Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15912 discussions

[2.2.0] Checkmk Werk 16234 created: Hide credentials in ps output for mk_oracle

by Checkmk werks level 1

Title: Hide credentials in ps output for mk_oracle Class: security Compatible: compat Component: checks Date: 1708454375 Edition: cre Level: 1 Version: 2.2.0p24 In the mk_oracle plugin <tt>sqlplus</tt> used to be called with the connection string as an argument. This connection string could contain credentials necessary to authenticate against the database. These arguments could be extracted by other users (e.g. with use of <tt>ps</tt>). This vulnerability was reported to us, we are not aware of any exploitations. <b>Affected Versions:</b> 2.2.0 2.1.0 2.0.0 (probably older versions as well) <b>Vulnerability Management:</b> We have rated the issue with a CVSS Score of 3.8 (Low) with the following CVSS vector: <tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</tt>. We assigned CVE-2024-1742 to this vulnerability. <b>Changes:</b> With this Werk the connection string is now piped via stdin to <tt>sqlplus</tt>.

6 months, 1 week

[2.1.0] Checkmk Werk 16232 created: mk_oracle(ps1): Prevent privilege esclation to root

by Checkmk werks level 1

Title: mk_oracle(ps1): Prevent privilege esclation to root Class: security Compatible: compat Component: checks Date: 1705479643 Edition: cre Level: 3 Version: 2.1.0p41 The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user. A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user. All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl. <h3>Affected Versions</h3> LI: 2.3.0 (beta) LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (EOL) and older <h3>Mitigations</h3> If updating is not possible, disable the mk_oracle plugin. <h3>Vulnerability Management</h3> We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code> We have assigned <code>CVE-2024-0638</code>. <h3>Changes</h3> All called binaries are now executed in a safe way.

6 months, 1 week

[2.2.0] Checkmk Werk 15320 adapted: heartbeat_crm_resources: unmanaged stopped resources could not go critical

by Checkmk werks level 1

Werk 15320 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical Class: fix Compatible: compat Component: checks Date: 1706189999 Edition: cre Level: 1 Version: 2.2.0p25 Stopped resources are marked <code>CRIT</code>. If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>. ------------------------------------<diff>------------------------------------------- Title: heartbeat_crm_resources: unmanaged stopped resources could not go critical Class: fix Compatible: compat Component: checks Date: 1706189999 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ Stopped resources are marked <code>CRIT</code>. If a resources was stopped and unmanaged, it was not marked as <code>CRIT</code>.

6 months, 1 week

[2.2.0] Checkmk Werk 16362 adapted: Update Python version for Windows agent

by Checkmk werks level 1

Werk 16362 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 Version: 2.2.0p25 When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners. ------------------------------------<diff>------------------------------------------- Title: Update Python version for Windows agent Class: security Compatible: compat Component: checks Date: 1709283564 Edition: cee Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ When agent plugins are configured for a windows agent the baked package for windows contains a Python version. This version is updated from 3.11.7 to 3.11.8. This contains an update from openssl 3.0.11 to 3.0.13 and a fix for: * CVE-2024-0727 * CVE-2023-6237 * CVE-2023-6129 * CVE-2023-5678 * CVE-2023-5363 To our knowledge none of these vulnerabilities were exploitable in this setup. We rate this with a CVSS of 0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N). This CVSS is primarily meant to please automatic scanners.

6 months, 1 week

[2.2.0] Checkmk Werk 16460 adapted: Cisco Meraki: Fix getting cached organisation IDs

by Checkmk werks level 1

Werk 16460 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Cisco Meraki: Fix getting cached organisation IDs Class: fix Compatible: compat Component: checks Date: 1710420761 Edition: cre Level: 1 Version: 2.2.0p25 ------------------------------------<diff>------------------------------------------- Title: Cisco Meraki: Fix getting cached organisation IDs Class: fix Compatible: compat Component: checks Date: 1710420761 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^

6 months, 1 week

[2.2.0] Checkmk Werk 16242 adapted: Kill forked processes by mk_oracle under AIX

by Checkmk werks level 1

Werk 16242 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: Kill forked processes by mk_oracle under AIX Class: fix Compatible: compat Component: checks Date: 1709728993 Edition: cre Level: 1 Version: 2.2.0p25 The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>. In order to reliable clean up stale processes, we kill now the whole process chain under AIX which corresponds to the stored <code>PID</code>. We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS. ------------------------------------<diff>------------------------------------------- Title: Kill forked processes by mk_oracle under AIX Class: fix Compatible: compat Component: checks Date: 1709728993 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ The agent plugin <code>mk_oracle</code> creates forked processes, e.g. from <code>sqlplus</code>. In order to reliable clean up stale processes, we kill now the whole process chain under AIX which corresponds to the stored <code>PID</code>. We introduce this only for <code>AIX</code> now as we have customers which are affected under that OS.

