Checkmk werks level1

checkmk-werks-lvl1@lists.checkmk.com

1 participants
15873 discussions

[2.3.0] Checkmk Werk 16437 adapted: omd: Improve Runtime with Many Sites

by Checkmk werks level 1

Werk 16437 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # omd: Improve Runtime with Many Sites key | value ---------- | --- compatible | yes version | 2.3.0p11 date | 2024-07-04T08:44:52+00:00 level | 2 class | fix component | omd edition | cre With this Werk, all invocations of the <tt>omd</tt> command line tool are faster. This Werk should not affect behaviour in any other way. The performance improvements mostly affect hosts, which have a high number of sites. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # omd: Improve Runtime with Many Sites key | value ---------- | --- compatible | yes - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ date | 2024-07-04T08:44:52+00:00 level | 2 class | fix component | omd edition | cre With this Werk, all invocations of the <tt>omd</tt> command line tool are faster. This Werk should not affect behaviour in any other way. The performance improvements mostly affect hosts, which have a high number of sites.

2 months, 1 week

[2.3.0] Checkmk Werk 17072 adapted: Fix "Parsing of section rmon_stats failed" for Cisco SNMP devices

by Checkmk werks level 1

Werk 17072 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix "Parsing of section rmon_stats failed" for Cisco SNMP devices key | value ---------- | --- date | 2024-07-10T07:45:41+00:00 version | 2.3.0p11 class | fix edition | cre component | checks level | 1 compatible | no For certain Cisco devices, the _Check\_MK Discovery_ service and the service discovery page displayed the error message mentioned above. To solve this issue, users have to execute the _Remove all and find new_ action in the actions menu of the service discovery page for affected hosts. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix "Parsing of section rmon_stats failed" for Cisco SNMP devices key | value ---------- | --- date | 2024-07-10T07:45:41+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | checks level | 1 compatible | no For certain Cisco devices, the _Check\_MK Discovery_ service and the service discovery page displayed the error message mentioned above. To solve this issue, users have to execute the _Remove all and find new_ action in the actions menu of the service discovery page for affected hosts.

2 months, 1 week

[2.3.0] Checkmk Werk 17011 adapted: Fix local IP restriction of internal HTTP endpoints

by Checkmk werks level 1

Werk 17011 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix local IP restriction of internal HTTP endpoints key | value ---------- | --- date | 2024-06-19T13:46:09+00:00 version | 2.3.0p11 class | security edition | cre component | wato level | 1 compatible | yes Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page. These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications. Therefore these pages are protected to be only accessible locally. In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the `X-Forwarded-For` header. That header is added and complemented by `mod_proxy` and usually trustworthy. When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header. To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost. This mitigation failed due to some outdated configuration and wrong configuration ordering. This only affects systems which expose the site apache port to the network typically 5000. If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected! This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. **Affected Versions**: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (probably older versions as well) **Mitigations**: You can add the following configuration to the site apache configuration, e.g. `etc/apache/conf.d/zzz_werk17011.conf`: <Location "/###SITE###/check_mk/run_cron.py"> Order deny,allow Deny from all Require local Satisfy any </Location> # Webservice for graph images used by notifications <Location "/###SITE###/check_mk/ajax_graph_images.py"> Order deny,allow Deny from all Require local Satisfy any </Location> **Indicators of Compromise**: You can check the apache access log `var/log/apache/access_log` for calls to `run_cron.py` or `ajax_graph_images.py` from network hosts. E.g. `grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log` **Vulnerability Management**: We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`. We assigned CVE-2024-6163 to this vulnerability. **Changes**: This Werk fixes the configuration syntax and ordering. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix local IP restriction of internal HTTP endpoints key | value ---------- | --- date | 2024-06-19T13:46:09+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | security edition | cre component | wato level | 1 compatible | yes Checkmk has some complex functionalities that are hidden behind an internal HTTP endpoint page. These pages are only meant to be accessed by internal processes, e.g. a cron runner or creating diagrams for notifications. Therefore these pages are protected to be only accessible locally. In order to recognize the client IP through the usage of a reverse proxy Checkmk uses the `X-Forwarded-For` header. That header is added and complemented by `mod_proxy` and usually trustworthy. When the site apache is exposed directly to the network though (e.g. the default docker setup) no proxy apache is there to curate this header. To mitigate this the site apache is supposed to filter these internal page URIs to be only accessible by localhost. This mitigation failed due to some outdated configuration and wrong configuration ordering. This only affects systems which expose the site apache port to the network typically 5000. If you run Checkmk behind a reverse proxy (the default if you installed a installation package) you are not affected! This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH. **Affected Versions**: * 2.3.0 * 2.2.0 * 2.1.0 * 2.0.0 (probably older versions as well) **Mitigations**: You can add the following configuration to the site apache configuration, e.g. `etc/apache/conf.d/zzz_werk17011.conf`: <Location "/###SITE###/check_mk/run_cron.py"> Order deny,allow Deny from all Require local Satisfy any </Location> # Webservice for graph images used by notifications <Location "/###SITE###/check_mk/ajax_graph_images.py"> Order deny,allow Deny from all Require local Satisfy any </Location> **Indicators of Compromise**: You can check the apache access log `var/log/apache/access_log` for calls to `run_cron.py` or `ajax_graph_images.py` from network hosts. E.g. `grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log` **Vulnerability Management**: We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`. We assigned CVE-2024-6163 to this vulnerability. **Changes**: This Werk fixes the configuration syntax and ordering.

