Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15969 discussions

Checkmk Werk 14281: Fix local privilege escalation from site users

by Lars Michelsen

ID: 14281 Title: Fix local privilege escalation from site users Component: Site Management Level: 1 Class: Security fix Version: 2.2.0i1 Each Checkmk site provides it's HTTP services (UI, APIs) using it's own site Apache process. Global access to this site Apache is provided via the system Apache which is opening the 80 and 443 ports for external requests, depending on your system configuration. To learn about the site Apache, the system Apache reads a reverse proxy configuration provided by the site user. This could be used by a site user to make the system Apache execute code as root user, since the System Apache is typically started initially with root privileges. To close this gap, we now need to separate the system Apache configuration from the site user access. To eliminate the privilege escalation, you will have to execute the command <tt>omd update-apache-config [SITE]</tt> once for each of your sites after the <tt>omd update</tt> command. Besides the one-time fix, this change has a consequence for the use of <tt>omd config</tt> and <tt>omd update</tt>. There are two situations where this is relevant: a) If you change the options APACHE_TCP_ADDR, APACHE_TCP_PORT or APACHE_MODE You will have to call <tt>omd update-apache-config [SITE]</tt> as root user after changing one of the site configuration options APACHE_TCP_ADDR, APACHE_TCP_PORT or APACHE_MODE. This needs to be done to update and apply the system Apache configuration. If you don't do this and start your site, your UI may be not available anymore. The <tt>omd config</tt> command will output a warning to notify you about this necessary step in the future. b) If you execute <tt>omd update</tt> and the proxy configuration changes The update is performed as site user. Which means that, after this werk, we can not update and apply the system apache configuration anymore automatically. To apply the latest apache configuration, the command <tt>omd update-apache-config [SITE]</tt> needs to be executed after the update. The <tt>omd update</tt> will automatically detect the need for this additional step and show you a confirmation dialog before starting the update to notify you about this necessary step and giving you the chance to interrupt the procedure in case you don't have the option to execute the command as root user. All maintained versions (>=1.6) are subject to this vulnerability. It is likely that also previous versions were vulnerable. Users of previous versions are highly recommended to update or consider other mitigations. If you want to solve this issue for a site that is using an unpatched version, you can do it by replacing the file <tt>/omd/apache/[SITE].conf</tt> with a file like follows. Please note, that you will have to replace all occurrences <tt>[SITE]</tt> with the ID of your site and <tt>[PORT]</tt> with the port of the site apache. After you replaced the file, you will have to restart the system Apache. C+ # version: 0 # Make sure that symlink /omd does not make problems <Directory /> Options +FollowSymlinks </Directory> <IfModule mod_proxy_http.c> ProxyRequests Off ProxyPreserveHost On <Proxy http://127.0.0.1:[PORT]/[SITE]> Order allow,deny allow from all </Proxy> <Location /[SITE]> # Setting "retry=0" to prevent 60 second caching of problem states e.g. when # the site apache is down and someone tries to access the page. # "disablereuse=On" prevents the apache from keeping the connection which leads to # wrong devlivered pages sometimes ProxyPass http://127.0.0.1:[PORT]/[SITE] retry=0 disablereuse=On timeout=120 ProxyPassReverse http://127.0.0.1:[PORT]/[SITE] </Location> </IfModule> <IfModule !mod_proxy_http.c> Alias /[SITE] /omd/sites/[SITE] <Directory /omd/sites/[SITE]> Deny from all ErrorDocument 403 "<h1>Checkmk: Incomplete Apache Installation</h1>You need mod_proxy and mod_proxy_http in order to run the web interface of Checkmk." </Directory> </IfModule> <Location /[SITE]> ErrorDocument 503 "<meta http-equiv='refresh' content='60'><h1>Checkmk: Site Not Started</h1>You need to start this site in order to access the web interface." </Location> C-: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 7.0 (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/…) CVE will be added later. We thank Jan-Philipp Litza (PLUTEX GmbH) for reporting this issue!

2 years, 2 months

Checkmk Werk 14287: Fix another source for frozen Microcore during config reloads (Addition to #14285)

by Lars Michelsen

ID: 14287 Title: Fix another source for frozen Microcore during config reloads (Addition to #14285) Component: Core & setup Level: 1 Class: Bug fix Version: 2.2.0i1 In addition to the werk #14285 we released with 2.1.0p8, this werk fixes another situation which could block the reload of the Microcore. This could happen in case you have notification rules configured which use the match condition "Match only during timeperiod".

2 years, 2 months

Checkmk Werk 14379: Change how secrets are masked for logging

by Hannes Rantzsch

ID: 14379 Title: Change how secrets are masked for logging Component: Setup Level: 1 Class: New feature Version: 2.2.0i1 When changing rules that contain passwords or SSH private keys, those secrets are now masked as '*' characters instead of hashes in the audit log.

2 years, 2 months

Checkmk Werk 14528: SAP HANA backup check in cluster mode: go stale if cannot connect to DB

by Giordano Tomassorri

ID: 14528 Title: SAP HANA backup check in cluster mode: go stale if cannot connect to DB Component: Checks & agents Level: 1 Class: Bug fix Version: 2.2.0i1 Before this werk, if the connection to a database failed, the SAP HANA Backup service in a cluster host was marked as OK. This is now changed and the service goes stale.

