Title: Licensing: Improve process of applying a license for non-running CMC
Class: fix
Compatible: compat
Component: wato
Date: 1704978855
Edition: cce
Level: 1
Version: 2.2.0p19
In werk #16194 an issue was fixed where the UI was not reachable to apply a license when the CMC is not running.
However, if the core was not running due to a license issue, a new core configuration would have to be generated in order to restart the core.
This has been improved so that the core can now be started without further interaction.
[//]: # (werk v2)
# Licensing: Improve process of applying a license for non-running CMC
key | value
---------- | ---
date | 2024-01-11T13:14:15+00:00
version | 2.3.0b1
class | fix
edition | cce
component | wato
level | 1
compatible | yes
In werk #16194 an issue was fixed where the UI was not reachable to apply a license when the CMC is not running.
However, if the core was not running due to a license issue, a new core configuration would have to be generated in order to restart the core.
This has been improved so that the core can now be started without further interaction.
[//]: # (werk v2)
# New livestatus column performance_data
key | value
---------- | ---
date | 2024-01-12T06:35:01+00:00
version | 2.3.0b1
class | feature
edition | cre
component | livestatus
level | 1
compatible | yes
The hosts and services tables have a new column named
`performance_data` that returns a mapping where the keys
are the names of metrics and values are the numeric values
of the performance data.
For example,
```
OMD[heute]:~$ lq << EOF
> GET services
> Columns: description performance_data
> Filter: description = CPU load
> OutputFormat: python
> EOF
[["CPU load",{"load5":0.64,"load1":0.62,"load15":1.13}]]
```
[//]: # (werk v2)
# New option to test notification rulesets
key | value
---------- | ---
date | 2024-01-11T12:12:45+00:00
version | 2.3.0b1
class | feature
edition | cre
component | notifications
level | 2
compatible | yes
Previously, you could only test your notification rulesets using the "Analyze"
option against a limited set of notifications in the backlog or with the "Fake
check result" command.
We now introduce the possibility to define a custom notification and test it
against your rulesets. The option can be found in "Setup" - "Notifications" -
"Test notifications".
In the popup, select whether you want to test on a host or a service
notification. Select the host and service (if you want to test on a service
notification) and the type of simulation. Currently supported are 'Start of
downtime" and "Status change". Optionally, you can specify a custom plugin
output.
A checkbox allows you to decide whether to test only (default) or to send a
real notification according to your notification rules.
Within the 'Advanced condition simulation' options you can set a custom
notification date and time to test period matching and the notification number.
Title: Disabled automation users could still authenticate
Class: security
Compatible: incomp
Component: wato
Date: 1702309789
Edition: cre
Level: 1
Version: 2.1.0p38
Prior to this Werk an automation user whose password was disabled also described as "disable the login to this account" was still able to authenticate.
The information that a user was disabled was not checked for automation users.
We found this vulnerability internally.
<b>Affected Versions</b>:
* 2.2.0
* 2.1.0
* 2.0.0
* 1.6.0
* 1.5.0 (probably older versions as well)
<b>Mitigations</b>:
If the need arises to block an automation user one can change the password or remove that user from the system.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31211 to this vulnerability.
<b>Changes</b>:
This Werk adds a check for the disabled information. During update you will be warned if a automation user is currently disabled.
Title: Local privilege escalation in agent plugin 'mk_tsm'
Class: security
Compatible: incomp
Component: checks
Date: 1702411459
Edition: cre
Level: 1
Version: 2.1.0p38
By crafting a malicious command that then shows up in the output of <code>ps</code> users of monitored hosts could gain root privileges.
This was achieved by exploiting the insufficient quoting when using ksh's <code>eval</code> to create the required environment.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the Tivoli Storage Manager plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6735</code>.
<h3>Changes</h3>
With this change we no longer use <code>eval</code> and fixe the quoting.
This prevents variable exports being missinterpreted as commands to execute.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.1.0p38
jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with another script and put
it in the JAVA_HOME directory. The script would be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. Too avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
Title: check_mk_agent: Set LC_ALL before running the agent
Class: fix
Compatible: compat
Component: checks
Date: 1704190188
Edition: cre
Level: 1
Version: 2.1.0p38
Previously, Checkmk agents would be run with a preset LC_ALL
environment variable if neither C.UTF-8 or C.utf-8 locales were
installed.
That led to invalid agent output and crashes in section parsing
in multiple checks for some of the locales.
Linux, AIX, Solaris, FreeBSD and OpenWrt agents were affected.
Now, LC_ALL variable is set to C for the described case.
Werk 16164 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: veeam_cdp_jobs: Handle last sync time from the future
Class: fix
Compatible: compat
Component: checks
Date: 1703838299
Edition: cre
Level: 1
Version: 2.1.0p38
Previously, the veeam_cdp_jobs would crash when receiving last
sync time from the future with a message:
C+:
raise ValueError("Cannot render negative timespan")
C-:
Now, the affected service will be in state WARN and report the following message:
C+:
"The timestamp of the file is in the future. Please investigate your host times"
C-:
------------------------------------<diff>-------------------------------------------
Title: veeam_cdp_jobs: Handle last sync time from the future
Class: fix
Compatible: compat
Component: checks
Date: 1703838299
Edition: cre
Level: 1
Version: 2.1.0p38
Previously, the veeam_cdp_jobs would crash when receiving last
sync time from the future with a message:
C+:
raise ValueError("Cannot render negative timespan")
C-:
- Now, the time since the last job run will be 0 for such cases.
+ Now, the affected service will be in state WARN and report the following message:
+ C+:
+ "The timestamp of the file is in the future. Please investigate your host times"
+ C-: