Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15873 discussions

[2.3.0] Checkmk Werk 16562 adapted: Fix automatic host registration and removal in case one remote site is not logged in

by Checkmk werks level 1

Werk 16562 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix automatic host registration and removal in case one remote site is not logged in key | value ---------- | --- date | 2024-07-08T06:09:01+00:00 version | 2.3.0p11 class | fix edition | cre component | wato level | 1 compatible | yes The automatic host registration and removal jobs are executed regularly in the background to add or remove hosts. These are fundamental mechanisms to the automatic host registration. The jobs failed completely in case one remote site was configured but not logged in, not only affecting the not logged in site, but all sites. The not logged in site is now being skipped, leaving the mechanism intact for all other sites. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix automatic host registration and removal in case one remote site is not logged in key | value ---------- | --- date | 2024-07-08T06:09:01+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | wato level | 1 compatible | yes The automatic host registration and removal jobs are executed regularly in the background to add or remove hosts. These are fundamental mechanisms to the automatic host registration. The jobs failed completely in case one remote site was configured but not logged in, not only affecting the not logged in site, but all sites. The not logged in site is now being skipped, leaving the mechanism intact for all other sites.

2 months, 1 week

[2.3.0] Checkmk Werk 17010 adapted: XSS in SQL check parameters

by Checkmk werks level 1

Werk 17010 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # XSS in SQL check parameters key | value ---------- | --- date | 2024-06-17T10:08:19+00:00 version | 2.3.0p11 class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk an attacher could add HTML to one parameter of the *Check SQL database* rule which was executed on the overview page. We found this vulnerability internally. **Affected Versions**: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well) **Indicators of Compromis**: The creation of such rules is logged in the audit log. You can therefore check the `wato_audit.log` either on the terminal or in the UI for entries that contain malicious HTML. **Vulnerability Management**: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L` We assigned CVE-2024-6052 to this vulnerability. **Changes**: This Werk fixes the escaping. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # XSS in SQL check parameters key | value ---------- | --- date | 2024-06-17T10:08:19+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | security edition | cre component | wato level | 1 compatible | yes Prior to this Werk an attacher could add HTML to one parameter of the *Check SQL database* rule which was executed on the overview page. We found this vulnerability internally. **Affected Versions**: LI: 2.3.0 LI: 2.2.0 LI: 2.1.0 LI: 2.0.0 (probably older versions as well) **Indicators of Compromis**: The creation of such rules is logged in the audit log. You can therefore check the `wato_audit.log` either on the terminal or in the UI for entries that contain malicious HTML. **Vulnerability Management**: We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L` We assigned CVE-2024-6052 to this vulnerability. **Changes**: This Werk fixes the escaping.

2 months, 1 week

[2.3.0] Checkmk Werk 16753 adapted: HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster

by Checkmk werks level 1

Werk 16753 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster key | value ---------- | --- date | 2024-07-01T14:32:58+00:00 version | 2.3.0p11 class | fix edition | cre component | multisite level | 1 compatible | yes ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # HW/SW Inventory: Fix missing joined service columns if a service is assigned to a cluster key | value ---------- | --- date | 2024-07-01T14:32:58+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | multisite level | 1 compatible | yes

2 months, 1 week

[2.3.0] Checkmk Werk 16863 adapted: proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer

by Checkmk werks level 1

Werk 16863 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer key | value ---------- | --- compatible | yes version | 2.3.0p11 date | 2024-06-28T14:34:01+00:00 level | 1 class | fix component | checks edition | cre The backup log format changed in Proxmox version 3.2.4 which resulted in a crash in the Proxmox special agent. The special agent can now handle both old and the new format of backup log messages. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # proxmox: Fix log parsing crash for Proxmox versions 3.2.4 and newer key | value ---------- | --- compatible | yes - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ date | 2024-06-28T14:34:01+00:00 level | 1 class | fix component | checks edition | cre The backup log format changed in Proxmox version 3.2.4 which resulted in a crash in the Proxmox special agent. The special agent can now handle both old and the new format of backup log messages.

2 months, 1 week

[2.3.0] Checkmk Werk 17031 adapted: TrippLite UPS: discover devices with .1.3.6.1.4.1.850.1 as sysObjectID

by Checkmk werks level 1

Werk 17031 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # TrippLite UPS: discover devices with .1.3.6.1.4.1.850.1 as sysObjectID key | value ---------- | --- date | 2024-06-26T16:13:34+00:00 version | 2.3.0p11 class | feature edition | cre component | checks level | 1 compatible | yes TrippLite UPSs use OID .1.3.6.1.4.1.850.1 as sysObjectID. These devices are currently not discovered and monitored. This has now been changed and they will be discovered. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # TrippLite UPS: discover devices with .1.3.6.1.4.1.850.1 as sysObjectID key | value ---------- | --- date | 2024-06-26T16:13:34+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | feature edition | cre component | checks level | 1 compatible | yes TrippLite UPSs use OID .1.3.6.1.4.1.850.1 as sysObjectID. These devices are currently not discovered and monitored. This has now been changed and they will be discovered.

2 months, 1 week

[2.3.0] Checkmk Werk 17063 adapted: Delete PDF tmp files older one day

by Checkmk werks level 1

Werk 17063 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Delete PDF tmp files older one day key | value ---------- | --- date | 2024-07-08T07:04:56+00:00 version | 2.3.0p11 class | fix edition | cre component | wato level | 1 compatible | yes Werk #15125 introduced a cleanup mechanism for old PFD tmp files but deleted files older 48hours. Now files older than one day are deleted. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Delete PDF tmp files older one day key | value ---------- | --- date | 2024-07-08T07:04:56+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | wato level | 1 compatible | yes Werk #15125 introduced a cleanup mechanism for old PFD tmp files but deleted files older 48hours. Now files older than one day are deleted.