2 years, 2 months

Checkmk Werk 14454: "NetApp Filer: Used Space of LUNs" supports magic factor

by Moritz Kiemer

ID: 14454 Title: "NetApp Filer: Used Space of LUNs" supports magic factor Component: Checks & agents Level: 1 Class: New feature Version: 2.2.0i1 The plugin "NetApp Filer: Used Space of LUNs" (<tt>netapp_api_luns</tt>) now supports the configuration of the magic factor in its ruleset <i>"NetApp LUNs"</i>.

2 years, 2 months

Checkmk Werk 14146: Rule matching for hosts

by Lukas Lengler

ID: 14146 Title: Rule matching for hosts Component: Multisite Level: 1 Class: Bug fix Version: 2.2.0i1 The search for host rules in Setup did not work as expected when matching host regex conditions. The issue did not affect the rule matching visualization nor the actual rule matching. When checking the matching rules for hosts the rules with regular expressions would not get a green background although the regex should match, which indicates the rule is not matching the current search. Now the rule matching is fixed and the rules will get a green background if they match the search.

2 years, 2 months

Checkmk Werk 14499: activate changes: performance issues when synchronising users and user settings

by Lisa Pichler

ID: 14499 Title: activate changes: performance issues when synchronising users and user settings Component: Multisite Level: 1 Class: Bug fix Version: 2.2.0i1 The activate changes process could be slow when activating changes for multiple sites in a distributed monitoring set-up. The activation would eventually run into an error similar to "Failed to start activation [502]: Proxy Error". This was due to the implementation that synchronises users and user settings across all sites. Instead of copying these files in their entirety, a hard link is now created, reducing I/O on the monitoring server.

2 years, 2 months

Checkmk Werk 14286: mail: Add timeout to graph processing of HTML mail notifications

by Lars Michelsen

ID: 14286 Title: mail: Add timeout to graph processing of HTML mail notifications Component: Notifications Level: 1 Class: Bug fix Version: 2.2.0i1 In case fetching the graphs takes more than 10 seconds, the notification plugin aborts waiting for the graphs and continues to send the notification without graphs.

2 years, 2 months

Checkmk Werk 14285: Fix frozen Microcore (Livestatus not responding) during config reloads

by Lars Michelsen

ID: 14285 Title: Fix frozen Microcore (Livestatus not responding) during config reloads Component: Core & setup Level: 2 Class: Bug fix Version: 2.2.0i1 The reload of the Microcore core and it's helper processed could freeze when the core had notifications pending during reload. This was caused by a deadlock between the Notification helper and the Microcore. The Microcore was still alive but waiting to the notification helper to terminate while the notification helper waited for the Microcore. >From the user perspective this resulted in Livestatus not being responsive while the cmc.log showed a message like: <tt>still X unsent events, sending them now</tt>.

2 years, 2 months

Checkmk Werk 14284: Notification spooler: Fix producing corrupted spool files

by Lars Michelsen

ID: 14284 Title: Notification spooler: Fix producing corrupted spool files Component: Notifications Level: 1 Class: Bug fix Version: 2.2.0i1 The Notification Spooler could create corrupted spool files which resulted in error messages like this in the <tt>var/log/mknotifyd.log</tt> log: C+: 2022-07-18 21:49:14,276 [40] [cmk.mknotifyd] Corrupted spoolfile /omd/sites/stable/var/check_mk/notify/spool/ccaae1d5-8b33-403c-bbd8-e1b8796035ca: Traceback (most recent call last): File "/omd/sites/stable/lib/python3/cmk/cee/mknotifyd/spool_handler.py", line 70, in _process_spool_directory content: Message = evaluate_file(spoolfile_path) File "/omd/sites/stable/lib/python3/cmk/cee/mknotifyd/utils.py", line 50, in evaluate_file return ast.literal_eval(f.read()) File "/omd/sites/stable/lib/python3.9/ast.py", line 62, in literal_eval node_or_string = parse(node_or_string, mode='eval') File "/omd/sites/stable/lib/python3.9/ast.py", line 50, in parse return compile(source, filename, mode, flags, File "<unknown>", line 0 SyntaxError: unexpected EOF while parsing 2022-07-18 21:49:14,728 [20] [cmk.mknotifyd] got exit code 2 2022-07-18 21:49:14,728 [40] [cmk.mknotifyd] exception handling notification result 2 for 82bcd0e5-5d28-4162-9f46-84d008e1d73d: Traceback (most recent call last): File "/omd/sites/stable/lib/python3/cmk/cee/mknotifyd/notification_queue.py", line 129, in _handle_result content = evaluate_file(path.joinpath(filename)) File "/omd/sites/stable/lib/python3/cmk/cee/mknotifyd/utils.py", line 50, in evaluate_file return ast.literal_eval(f.read()) File "/omd/sites/stable/lib/python3.9/ast.py", line 62, in literal_eval node_or_string = parse(node_or_string, mode='eval') File "/omd/sites/stable/lib/python3.9/ast.py", line 50, in parse return compile(source, filename, mode, flags, File "<unknown>", line 0 SyntaxError: unexpected EOF while parsing C-: The <tt>var/log/notify.log</tt> could also show errors in this situation, with messages like this: C+: 2022-07-18 20:40:55,960 [40] [cmk.base.notify] ERROR: Traceback (most recent call last): File "/omd/sites/stable/lib/python3/cmk/base/notify.py", line 1765, in handle_spoolfile raw_context = data["context"] KeyError: 'context' C-:

2 years, 2 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1