ID: 14281
Title: Fix local privilege escalation from site users
Component: Site Management
Level: 1
Class: Security fix
Version: 2.2.0i1
Each Checkmk site provides it's HTTP services (UI, APIs) using it's own site
Apache process. Global access to this site Apache is provided via the system
Apache which is opening the 80 and 443 ports for external requests, depending
on your system configuration.
To learn about the site Apache, the system Apache reads a reverse proxy
configuration provided by the site user. This could be used by a site user to
make the system Apache execute code as root user, since the System Apache is
typically started initially with root privileges.
To close this gap, we now need to separate the system Apache configuration from
the site user access.
To eliminate the privilege escalation, you will have to execute the command
<tt>omd update-apache-config [SITE]</tt> once for each of your sites after
the <tt>omd update</tt> command.
Besides the one-time fix, this change has a consequence for the use of <tt>omd
config</tt> and <tt>omd update</tt>. There are two situations where this is
relevant:
a) If you change the options APACHE_TCP_ADDR, APACHE_TCP_PORT or APACHE_MODE
You will have to call <tt>omd update-apache-config [SITE]</tt> as root user after
changing one of the site configuration options APACHE_TCP_ADDR, APACHE_TCP_PORT
or APACHE_MODE. This needs to be done to update and apply the system Apache
configuration. If you don't do this and start your site, your UI may be not
available anymore.
The <tt>omd config</tt> command will output a warning to notify you about this
necessary step in the future.
b) If you execute <tt>omd update</tt> and the proxy configuration changes
The update is performed as site user. Which means that, after this werk, we can
not update and apply the system apache configuration anymore automatically.
To apply the latest apache configuration, the command <tt>omd
update-apache-config [SITE]</tt> needs to be executed after the update.
The <tt>omd update</tt> will automatically detect the need for this additional
step and show you a confirmation dialog before starting the update to notify
you about this necessary step and giving you the chance to interrupt the
procedure in case you don't have the option to execute the command as root
user.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely
that also previous versions were vulnerable. Users of previous versions are
highly recommended to update or consider other mitigations.
If you want to solve this issue for a site that is using an unpatched version,
you can do it by replacing the file <tt>/omd/apache/[SITE].conf</tt> with a
file like follows. Please note, that you will have to replace all occurrences
<tt>[SITE]</tt> with the ID of your site and <tt>[PORT]</tt> with the port of
the site apache. After you replaced the file, you will have to restart the
system Apache.
C+
# version: 0
# Make sure that symlink /omd does not make problems
<Directory />
Options +FollowSymlinks
</Directory>
<IfModule mod_proxy_http.c>
ProxyRequests Off
ProxyPreserveHost On
<Proxy http://127.0.0.1:[PORT]/[SITE]>
Order allow,deny
allow from all
</Proxy>
<Location /[SITE]>
# Setting "retry=0" to prevent 60 second caching of problem states e.g. when
# the site apache is down and someone tries to access the page.
# "disablereuse=On" prevents the apache from keeping the connection which leads to
# wrong devlivered pages sometimes
ProxyPass http://127.0.0.1:[PORT]/[SITE] retry=0 disablereuse=On timeout=120
ProxyPassReverse http://127.0.0.1:[PORT]/[SITE]
</Location>
</IfModule>
<IfModule !mod_proxy_http.c>
Alias /[SITE] /omd/sites/[SITE]
<Directory /omd/sites/[SITE]>
Deny from all
ErrorDocument 403 "<h1>Checkmk: Incomplete Apache Installation</h1>You need mod_proxy and
mod_proxy_http in order to run the web interface of Checkmk."
</Directory>
</IfModule>
<Location /[SITE]>
ErrorDocument 503 "<meta http-equiv='refresh' content='60'><h1>Checkmk: Site Not Started</h1>You need to start this site in order to access the web interface.<!-- IE shows its own short useless error message otherwise: placeholder -->"
</Location>
C-:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 7.0
(https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/…)
CVE will be added later.
We thank Jan-Philipp Litza (PLUTEX GmbH) for reporting this issue!
ID: 14287
Title: Fix another source for frozen Microcore during config reloads (Addition to #14285)
Component: Core & setup
Level: 1
Class: Bug fix
Version: 2.2.0i1
In addition to the werk #14285 we released with 2.1.0p8, this werk fixes
another situation which could block the reload of the Microcore.
This could happen in case you have notification rules configured which use the
match condition "Match only during timeperiod".
ID: 14379
Title: Change how secrets are masked for logging
Component: Setup
Level: 1
Class: New feature
Version: 2.2.0i1
When changing rules that contain passwords or SSH private keys, those secrets are now masked as '*' characters instead of hashes in the audit log.
ID: 14528
Title: SAP HANA backup check in cluster mode: go stale if cannot connect to DB
Component: Checks & agents
Level: 1
Class: Bug fix
Version: 2.2.0i1
Before this werk, if the connection to a database failed, the SAP HANA
Backup service in a cluster host was marked as OK.
This is now changed and the service goes stale.
ID: 14454
Title: "NetApp Filer: Used Space of LUNs" supports magic factor
Component: Checks & agents
Level: 1
Class: New feature
Version: 2.2.0i1
The plugin "NetApp Filer: Used Space of LUNs" (<tt>netapp_api_luns</tt>) now supports the configuration of the magic factor in its ruleset <i>"NetApp LUNs"</i>.
ID: 14146
Title: Rule matching for hosts
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
The search for host rules in Setup did not work as expected when matching host regex conditions.
The issue did not affect the rule matching visualization nor the actual rule matching.
When checking the matching rules for hosts the rules with regular expressions
would not get a green background although the regex should match, which indicates
the rule is not matching the current search.
Now the rule matching is fixed and the rules will get a green background if they match the search.
ID: 14499
Title: activate changes: performance issues when synchronising users and user settings
Component: Multisite
Level: 1
Class: Bug fix
Version: 2.2.0i1
The activate changes process could be slow when activating changes for multiple
sites in a distributed monitoring set-up. The activation would eventually run
into an error similar to "Failed to start activation [502]: Proxy Error". This
was due to the implementation that synchronises users and user settings across
all sites. Instead of copying these files in their entirety, a hard link is now
created, reducing I/O on the monitoring server.
ID: 14286
Title: mail: Add timeout to graph processing of HTML mail notifications
Component: Notifications
Level: 1
Class: Bug fix
Version: 2.2.0i1
In case fetching the graphs takes more than 10 seconds, the notification plugin
aborts waiting for the graphs and continues to send the notification without
graphs.
ID: 14285
Title: Fix frozen Microcore (Livestatus not responding) during config reloads
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
The reload of the Microcore core and it's helper processed could freeze when
the core had notifications pending during reload. This was caused by a deadlock
between the Notification helper and the Microcore. The Microcore was still
alive but waiting to the notification helper to terminate while the
notification helper waited for the Microcore.
>From the user perspective this resulted in Livestatus not being responsive
while the cmc.log showed a message like: <tt>still X unsent events, sending
them now</tt>.