2 months, 1 week

[2.3.0] Checkmk Werk 17061 adapted: Show correct host alias in context of test notifications

by Checkmk werks level 1

Werk 17061 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Show correct host alias in context of test notifications key | value ---------- | --- date | 2024-07-04T12:55:43+00:00 version | 2.3.0p11 class | fix edition | cre component | notifications level | 1 compatible | yes The hostname was shown instead of the alias in the context of a test notification, even if an alias was defined for the host. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Show correct host alias in context of test notifications key | value ---------- | --- date | 2024-07-04T12:55:43+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | notifications level | 1 compatible | yes The hostname was shown instead of the alias in the context of a test notification, even if an alias was defined for the host.

2 months, 1 week

[2.3.0] Checkmk Werk 16439 adapted: redis: Add Log Rotation

by Checkmk werks level 1

Werk 16439 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # redis: Add Log Rotation key | value ---------- | --- date | 2024-07-08T06:33:26+00:00 version | 2.3.0p11 class | fix edition | cre component | omd level | 1 compatible | yes Previously, the file `var/log/redis-server.log` would not be rotated. If you are unable to upgrade, you can adjust the file in `$OMD_ROOT/etc/logrotate.d/redis`. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # redis: Add Log Rotation key | value ---------- | --- date | 2024-07-08T06:33:26+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | omd level | 1 compatible | yes Previously, the file `var/log/redis-server.log` would not be rotated. If you are unable to upgrade, you can adjust the file in `$OMD_ROOT/etc/logrotate.d/redis`.

2 months, 1 week

[2.3.0] Checkmk Werk 16434 adapted: Synthetic Monitoring: Privilege Escalation

by Checkmk werks level 1

Werk 16434 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Synthetic Monitoring: Privilege Escalation key | value ---------- | --- date | 2024-06-24T14:56:31+00:00 version | 2.3.0p11 class | security edition | cee component | agents level | 1 compatible | yes The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit the issue, if 1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule, 2. the same plan was configured without configuring `Execute plan as a specific user` 3. and a user on the host, onto which the scheduler has been deployed, was compromised. In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM. There is a second similar, but distinct issue. If - there are two or more plans configured with `Execute plan as a specific user` with distinct users - and one of the configured users was already compromised. The attacker could then compromise the other user. *Background*: The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges. Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all users on the host to edit these Python environments. Thus, any compromised user on the host is also able to compromise a user, which executes code from these shared environments. With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their access to the vulnerable Python environments revoked. Moreover, the permissions inside of the working directory of Robotmk have been reworked. Users now only have access to directories, which are required for their own executions. Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler. *Affected Versions*: * 2.3.0 *Mitigations*: If updating is not possible: * Do not use the rule `Automated environment setup (via RCC)`. * Always use the same user for `Execute plan as a specific user`. *Vulnerability Management*: We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. CVE-2024-39934 has been assigned to this issue. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Synthetic Monitoring: Privilege Escalation key | value ---------- | --- date | 2024-06-24T14:56:31+00:00 - version | 2.3.0p8 ? ^ + version | 2.3.0p11 ? ^^ class | security edition | cee component | agents level | 1 compatible | yes The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users, which have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit the issue, if 1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule, 2. the same plan was configured without configuring `Execute plan as a specific user` 3. and a user on the host, onto which the scheduler has been deployed, was compromised. In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific user` _is_ configured, then the attacker could compromise that specific user, rather than SYSTEM. There is a second similar, but distinct issue. If - there are two or more plans configured with `Execute plan as a specific user` with distinct users - and one of the configured users was already compromised. The attacker could then compromise the other user. *Background*: The Robotmk scheduler is started by the Checkmk agent that runs with SYSTEM privileges. Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup the scheduler would enable a RCC feature called `shared holotree usage`. This feature allows all users on the host to edit these Python environments. Thus, any compromised user on the host is also able to compromise a user, which executes code from these shared environments. With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their access to the vulnerable Python environments revoked. Moreover, the permissions inside of the working directory of Robotmk have been reworked. Users now only have access to directories, which are required for their own executions. Note, you must update both Checkmk and redeploy the latest Robotmk Scheduler. *Affected Versions*: * 2.3.0 *Mitigations*: If updating is not possible: * Do not use the rule `Automated environment setup (via RCC)`. * Always use the same user for `Execute plan as a specific user`. *Vulnerability Management*: We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. CVE-2024-39934 has been assigned to this issue.

2 months, 1 week

[2.3.0] Checkmk Werk 16438 adapted: Filesystem: Use MiB instead of MB in Check Summary

by Checkmk werks level 1

Werk 16438 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Filesystem: Use MiB instead of MB in Check Summary key | value ---------- | --- date | 2024-07-04T09:29:10+00:00 version | 2.3.0p11 class | fix edition | cre component | checks level | 1 compatible | yes In version 2.3.0, the Filesystem Checks have been adapted to render bytes in the format `11.1 kb`. This has been changed back to `10.9 KiB`. This is how it was rendered in the 2.2.0. It also consistent with the graphs used by these checks. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Filesystem: Use MiB instead of MB in Check Summary key | value ---------- | --- date | 2024-07-04T09:29:10+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | checks level | 1 compatible | yes In version 2.3.0, the Filesystem Checks have been adapted to render bytes in the format `11.1 kb`. This has been changed back to `10.9 KiB`. This is how it was rendered in the 2.2.0. It also consistent with the graphs used by these checks.

2 months, 1 week

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1