2 months, 1 week

[2.3.0] Checkmk Werk 17116 adapted: Fix unknown services for Nutanix Prism

by Checkmk werks level 1

Werk 17116 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix unknown services for Nutanix Prism key | value ---------- | --- date | 2024-07-10T14:20:49+00:00 version | 2.3.0p11 class | fix edition | cre component | checks level | 1 compatible | yes This fixes a regression introduced in Checkmk 2.3.0p7 that caused several services to vanish during discovery or go to UNKNOWN during checking. The affected plugins where * Nutanix Prism: General Info about a Cluster * Nutanix Prism: Cluster CPU * Nutanix Prism: Host IO * Nutanix Prism: Cluster Memory ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix unknown services for Nutanix Prism key | value ---------- | --- date | 2024-07-10T14:20:49+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | checks level | 1 compatible | yes This fixes a regression introduced in Checkmk 2.3.0p7 that caused several services to vanish during discovery or go to UNKNOWN during checking. The affected plugins where * Nutanix Prism: General Info about a Cluster * Nutanix Prism: Cluster CPU * Nutanix Prism: Host IO * Nutanix Prism: Cluster Memory

2 months, 1 week

[2.3.0] Checkmk Werk 17092 adapted: Fix missing CSRF token issues

by Checkmk werks level 1

Werk 17092 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix missing CSRF token issues key | value ---------- | --- date | 2024-07-03T09:07:10+00:00 version | 2.3.0p11 class | fix edition | cre component | wato level | 1 compatible | yes Werk #17090 in Checkmk 2.3.0p8 and 2.2.0p29 introduced additional CSRF token checks in the GUI. This caused some buttons to not work anymore because the CSRF token was missing, including, but likely not limited to: * "Synchronize users" in Setup > Users to manually trigger the LDAP sync (the background sync still runs) * "Show analysis" and "Show bulks" in Setup > Events > Notifications * Reordering notification rules via drag-and-drop in the same view * "Bake agents" in the agent bakery (as a workaround, use "Bake and sign agents") * "Acknowledge last baking result" when a bake job failed (as a workaround, delete the failed job instead) This Werk fixes the issues by adding the token. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix missing CSRF token issues key | value ---------- | --- date | 2024-07-03T09:07:10+00:00 - version | 2.3.0p9 ? ^ + version | 2.3.0p11 ? ^^ class | fix edition | cre component | wato level | 1 compatible | yes Werk #17090 in Checkmk 2.3.0p8 and 2.2.0p29 introduced additional CSRF token checks in the GUI. This caused some buttons to not work anymore because the CSRF token was missing, including, but likely not limited to: * "Synchronize users" in Setup > Users to manually trigger the LDAP sync (the background sync still runs) * "Show analysis" and "Show bulks" in Setup > Events > Notifications * Reordering notification rules via drag-and-drop in the same view * "Bake agents" in the agent bakery (as a workaround, use "Bake and sign agents") * "Acknowledge last baking result" when a bake job failed (as a workaround, delete the failed job instead) This Werk fixes the issues by adding the token.

2 months, 1 week

[2.3.0] Checkmk Werk 17081 adapted: Reduce risk of hanging processes

by Checkmk werks level 1

Werk 17081 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Reduce risk of hanging processes key | value ---------- | --- date | 2024-07-03T11:30:56+00:00 version | 2.3.0p11 class | fix edition | cce component | multisite level | 1 compatible | yes Currently files required for the licensing of Checkmk are locked for reading and writing. If a process does not release its acquired file lock for any reason, subsequent processes will continue to what for that lock, causing to the entire site to freeze. This locking mechanism has now been removed to reduce the risk of this happening. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Reduce risk of hanging processes key | value ---------- | --- date | 2024-07-03T11:30:56+00:00 - version | 2.3.0p9 ? ^ + version | 2.3.0p11 ? ^^ class | fix edition | cce component | multisite level | 1 compatible | yes Currently files required for the licensing of Checkmk are locked for reading and writing. If a process does not release its acquired file lock for any reason, subsequent processes will continue to what for that lock, causing to the entire site to freeze. This locking mechanism has now been removed to reduce the risk of this happening.

