Title: HW/SW Inventory: Fix error while merging inventory and status data tables if one is empty
Class: fix
Compatible: compat
Component: inv
Date: 1702281903
Edition: cre
Level: 1
Version: 2.2.0p18
Title: Privilege escalation in Agent
Class: security
Compatible: compat
Component: checks
Date: 1701938773
Edition: cre
Level: 2
Version: 2.2.0p17
To monitor livestatus of running sites on a host, the Checkmk agent uses unixcat, which is part of Checkmk.
Since the binary is linked against libraries that are also part of Checkmk and may differ from the libraries of the operating system, calling unixcat outside the scope of a site could result in errors due to version mismatches in these libraries.
To use the correct libraries, a fix was introduced in Checkmk 2.2.0p10 that adds the libraries from the site to the call in the agent.
Since the lib folder within a site is writable by the site, a rogue site could inject malicious libraries into the unixcat call from the agent, which is executed as root, leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
<b>Affected Versions</b>:
* since 2.2.0p10
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31210 to this vulnerability.
<b>Changes</b>:
This Werk changes the library path from the site to the version files, which are only root-writable.
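One way to check the condition this Werk fixes, as an added example (not Checkmk's code): audit every directory on a library search path that a root process will use, including its parent directories, for ownership and write permissions. The colon-separated, `LD_LIBRARY_PATH`-style list, the function names and the temporary directory layout are assumptions made for the illustration.

```python
import os
import tempfile

def audit_dir(path, trusted_uids=(0,), stop_at="/"):
    """List reasons why `path` is unsafe as a library directory for a root process."""
    findings = []
    current, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            findings.append(f"{current}: cannot stat ({exc.strerror})")
        else:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & 0o022:  # group-write or other-write bit set
                findings.append(f"{current}: writable by group or others")
        parent = os.path.dirname(current)
        # Ancestors matter too: whoever can rename a parent can swap the directory.
        if current == stop_at or parent == current:
            return findings
        current = parent

def audit_search_path(search_path, trusted_uids=(0,), stop_at="/"):
    """Audit every entry of a colon-separated, LD_LIBRARY_PATH-style list."""
    report = {}
    for entry in search_path.split(":"):
        if not entry:
            # ld.so treats a zero-length entry as the current working directory.
            report["<empty>"] = ["empty entry resolves to the current directory"]
        elif found := audit_dir(entry, trusted_uids, stop_at):
            report[entry] = found
    return report

def demo():
    """Constructed layout: a site-style lib dir next to a version-style lib dir.
    The current uid plays the trusted owner so the demo runs unprivileged."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        site_lib = os.path.join(root, "site", "lib")
        version_lib = os.path.join(root, "version", "lib")
        for d in (site_lib, version_lib):
            os.makedirs(d)
            os.chmod(os.path.dirname(d), 0o755)
            os.chmod(d, 0o755)
        os.chmod(site_lib, 0o775)  # stands in for "writable by the site"
        return audit_search_path(f"{site_lib}:{version_lib}:", (os.getuid(),), root), site_lib

if __name__ == "__main__":
    print(demo())
```

On a real host, call `audit_search_path` with the default `trusted_uids=(0,)` and `stop_at="/"` so that only root-owned, root-writable directories pass.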
Werk 16033 was deleted. The following Werk is no longer relevant.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p17
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
Werk 16033 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p17
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
------------------------------------<diff>-------------------------------------------
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
- Version: 2.2.0p16
? ^
+ Version: 2.2.0p17
? ^
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
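Review bot: the only changed line is `Version:`, moved from 2.2.0p16 to 2.2.0p17, and the unchanged description gives no reason for the retarget. Consider adding a sentence to the Werk text saying which release first contains the fix, so readers of the earlier 2.2.0p16 announcement can tell whether their version is covered.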
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.2.0p16
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
Title: Rework of "Add to" option in views
Class: feature
Compatible: compat
Component: multisite
Date: 1702393252
Edition: cre
Level: 1
Version: 2.3.0b1
The option to add views to e.g. dashboards can now be found within the "Export"
dropdown.
A popup will show an autocompleter dropdown where you can select the target.
Title: Improve Symmetric Agent Encryption on Linux
Class: feature
Compatible: compat
Component: checks
Date: 1702055121
Edition: cre
Level: 1
Version: 2.3.0b1
This Werk improves the agent's built-in symmetric encryption for Linux hosts.
The new encryption scheme adds authentication of the encrypted data and improves the method used to derive cryptographic key material from the shared secret configured in the rule.
To use the new encryption scheme, OpenSSL >= 1.0.0, preferably OpenSSL >= 1.1.1, must be available on the host.
For testing and debugging purposes, a bash script to decrypt the agent's output can be found in the Checkmk repository under `doc/treasures/agent_legacy_encryption/decrypt.sh`.
Older encryption schemes can still be decrypted by the Checkmk site.
**Important disclaimers:**
If the Agent Controller with TLS encryption is available, use that instead.
The built-in symmetric encryption should only be used if TLS is not available.
Moreover, there is no advantage in using both.
Disable the symmetric encryption if you can use TLS.
The security of this encryption scheme strongly depends on the security of the shared secret configured in the rule.
Use a long, random secret.
Title: Unable to create crash report
Class: fix
Compatible: compat
Component: checks
Date: 1701086091
Edition: cre
Level: 1
Version: 2.3.0b1
When custom check plugins that used tuples as dictionary keys in the section crashed,
the crash creation failed and crashed itself.
Now the crash creation no longer fails and the crash is created successfully.
Title: Improvement of "Schedule downtimes" command dialog
Class: feature
Compatible: compat
Component: multisite
Date: 1702297650
Edition: cre
Level: 1
Version: 2.3.0b1
The command dialog for setting downtimes in views was reworked to improve
usability.
The different options can now be set from the top to the bottom and only one
submit button is used to schedule a downtime.
Preset durations can be set within the section "Duration". Custom presets can be
set via the "Edit presets" link.
The start and end time can now optionally be set via a time and date picker.
Advanced options are bundled in their own section.