Title: Fix local IP restriction of internal HTTP endpoints
Class: security
Compatible: compat
Component: wato
Date: 1718804769
Edition: cre
Level: 1
Version: 2.2.0p31
Checkmk has some complex functionality that is hidden behind internal HTTP endpoint pages.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or the creation of diagrams for notifications.
Therefore these pages are protected so that they are only accessible locally.
In order to recognize the client IP when a reverse proxy is used, Checkmk relies on the <code>X-Forwarded-For</code> header.
That header is added and completed by <code>mod_proxy</code> and is usually trustworthy.
When the site apache is exposed directly to the network, however (e.g. in the default docker setup), there is no proxy apache to curate this header.
To mitigate this, the site apache is supposed to restrict these internal page URIs so that they are only accessible from localhost.
This mitigation failed due to outdated configuration directives and a wrong configuration ordering.
This only affects systems which expose the site apache port (typically 5000) to the network.
If you run Checkmk behind a reverse proxy (the default if you installed an installation package) you are not affected!
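The trust problem described above, as an added example that is not Checkmk code: the naive pattern believes whatever `X-Forwarded-For` says, so a network peer talking to an exposed site apache can present itself as localhost; the hardened variant only honours the header when the direct peer is a known proxy (assumed here to be loopback, where the system apache normally sits) and walks the hop list from the right, stopping at the first hop that is not a proxy. The addresses and the `TRUSTED_PROXIES` set are assumptions for the example.

```python
"""Derive the real client address of a request from REMOTE_ADDR and
X-Forwarded-For, trusting the header only when the direct peer is a known
reverse proxy. Added example, not Checkmk code."""
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the only hop allowed to set X-Forwarded-For is the system apache
# that proxies to the site apache over loopback. A site apache that is exposed
# directly (e.g. docker, port 5000) sees arbitrary network peers here instead.
TRUSTED_PROXIES = (ip_network("127.0.0.0/8"), ip_network("::1/128"))


def _is_trusted_proxy(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """The flawed pattern: believe the leftmost X-Forwarded-For entry
    regardless of who sent the request."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: only a trusted proxy may vouch for earlier hops. Walk the
    header from the right and stop at the first hop that is not a proxy."""
    if not xff or not _is_trusted_proxy(remote_addr):
        return remote_addr  # header came from the network itself: ignore it
    client = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting anything further left
        client = hop
        if not _is_trusted_proxy(hop):
            break
    return client


def is_local_request(remote_addr: str, xff: Optional[str]) -> bool:
    """What a 'localhost only' endpoint guard should decide."""
    return ip_address(client_ip_trusted(remote_addr, xff)).is_loopback


if __name__ == "__main__":
    # Constructed case: a network peer spoofs a loopback address in the header.
    peer, spoofed = "10.0.0.9", "127.0.0.1"
    print("naive  :", client_ip_naive(peer, spoofed))    # 127.0.0.1 (wrongly local)
    print("trusted:", client_ip_trusted(peer, spoofed))  # 10.0.0.9 (not local)
```

With a proxy in front, `client_ip_trusted("127.0.0.1", "203.0.113.7, 127.0.0.1")` still resolves to the real client `203.0.113.7`; without one, the spoofed header is simply ignored. Restricting the URIs in the site apache, as the mitigation below does, is the same decision enforced one layer earlier.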
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (probably older versions as well)
<strong>Mitigations</strong>:
You can add the following configuration to the site apache configuration, e.g. <code>etc/apache/conf.d/zzz_werk17011.conf</code>:
C+:
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
C-:
<strong>Indicators of Compromise</strong>:
You can check the apache access log <code>var/log/apache/access_log</code> for calls to <code>run_cron.py</code> or <code>ajax_graph_images.py</code> from network hosts.
E.g. <code>grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log</code>
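The same indicator check as a small scanner, added here as an example that is not Checkmk code: it parses each access line, keeps only requests for the two internal endpoints, and reports those whose client address is not loopback. It assumes, as the grep pattern above does, that the first field of the log line is the client address (a bare `-` when none was recorded); the sample lines are constructed and the site name `mysite` is a placeholder.

```python
"""Flag network-originated calls to the internal endpoints named in this Werk
in a site apache access_log. Added example, not Checkmk code."""
import re
from ipaddress import ip_address
from typing import Iterable, List, Tuple

INTERNAL_ENDPOINTS = ("/check_mk/run_cron.py", "/check_mk/ajax_graph_images.py")

# Assumption: the first log field is the client address, as the Werk's grep
# pattern (^[^-]) implies; a bare "-" means no address was recorded.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

Hit = Tuple[str, str, str, int]  # client, timestamp, path, status


def _is_local(client: str) -> bool:
    try:
        return ip_address(client).is_loopback
    except ValueError:
        return False  # "-" or a hostname: never assume it is local


def find_suspicious(lines: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access line we understand
        path = m.group("target").split("?", 1)[0]
        if not path.endswith(INTERNAL_ENDPOINTS):
            continue
        client = m.group("client")
        if client == "-" or _is_local(client):
            continue  # legitimate local caller (cron runner, notification)
        hits.append((client, m.group("time"), path, int(m.group("status"))))
    return hits


def scan_file(path: str = "var/log/apache/access_log") -> List[Hit]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious(fh)


# Constructed sample lines, not from any real site.
SAMPLE_LOG = [
    '127.0.0.1 - - [19/Jun/2024:13:46:09 +0000] "GET /mysite/check_mk/run_cron.py HTTP/1.1" 200 12 "-" "curl/8.0"',
    '- - - [19/Jun/2024:13:47:00 +0000] "GET /mysite/check_mk/ajax_graph_images.py?host=h1 HTTP/1.1" 200 4321 "-" "-"',
    '203.0.113.7 - - [19/Jun/2024:13:48:12 +0000] "GET /mysite/check_mk/run_cron.py HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jun/2024:13:48:20 +0000] "GET /mysite/check_mk/login.py HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Jun/2024:13:49:01 +0000] "GET /mysite/check_mk/ajax_graph_images.py?host=srv1&service=CPU HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for client, when, path, status in find_suspicious(SAMPLE_LOG):
        # A 403 means the Location restriction already blocked the attempt.
        print(f"{when} {client} -> {path} ({status})")
```

Run it against the real log with `scan_file()` from the site user's home directory. A hit with status 200 means the endpoint answered a network client; a 403 shows the restriction from the mitigation above rejecting the call.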
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
<code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>.
We assigned CVE-2024-6163 to this vulnerability.
<strong>Changes</strong>:
This Werk fixes the configuration syntax and ordering.
Werk 16437 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.3.0p10
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
mostly affect hosts, which have a high number of sites.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.3.0p10
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
- With this Werk, the all invocations of the <tt>omd</tt> command line tool are faster.
? ----
+ With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
- should largely affect hosts, which have a high number of sites.
? ^^^^^^^^^^^
+ mostly affect hosts, which have a high number of sites.
? ++ ^
+
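Review bot: the `+ mostly affect hosts, which have a high number of sites.` line keeps the comma before `which`, which makes the clause non-restrictive and reads as though every host has many sites; the intended meaning is restrictive, so drop the comma or use `that`: `mostly affect hosts that have a high number of sites.`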
[//]: # (werk v2)
# Fix problems on cloning built-in problems dashboard
key | value
---------- | ---
date | 2024-07-04T14:02:37+00:00
version | 2.3.0p10
class | fix
edition | cme
component | multisite
level | 1
compatible | yes
If you cloned the built-in dashboard "problems", the "Topic" section showed
"This element does not exist anymore".
Furthermore, if you edited the "Host statistics" or "Service statistics"
dashlet on the cloned dashboard, an error like "KeyError (size)" occurred.
[//]: # (werk v2)
# Fix local IP restriction of internal HTTP endpoints
key | value
---------- | ---
date | 2024-06-19T13:46:09+00:00
version | 2.3.0p10
class | security
edition | cre
component | wato
level | 1
compatible | yes
Checkmk has some complex functionality that is hidden behind internal HTTP endpoint pages.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or the creation of diagrams for notifications.
Therefore these pages are protected so that they are only accessible locally.
In order to recognize the client IP when a reverse proxy is used, Checkmk relies on the `X-Forwarded-For` header.
That header is added and completed by `mod_proxy` and is usually trustworthy.
When the site apache is exposed directly to the network, however (e.g. in the default docker setup), there is no proxy apache to curate this header.
To mitigate this, the site apache is supposed to restrict these internal page URIs so that they are only accessible from localhost.
This mitigation failed due to outdated configuration directives and a wrong configuration ordering.
This only affects systems which expose the site apache port (typically 5000) to the network.
If you run Checkmk behind a reverse proxy (the default if you installed an installation package) you are not affected!
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
**Mitigations**:
You can add the following configuration to the site apache configuration, e.g. `etc/apache/conf.d/zzz_werk17011.conf`:
```apache
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
```
**Indicators of Compromise**:
You can check the apache access log `var/log/apache/access_log` for calls to `run_cron.py` or `ajax_graph_images.py` from network hosts.
E.g. `grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log`
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`.
We assigned CVE-2024-6163 to this vulnerability.
**Changes**:
This Werk fixes the configuration syntax and ordering.
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.3.0p10
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
mostly affect hosts, which have a high number of sites.
[//]: # (werk v2)
# Show correct host alias in context of test notifications
key | value
---------- | ---
date | 2024-07-04T12:55:43+00:00
version | 2.3.0p10
class | fix
edition | cre
component | notifications
level | 1
compatible | yes
The hostname was shown instead of the alias in the context of a test
notification, even if an alias was defined for the host.
Werk 16437 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
mostly affect hosts, which have a high number of sites.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
- With this Werk, the all invocations of the <tt>omd</tt> command line tool are faster.
? ----
+ With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
- should largely affect hosts, which have a high number of sites.
? ^^^^^^^^^^^
+ mostly affect hosts, which have a high number of sites.
? ++ ^
+
[//]: # (werk v2)
# omd: Improve Runtime with Many Sites
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-07-04T08:44:52+00:00
level | 2
class | fix
component | omd
edition | cre
With this Werk, all invocations of the <tt>omd</tt> command line tool are faster.
This Werk should not affect behaviour in any other way. The performance improvements
mostly affect hosts, which have a high number of sites.
[//]: # (werk v2)
# Fix local IP restriction of internal HTTP endpoints
key | value
---------- | ---
date | 2024-06-19T13:46:09+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | yes
Checkmk has some complex functionality that is hidden behind internal HTTP endpoint pages.
These pages are only meant to be accessed by internal processes, e.g. a cron runner or the creation of diagrams for notifications.
Therefore these pages are protected so that they are only accessible locally.
In order to recognize the client IP when a reverse proxy is used, Checkmk relies on the `X-Forwarded-For` header.
That header is added and completed by `mod_proxy` and is usually trustworthy.
When the site apache is exposed directly to the network, however (e.g. in the default docker setup), there is no proxy apache to curate this header.
To mitigate this, the site apache is supposed to restrict these internal page URIs so that they are only accessible from localhost.
This mitigation failed due to outdated configuration directives and a wrong configuration ordering.
This only affects systems which expose the site apache port (typically 5000) to the network.
If you run Checkmk behind a reverse proxy (the default if you installed an installation package) you are not affected!
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (probably older versions as well)
**Mitigations**:
You can add the following configuration to the site apache configuration, e.g. `etc/apache/conf.d/zzz_werk17011.conf`:
```apache
<Location "/###SITE###/check_mk/run_cron.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
# Webservice for graph images used by notifications
<Location "/###SITE###/check_mk/ajax_graph_images.py">
Order deny,allow
Deny from all
Require local
Satisfy any
</Location>
```
**Indicators of Compromise**:
You can check the apache access log `var/log/apache/access_log` for calls to `run_cron.py` or `ajax_graph_images.py` from network hosts.
E.g. `grep --extended-regexp "^[^-].+(run_cron|ajax_graph_images.py)" var/log/apache/access_log`
**Vulnerability Management**:
We have rated the issue with a CVSS Score of 5.3 (Medium) with the following CVSS vector:
`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`.
We assigned CVE-2024-6163 to this vulnerability.
**Changes**:
This Werk fixes the configuration syntax and ordering.
[//]: # (werk v2)
# Show correct host alias in context of test notifications
key | value
---------- | ---
date | 2024-07-04T12:55:43+00:00
version | 2.4.0b1
class | fix
edition | cre
component | notifications
level | 1
compatible | yes
The hostname was shown instead of the alias in the context of a test
notification, even if an alias was defined for the host.