2 months, 1 week

[2.3.0] Checkmk Werk 17117 adapted: multipath: Allow for dots in the UUID

by Checkmk werks level 1

Werk 17117 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # multipath: Allow for dots in the UUID key | value ---------- | --- date | 2024-07-10T15:17:28+00:00 version | 2.3.0p11 class | fix edition | cre component | checks level | 1 compatible | yes Previously devices with dots in their UUID have not been discovered. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # multipath: Allow for dots in the UUID key | value ---------- | --- date | 2024-07-10T15:17:28+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | checks level | 1 compatible | yes Previously devices with dots in their UUID have not been discovered.

2 months, 1 week

[2.3.0] Checkmk Werk 17076 adapted: Fix float rule values not checking all validations

by Checkmk werks level 1

Werk 17076 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fix float rule values not checking all validations key | value ---------- | --- date | 2024-06-25T07:08:34+00:00 version | 2.3.0p11 class | fix edition | cre component | wato level | 1 compatible | no In Checkmk, it's possible for any rule value to specify custom validation functions to stop users from accidentally entering invalid data. Before this werk, the set of rule fields that allowed floating point values to be set in rare cases did not check these custom validation functions when setting up a rule. With this werk, we restore the expected functionality and check the validity of all floating point values in a rule. **Incompatibility** Some users might have created rules which should not have been valid. You will find out if such a rule is present in your setup when you update your site. The update process will raise an error warning you of any rule values that break custom validators. This error will tell you about the invalid rule and the reason it is invalid. Please abort the update process, fix the invalid value and restart the update process. **Plugin developers** If you have created a rule value with the `validate` (ValueSpec) or `custom_validate` (Form Spec) argument set, your rule will now correctly use provided functions to check the validity of the data. No change to the rule is necessary. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fix float rule values not checking all validations key | value ---------- | --- date | 2024-06-25T07:08:34+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | wato level | 1 compatible | no In Checkmk, it's possible for any rule value to specify custom validation functions to stop users from accidentally entering invalid data. Before this werk, the set of rule fields that allowed floating point values to be set in rare cases did not check these custom validation functions when setting up a rule. With this werk, we restore the expected functionality and check the validity of all floating point values in a rule. **Incompatibility** Some users might have created rules which should not have been valid. You will find out if such a rule is present in your setup when you update your site. The update process will raise an error warning you of any rule values that break custom validators. This error will tell you about the invalid rule and the reason it is invalid. Please abort the update process, fix the invalid value and restart the update process. **Plugin developers** If you have created a rule value with the `validate` (ValueSpec) or `custom_validate` (Form Spec) argument set, your rule will now correctly use provided functions to check the validity of the data. No change to the rule is necessary.

2 months, 1 week

[2.3.0] Checkmk Werk 17082 adapted: Fixed another instance of hanging processes

by Checkmk werks level 1

Werk 17082 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # Fixed another instance of hanging processes key | value ---------- | --- date | 2024-07-05T06:55:15+00:00 version | 2.3.0p11 class | fix edition | cce component | multisite level | 1 compatible | yes As explained in werk [#17080](https://checkmk.com/werk/17080) the wrong conditions could lead to processes not releasing crucial file locks and the site subsequently freezing. However, the werk did not address all the conditions. With this werk, the cleanup of open resources was improved, which together with werk [#17081](https://checkmk.com/werk/17081) fixes another instance of processes not releasing their locks. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # Fixed another instance of hanging processes key | value ---------- | --- date | 2024-07-05T06:55:15+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cce component | multisite level | 1 compatible | yes As explained in werk [#17080](https://checkmk.com/werk/17080) the wrong conditions could lead to processes not releasing crucial file locks and the site subsequently freezing. However, the werk did not address all the conditions. With this werk, the cleanup of open resources was improved, which together with werk [#17081](https://checkmk.com/werk/17081) fixes another instance of processes not releasing their locks.

2 months, 1 week

[2.3.0] Checkmk Werk 17091 adapted: missing error message for wrong backup key password

by Checkmk werks level 1

Werk 17091 was adapted. The following is the new Werk, a diff is shown at the end of the message. [//]: # (werk v2) # missing error message for wrong backup key password key | value ---------- | --- date | 2024-07-02T12:50:08+00:00 version | 2.3.0p11 class | fix edition | cre component | wato level | 1 compatible | yes When a wrong password was entered for downloading a backup encryption key or a signature key for signing agents, an empty error message box was displayed. Now, the error message is displayed correctly. ------------------------------------<diff>------------------------------------------- [//]: # (werk v2) # missing error message for wrong backup key password key | value ---------- | --- date | 2024-07-02T12:50:08+00:00 - version | 2.3.0p10 ? ^ + version | 2.3.0p11 ? ^ class | fix edition | cre component | wato level | 1 compatible | yes When a wrong password was entered for downloading a backup encryption key or a signature key for signing agents, an empty error message box was displayed. Now, the error message is displayed correctly.

2 months, 1 week

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Checkmk werks level1