6 months, 1 week

[2.2.0] Checkmk Werk 16210 adapted: folder_config: Prevent unintentional deletion of a non-empty folder

by Checkmk werks level 1

Werk 16210 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: folder_config: Prevent unintentional deletion of a non-empty folder Class: fix Compatible: incomp Component: rest-api Date: 1704965695 Edition: cre Level: 1 Version: 2.2.0p25 Prior to this Werk, the REST API could delete non-empty folders without any further check. With this Werk, the endpoint now accepts the <strong>delete_method</strong> query parameter. The possible values are: - <strong>recursive</strong>: Deletes the folder and all the elements it contains. - <strong>abort_on_nonempty</strong>: Deletes the folder only if it is not empty If no delete_method is provided, <strong>recursive</strong> is asumed and the behaviour is the same as before this Werk. The enpoint will return a 409 status code when trying to delete a folder that contains hosts, rules, subfolders or is referenced by another object. Use example: <code>curl -X 'DELETE' 'http://example.com/my_site/check_mk/api/1.0/objects/folder_config/my_folder…' -H 'accept: <em>/</em></code> ------------------------------------<diff>------------------------------------------- Title: folder_config: Prevent unintentional deletion of a non-empty folder Class: fix Compatible: incomp Component: rest-api Date: 1704965695 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ Prior to this Werk, the REST API could delete non-empty folders without any further check. With this Werk, the endpoint now accepts the <strong>delete_method</strong> query parameter. The possible values are: - <strong>recursive</strong>: Deletes the folder and all the elements it contains. - <strong>abort_on_nonempty</strong>: Deletes the folder only if it is not empty If no delete_method is provided, <strong>recursive</strong> is asumed and the behaviour is the same as before this Werk. The enpoint will return a 409 status code when trying to delete a folder that contains hosts, rules, subfolders or is referenced by another object. Use example: <code>curl -X 'DELETE' 'http://example.com/my_site/check_mk/api/1.0/objects/folder_config/my_folder…' -H 'accept: <em>/</em></code>

6 months, 1 week

[2.2.0] Checkmk Werk 16340 adapted: docker_node_images: KeyError: 'VirtualSize'

by Checkmk werks level 1

Werk 16340 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: docker_node_images: KeyError: 'VirtualSize' Class: fix Compatible: compat Component: checks Date: 1709742514 Edition: cre Level: 1 Version: 2.2.0p25 In newer versions of the Docker API the information about the 'VirtualSize' of a node image is not available, because it has been deprecated. From now on the plugin will use 'VirtualSize' if available, and 'Size' if not. ------------------------------------<diff>------------------------------------------- Title: docker_node_images: KeyError: 'VirtualSize' Class: fix Compatible: compat Component: checks Date: 1709742514 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ In newer versions of the Docker API the information about the 'VirtualSize' of a node image is not available, because it has been deprecated. From now on the plugin will use 'VirtualSize' if available, and 'Size' if not.

6 months, 1 week

[2.2.0] Checkmk Werk 16197 adapted: quantum_libsmall_*: Improve SNMP detection

by Checkmk werks level 1

Werk 16197 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: quantum_libsmall_*: Improve SNMP detection Class: fix Compatible: compat Component: checks Date: 1709035896 Edition: cre Level: 1 Version: 2.2.0p25 Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product". ------------------------------------<diff>------------------------------------------- Title: quantum_libsmall_*: Improve SNMP detection Class: fix Compatible: compat Component: checks Date: 1709035896 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ Currently the SNMP detection for <code>quantum_libsmall_status</code> and <code>quantum_libsmall_door</code> checks if "linux" and "library" are contained in the sysDescr and sysLocation OIDs. To make the detection more reliable, the sysObjectID is checked against the linux object identifier and the libraryProductName .1.3.6.1.4.1.3697.1.10.10.1.10.0 against "Quantum Small Library Product".

6 months, 1 week

[2.2.0] Checkmk Werk 16179 adapted: size_trend: Treat negative free space as 0 in all cases

by Checkmk werks level 1

Werk 16179 was adapted. The following is the new Werk, a diff is shown at the end of the message. Title: size_trend: Treat negative free space as 0 in all cases Class: fix Compatible: compat Component: checks Date: 1710929049 Edition: cre Level: 1 Version: 2.2.0p25 Before the version 2.2.0p21, 'Time left until full' was reported to be 0 in case of devices reporting negative free space. With werk 16330, we stopped reporting the metric in case of very small size changes because it lead to infinite values. With this change the behavior was unintentionally also changed for negative free space values. This werk restores the same functionality in case of negative free space. ------------------------------------<diff>------------------------------------------- Title: size_trend: Treat negative free space as 0 in all cases Class: fix Compatible: compat Component: checks Date: 1710929049 Edition: cre Level: 1 - Version: 2.2.0p24 ? ^ + Version: 2.2.0p25 ? ^ Before the version 2.2.0p21, 'Time left until full' was reported to be 0 in case of devices reporting negative free space. With werk 16330, we stopped reporting the metric in case of very small size changes because it lead to infinite values. With this change the behavior was unintentionally also changed for negative free space values. This werk restores the same functionality in case of negative free space.

6 months, 1 week

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1