ID: 16041
Title: New permissions "Discard changes" and "Discard foreign changes"
Component: Setup
Level: 1
Class: New feature
Version: 2.3.0b1
We introduce two new permissions that let administrators allow/disallow users to discard changes.
LI: "Discard changes" lets a user discard their own pending changes; defaults to "yes" for the role "normal monitoring user".
LI: "Discard foreign changes" lets a user discard other users' pending changes (foreign changes); defaults to "no" for the role "normal monitoring user".
You can find the two permissions for any role under <tt>Setup > Users > Roles & permissions</tt> in the section "Setup".
ID: 15868
Title: cpu_loads, blade_bx_load, wmi_cpuload: Configurable levels for other load averaging types
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
The check plugins
LI: <i>CPU load</i> (<tt>cpu_loads</tt>)
LI: <i>Primergy BX600 Blade Enclosure: CPU Load</i> (<tt>blade_bx_load</tt>)
LI: <i>Windows CPU Load</i> (<tt>wmi_cpuload</tt>)
show, and allow the configuration of levels for, the 15-minute average of
the CPU load.
These plugins now also show the one- and five-minute averages of the load
(in the service details only) and allow the configuration of levels for them.
ID: 16015
Title: ldap: resolve error when saving LDAP connection config with global customer
Component: Setup
Level: 1
Class: Bug fix
Version: 2.2.0p8
Prior to this werk, Checkmk raised an error whenever a user attempted to create
an LDAP connection configuration with the customer option set to "Global". This werk
resolves that issue.
ID: 14612
Title: CheckMK Server discovers wrong items as service
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0p8
Due to the missing grouping delimiter `Failed Fencing Actions`, the `heartbeat_crm` check plugin would discover
invalid items as services.
This change adds the missing delimiter, so that `heartbeat_crm` discovers valid items only.
ID: 15705
Title: Warning about agent updater rule on CME remote site update
Component: Setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
When updating a remote site in a distributed site setup using the
Checkmk Managed Services Edition, the update process may issue a
warning like this:
C+:
-| WARNING: Invalid rule configuration detected (Ruleset: agent_config:cmk_update_agent, Title: Agent updater (Linux, Windows, Solaris), Folder: ,
-| Rule nr: 1, Exception: -----BEGIN CERTIFICATE-----
-| MII...
-| ...HqQ==
-| -----END CERTIFICATE-----
-| is not an allowed value)
-| Detected 1 issue(s) in configured rules.
-| To correct these issues, we recommend to open the affected rules in the GUI.
-| Upon attempting to save them, any problematic fields will be highlighted.
C-:
The root cause of this warning is that the agent signing certificates are not
available on the CME remote site, so the ruleset referring to them cannot be
validated.
As a workaround you can safely ignore this warning, since the <i>cmk_update_agent</i>
rule is never used on a remote site.
From now on, however, the warning is no longer displayed.
ID: 15691
Title: Fix XSS in business intelligence
Component: Setup
Level: 1
Class: Security fix
Version: 2.3.0b1
Prior to this Werk it was possible to inject HTML or JavaScript (reflected XSS).
A legitimate user tricked into clicking a prepared link would then run arbitrary JavaScript code in a valid session.
This vulnerability is only triggerable if another <i>Business Intelligence</i> <i>BI pack</i> (next to the default one) has been created.
We found this vulnerability internally.
<b>Affected Versions</b>:
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
LI: 1.6.0 (probably older versions as well)
<b>Indicators of Compromise</b>:
To check for exploitation, inspect the site's Apache access log <tt>var/log/apache/access_log</tt> for entries like <tt>/$SITENAME/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=</tt>.
The order of the URL parameters can be changed by an attacker.
Potentially injected code would be found in the parameter <tt>bulk_moveto</tt>.
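As an added example (not part of the original Werk), the following Python script scans Apache access log lines for the request pattern named above. It resolves the parameters from the query string, so any parameter order is handled, and flags <tt>bulk_moveto</tt> values that contain HTML metacharacters or a <tt>javascript:</tt> scheme. The log lines, the site name <tt>mysite</tt> and the suspicious-character heuristic are constructed assumptions, not values from the Werk.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not from the Werk).
# "mysite" is an assumed site name standing in for $SITENAME.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:00:01 +0200] "GET /mysite/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1234
10.0.0.6 - - [01/Oct/2023:10:00:02 +0200] "GET /mysite/check_mk/wato.py?bulk_moveto=default&mode=bi_aggregations HTTP/1.1" 200 1234
10.0.0.7 - - [01/Oct/2023:10:00:03 +0200] "GET /mysite/check_mk/dashboard.py HTTP/1.1" 200 1234
10.0.0.8 - - [01/Oct/2023:10:00:04 +0200] "POST /mysite/check_mk/wato.py?mode=bi_aggregations&bulk_moveto=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1234
"""

# Extracts method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Heuristic (an assumption): a legitimate bulk_moveto value is a BI pack id,
# so HTML metacharacters or a javascript: scheme are worth a closer look.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:', re.IGNORECASE)


def find_bulk_moveto_requests(log_text):
    """Return one record per request to wato.py with mode=bi_aggregations
    and a bulk_moveto parameter, regardless of the parameter order."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/check_mk/wato.py"):
            continue
        # parse_qs percent-decodes the values and tolerates any ordering;
        # keep_blank_values so an empty bulk_moveto= is still reported.
        params = parse_qs(parts.query, keep_blank_values=True)
        if params.get("mode") != ["bi_aggregations"] or "bulk_moveto" not in params:
            continue
        for value in params["bulk_moveto"]:
            hits.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "method": match.group("method"),
                "bulk_moveto": value,
                "suspicious": bool(SUSPICIOUS_RE.search(value)),
            })
    return hits


def suspicious_hits(log_text):
    """Only the records whose decoded bulk_moveto value looks like markup."""
    return [h for h in find_bulk_moveto_requests(log_text) if h["suspicious"]]


if __name__ == "__main__":
    for hit in find_bulk_moveto_requests(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"line {hit['line']} {hit['client']} {hit['method']} "
              f"bulk_moveto={hit['bulk_moveto']!r} [{flag}]")
```

To run it against a real site, read <tt>var/log/apache/access_log</tt> into <tt>log_text</tt> instead of the constructed sample; a benign hit (a plain BI pack id such as the second sample line) is expected from normal use of the bulk move action, so only the flagged records warrant follow-up.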
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 5.4 (Medium) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N</tt>.
We assigned CVE-2023-23548 to this vulnerability.
<b>Changes</b>:
This Werk introduces escaping for the vulnerable parameter.
ID: 15931
Title: Enable scrolling for sidebar element dashlets
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.3.0b1
Scrolling was not possible in sidebar element dashlets, e.g. the quicksearch
snapin.
ID: 16029
Title: Renamed MobileIron to Ivanti Neurons for MDM
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
MobileIron exists both as an on-premises and as a cloud version.
The included integration only applied to MobileIron Cloud,
which was not apparent from the name of the checks etc.
In the meantime, MobileIron was acquired and MobileIron Cloud was
renamed to Ivanti Neurons for MDM. This is now properly
reflected in Checkmk.
ID: 16031
Title: ntop: interface and vlan dropdown
Component: ntopng_integration
Level: 1
Class: Bug fix
Version: 2.3.0b1
When selecting a new interface or VLAN ID via the dropdown,
the data was not updated automatically and the page had to
be refreshed manually.
Now the data is updated after selecting the interface or VLAN.