ID: 15279
Title: Expose version and edition via HTTP-headers
Component: REST API
Level: 1
Class: New feature
Version: 2.3.0b1
The HTTP headers "x-checkmk-edition" and "x-checkmk-version" expose the
Checkmk version and edition on all authenticated REST API HTTP responses.
ID: 14586
Title: gcp_status: Monitor GCP Status
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.3.0b1
With this werk, it is possible to monitor the GCP Health Dashboard,
available at https://status.cloud.google.com/. Since this
site is publicly available, no authentication is required for this
monitoring.
This feature consists of a special agent, agent_gcp_status, and a new
check, gcp_status. The special agent can be configured via the rule
Google Cloud Platform (GCP) Status.
ID: 15068
Title: Fix improper certificate validation in agent updater
Component: agents
Level: 1
Class: Security fix
Version: 2.3.0b1
The compiled version of the agent updater uses its own collection of trusted Certificate Authorities.
This collection comes from the Python package certifi and is based on the collection used by Mozilla Firefox.
The bundled Python package, and therefore the collection, was outdated and subject to CVE-2022-23491.
This collection included a CA certificate of TrustCor, which is no longer considered trustworthy.
(See: https://security.googleblog.com/2023/01/sustaining-digital-certificate-secu…)
If an attacker was able to create certificates for arbitrary domains signed by this CA, machine-in-the-middle attacks could be possible.
To mitigate this vulnerability, please update and roll out the agent updater (a typical agent update is sufficient).
If an update is currently not possible, the "Certificates for HTTPS verification" option can be set for the agent updater.
If this option is set, a custom list of trusted certificates is used to verify the HTTPS connection instead of the CA collection.
All versions up to 1.6 are vulnerable.
This vulnerability was found internally.
We calculated a CVSS 3.1 score of 6.2 (medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:R
Please note that we rate this rather low, since this is more of a hypothetical attack and no wrongdoing by the CA was ever proven.
ID: 15067
Title: Show if user is locked
Component: Setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
With this Werk, a user whose account is locked is informed that the account is locked.
Previously it was only shown that the login was invalid, which led users to further login attempts.
ID: 13628
Title: Dashboards: New cloud dashboards for storage services on AWS, Azure and GCP
Component: Multisite
Level: 1
Class: New feature
Version: 2.3.0b1
ID: 15152
Title: Fix crash in mk-job.solaris
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
mk-job.solaris started crashing in version 2.1.p1 with an error:
"exit: : numeric argument required".
ID: 15149
Title: agent_azure: Fix crash if the metric isn't found
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
The Azure agent crashed if a metric was not available for a resource.
Now the agent no longer crashes and retries fetching the available metrics.
ID: 15253
Title: Abort CMC startup if state file could not be read or parsed
Component: cmc
Level: 1
Class: Bug fix
Version: 2.3.0b1
This avoids simply continuing and creating a new state file, which loses all
comments, ad hoc downtimes, acknowledgements, etc.
Note that it is still OK when there is no state file at all, which is e.g.
the case when the CMC starts for the first time.
ID: 15384
Title: check_mk_agent: handle tabs when reading definitions from mrpe.cfg
Component: agents
Level: 1
Class: Bug fix
Version: 2.3.0b1
Prior to this werk, the Checkmk agent for Linux, Solaris and AIX was not able to handle
tabs in the service definitions in the mrpe.cfg file. This werk resolves this issue and
correctly identifies the service description, the command and, optionally, the time interval.
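As an added illustration (not the agent's own code), the following Python parser shows what tolerant handling of mrpe.cfg lines means: the service description, an optional "(interval=N)" clause and the command are separated by any run of spaces or tabs. The sample configuration is constructed for this example and the function names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample mrpe.cfg content (not from the page); it mixes spaces and tabs
# between the fields, which is exactly the case the werk above fixes.
SAMPLE_MRPE_CFG = (
    "# check the root filesystem\n"
    "\n"
    "Disk_Root\t/usr/lib/nagios/plugins/check_disk -w 20% -c 10% /\n"
    "Foo_App\t(interval=300)\t/usr/local/bin/check_foo\t--warn 60 --crit 80\n"
    "Ping  (interval=60) /usr/lib/nagios/plugins/check_ping -H 127.0.0.1\n"
)


class MrpeEntry(NamedTuple):
    description: str
    interval: Optional[int]   # seconds between runs; None means "every agent run"
    command: str              # command line exactly as written after the fields


# Optional interval clause followed by whitespace (spaces or tabs) and the command.
_INTERVAL_RE = re.compile(r"^\(interval=(\d+)\)\s+(.+)$")


def parse_mrpe_line(line: str) -> Optional[MrpeEntry]:
    """Parse one mrpe.cfg line; return None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # str.split(None, 1) splits on any whitespace run, so tabs are handled
    # the same way as spaces.
    parts = line.split(None, 1)
    if len(parts) < 2:
        raise ValueError(f"mrpe.cfg line without a command: {line!r}")
    description, rest = parts[0], parts[1].strip()
    match = _INTERVAL_RE.match(rest)
    if match:
        return MrpeEntry(description, int(match.group(1)), match.group(2).strip())
    return MrpeEntry(description, None, rest)


def parse_mrpe_cfg(text: str) -> List[MrpeEntry]:
    """Parse a whole mrpe.cfg file, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_mrpe_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in parse_mrpe_cfg(SAMPLE_MRPE_CFG):
        print(entry)
```

The command text is kept verbatim (including any tabs inside it) because it is later handed to a shell, where quoting decides how arguments are grouped; only the separators between the description, the interval clause and the command are normalised.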
ID: 15238
Title: Too restrictive permission checking in service discovery
Component: Setup
Level: 1
Class: Bug fix
Version: 2.3.0b1
On the service discovery page, some permissions were checked too restrictively.
For instance, a user who was not allowed to add "ignored" services was also
prevented from adding services to the monitoring.