatible: compat
Component: checks
Date: 1709035896
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product".
Werk 16179 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: size_trend: Treat negative free space as 0 in all cases
Class: fix
Compatible: compat
Component: checks
Date: 1710929049
Edition: cre
Level: 1
Version: 2.2.0p25
Before the version 2.2.0p21, 'Time left until full' was reported to be 0 in case of
devices reporting negative free space.
With werk 16330, we stopped reporting the metric in case of very small size changes
because it lead to infinite values. With this change the behavior was unintentionally
also changed for negative free space values.
This werk restores the same functionality in case of negative free space.
------------------------------------<diff>-------------------------------------------
Title: size_trend: Treat negative free space as 0 in all cases
Class: fix
Compatible: compat
Component: checks
Date: 1710929049
Edition: cre
Level: 1
- Version: 2.2.0p24
? ^
+ Version: 2.2.0p25
? ^
Before the version 2.2.0p21, 'Time left until full' was reported to be 0 in case of
devices reporting negative free space.
With werk 16330, we stopped reporting the metric in case of very small size changes
because it lead to infinite values. With this change the behavior was unintentionally
also changed for negative free space values.
This werk restores the same functionality in case of negative free space.