[//]: # (werk v2)
# Hanging background jobs/frozen site
key | value
---------- | ---
date | 2024-06-26T12:45:00+00:00
version | 2.4.0b1
class | fix
edition | cee
component | multisite
level | 1
compatible | yes
Under certain conditions, background jobs could previously hang without ever finishing. If the hanging job held crucial file locks (for example, a lock on the licensing files), the entire site could freeze.
This is usually accompanied by the error
```
Bad file descriptor
```
in the logs.
[//]: # (werk v2)
# agent_netapp_ontap: Fix TypeError for SnapVault
key | value
---------- | ---
date | 2024-06-26T11:18:02+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 1
compatible | yes
Previously, `agent_netapp_ontap` would crash if the API returned any `SnapMirror` objects:
```
File "/omd/sites/mysite/local/lib/python3/cmk/special_agents/agent_netapp_ontap.py", line 827, in write_sections
write_section("snapvault", fetch_snapmirror(connection), logger)
File "/omd/sites/mysite/local/lib/python3/cmk/special_agents/agent_netapp_ontap.py", line 32, in write_section
writer.append_json(element.model_dump(exclude_unset=True, exclude_none=False))
File "/omd/sites/mysite/lib/python3/cmk/special_agents/v0_unstable/agent_common.py", line 62, in append_json
self.writeline(json.dumps(data, sort_keys=True))
File "/omd/sites/mysite/lib/python3.12/json/__init__.py", line 238, in dumps
**kw).encode(obj)
File "/omd/sites/mysite/lib/python3.12/json/encoder.py", line 200, in encode
chunks = self.iterencode(o, _one_shot=True)
File "/omd/sites/mysite/lib/python3.12/json/encoder.py", line 258, in iterencode
return _iterencode(o, 0)
File "/omd/sites/mysite/lib/python3.12/json/encoder.py", line 180, in default
raise TypeError(f'Object of type {o.__class__.__name__} '
```
Title: Preserve search term after deletion of topics, bookmarks or custom sidebar elements
Class: fix
Compatible: compat
Component: multisite
Date: 1718097357
Edition: cre
Level: 1
Version: 2.2.0p28
Recently, deleting topics, bookmarks or custom sidebar elements under "Customize" led to a page reload that ignored an active in-page search ("Find on this page ...").
This has been fixed: the search term is now preserved after the deletion.
Title: Use correct filter for virtual host tree links
Class: fix
Compatible: compat
Component: multisite
Date: 1719321845
Edition: cre
Level: 1
Version: 2.2.0p28
Since 2.2.0, the virtual host tree links for "Show the service problems
contained in this branch" were missing the "service states" filter
(WARN/CRIT/UNKN) and the "downtimes" filter (set to "no").
[//]: # (werk v2)
# Mitigate timing-unsafe comparisons to prevent byte-by-byte brute forcing attack
key | value
---------- | ---
date | 2024-06-25T10:10:15+00:00
version | 2.3.0p8
class | security
edition | cee
component | agents
level | 1
compatible | yes
A theoretical brute-force attack could be performed because secrets were compared in a timing-unsafe way.
This fix changes the way secrets are verified in communication with the agent.
To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
[//]: # (werk v2)
# Use correct filter for virtual host tree links
key | value
---------- | ---
compatible | yes
version | 2.3.0p8
date | 2024-06-25T13:24:05+00:00
level | 1
class | fix
component | multisite
edition | cre
Since 2.2.0, the virtual host tree links for "Show the service problems
contained in this branch" were missing the "service states" filter
(WARN/CRIT/UNKN) and the "downtimes" filter (set to "no").
[//]: # (werk v2)
# Synthetic Monitoring: Privilege Escalation
key | value
---------- | ---
date | 2024-06-24T14:56:31+00:00
version | 2.3.0p8
class | security
edition | cee
component | agents
level | 1
compatible | yes
The Robotmk scheduler was affected by a privilege escalation issue. This issue affects users who
have configured the rule `Robotmk scheduler (Windows)`. Specifically, an attacker is able to exploit
the issue if
1. `Automated environment setup (via RCC)` was configured in the `Robotmk scheduler (Windows)` rule,
2. the same plan was configured without `Execute plan as a specific user`,
3. and a user on the host onto which the scheduler has been deployed was compromised.
In this event, the attacker could gain SYSTEM privileges on the host. If `Execute plan as a specific
user` _is_ configured, then the attacker could compromise that specific user rather than SYSTEM.
There is a second, similar but distinct issue. If
- there are two or more plans configured with `Execute plan as a specific user` with distinct users
- and one of the configured users was already compromised,
the attacker could then compromise the other user.
*Background*:
The Robotmk scheduler is started by the Checkmk agent, which runs with SYSTEM privileges.
Moreover, Robotmk allows the user to automatically build Python environments via RCC. During setup,
the scheduler would enable an RCC feature called `shared holotree usage`. This feature allows all
users on the host to edit these Python environments. Thus, any compromised user on the host is also
able to compromise any user that executes code from these shared environments.
With this Werk, `shared holotree usage` will no longer be enabled. Affected users will have their
access to the vulnerable Python environments revoked. Moreover, the permissions inside the working
directory of Robotmk have been reworked. Users now only have access to the directories that are
required for their own executions.
Note that you must both update Checkmk and redeploy the latest Robotmk scheduler.
*Affected Versions*:
* 2.3.0
*Mitigations*:
If updating is not possible:
* Do not use the rule `Automated environment setup (via RCC)`.
* Always use the same user for `Execute plan as a specific user`.
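The two exploitable configurations described above (RCC automated setup on a plan that runs as the scheduler itself, and several plans running as distinct specific users) can be checked mechanically. The following is an added example, not part of this Werk or of Robotmk; the `Plan` structure and its field names are a hypothetical model of the `Robotmk scheduler (Windows)` rule settings named in the text, and the audit encodes exactly the two conditions and the two mitigations listed above.

```python
"""Audit hypothetical Robotmk plan settings for the two risk conditions
described in the Werk. Added example; the data model is an assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Plan:
    """Hypothetical model of one plan configured in a
    `Robotmk scheduler (Windows)` rule (field names are assumptions)."""
    name: str
    rcc_automated_setup: bool          # `Automated environment setup (via RCC)` enabled
    run_as_user: Optional[str] = None  # `Execute plan as a specific user`; None = scheduler identity (SYSTEM)


def audit_plans(plans: list[Plan]) -> list[str]:
    """Return one finding per risk condition present in the configuration.

    Condition 1: a plan with RCC automated setup and no specific user runs the
    shared environment under the scheduler's own identity, i.e. SYSTEM, so a
    compromised local user could escalate to SYSTEM.
    Condition 2: two or more plans running as distinct specific users share the
    same environments, so compromise of one user could extend to the others.
    """
    findings: list[str] = []
    for plan in plans:
        if plan.rcc_automated_setup and plan.run_as_user is None:
            findings.append(
                f"{plan.name}: RCC automated setup without 'Execute plan as a "
                "specific user'; a compromised local user could reach SYSTEM"
            )
    users = {p.run_as_user for p in plans if p.run_as_user is not None}
    if len(users) > 1:
        findings.append(
            f"plans run as {len(users)} distinct users ({', '.join(sorted(users))}); "
            "compromise of one user could extend to the others"
        )
    return findings


# Constructed sample configuration, not taken from any real site.
SAMPLE_PLANS = [
    Plan("nightly-regression", rcc_automated_setup=True),              # hits condition 1
    Plan("shop-checkout", rcc_automated_setup=True, run_as_user="svc_a"),
    Plan("login-smoke", rcc_automated_setup=False, run_as_user="svc_b"),  # distinct user: condition 2
]

# Same plans after applying the mitigations: no RCC automated setup,
# and one and the same specific user everywhere.
MITIGATED_PLANS = [
    Plan("nightly-regression", rcc_automated_setup=False, run_as_user="svc_robotmk"),
    Plan("shop-checkout", rcc_automated_setup=False, run_as_user="svc_robotmk"),
    Plan("login-smoke", rcc_automated_setup=False, run_as_user="svc_robotmk"),
]

if __name__ == "__main__":
    for label, plans in (("before", SAMPLE_PLANS), ("after", MITIGATED_PLANS)):
        print(f"{label}: {audit_plans(plans) or 'no findings'}")
```

The audit only reflects the interim mitigations; once both Checkmk and the Robotmk scheduler are updated, the shared environments are no longer exposed regardless of these settings.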
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 7.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` and requested a CVE.
[//]: # (werk v2)
# Synthetic Monitoring: Report RCC Profile Configuration Errors
key | value
---------- | ---
date | 2024-06-24T14:12:42+00:00
version | 2.3.0p8
class | fix
edition | cee
component | checks
level | 1
compatible | yes
If the Robotmk Scheduler encounters an error while applying the RCC configuration, then
corresponding RCC plans will be skipped. This in turn affects discovered services in Checkmk. With
this Werk the check `robotmk_scheduler_status` will go CRIT and report the error.
[//]: # (werk v2)
# Mitigate timing-unsafe comparisons to prevent byte-by-byte brute forcing attack
key | value
---------- | ---
date | 2024-06-25T10:10:15+00:00
version | 2.4.0b1
class | security
edition | cee
component | agents
level | 1
compatible | yes
A theoretical brute-force attack could be performed because secrets were compared in a timing-unsafe way.
This fix changes the way secrets are verified in communication with the agent.
To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
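Both the 2.3.0p8 and the 2.4.0b1 Werk above describe the same defect: comparing a presented secret to the configured one with a comparison that stops at the first mismatching byte, so that response time reveals how long the matching prefix is. The following is an added example, not Checkmk's or the agent's code, showing the pattern beside a constant-time version; `check_agent_request` and its parameters are hypothetical.

```python
"""Timing-unsafe versus timing-safe secret verification.
Added illustration; not the Checkmk agent's implementation."""
import hashlib
import hmac


def verify_secret_unsafe(presented: bytes, expected: bytes) -> bool:
    """The 'before' pattern. `==` on bytes returns as soon as a byte differs,
    so the time taken grows with the length of the matching prefix and an
    observer timing many attempts learns something about the secret."""
    return presented == expected


def verify_secret(presented: bytes, expected: bytes) -> bool:
    """Constant-time verification.

    Both inputs are first reduced to a fixed-length SHA-256 digest, so the
    comparison always covers 32 bytes regardless of the secrets' lengths
    (removing length as a side channel), and the digests are compared with
    hmac.compare_digest, whose running time does not depend on where, or
    whether, the inputs differ.
    """
    presented_digest = hashlib.sha256(presented).digest()
    expected_digest = hashlib.sha256(expected).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


def check_agent_request(header_value: str, configured_secret: str) -> bool:
    """Hypothetical agent-side check: the controller sends the secret as text
    and the agent compares it with the configured one. Both strings are
    encoded the same way before hashing so equal strings give equal digests."""
    return verify_secret(header_value.encode("utf-8"), configured_secret.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    configured = "s3cr3t-agent-password"
    for attempt in ("s3cr3t-agent-password", "s3cr3t-agent-passwor", "x", ""):
        print(f"{attempt!r:>26} -> {check_agent_request(attempt, configured)}")
```

The two functions return identical results for every input; the only difference is that `verify_secret` takes the same time whether the first byte or the last byte differs, which is the property the fix restores.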
[//]: # (werk v2)
# Add 'Export this connection for API' to dcd connections
key | value
---------- | ---
date | 2024-06-24T13:33:16+00:00
version | 2.4.0b1
class | feature
edition | cee
component | multisite
level | 1
compatible | yes
Such exporters already exist for other rules: once a rule is configured, its API
representation can be displayed via the blue arrow in the action buttons.