9 Oct
2024
9 Oct
'24
12:53 p.m.
Werk 17095 was adapted. The following is the new Werk, a diff is shown at the end of the
message.
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or
folder's properties would log those credentials in the WATO audit log. Now,
credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on
the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to
backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines
but by null bytes.
So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is
`'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains
any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium
(`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned
`CVE-2024-38862`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Sanitize Host and Folder Credentials in Audit Log
key | value
---------- | ---
date | 2024-10-07T05:57:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 1
compatible | no
Before this Werk, adding, changing, or removing SNMP and IMPI credentials in a host or
folder's properties would log those credentials in the WATO audit log. Now,
credentials are masked before being written to the log.
The affected logs, both via the rendering functionality in WATO as well as the files on
the file system, are only accessible to authenticated users.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Recommendations*:
We have marked this Werk incompatible because we recommend taking manual action:
Consider rotating affected credentials.
If that is not feasible, consider sanitizing the log files.
Also take into account that log files containing credentials might have been written to
backups.
The affected log files can be found in `~/var/check_mk/wato/log`.
- Note that entries in the files are not separated by newlines, but by null bytes, so they
will appear as one long line.
+ Note that, before Checkmk 2.3.0p18, entries in the files were not separated by newlines
but by null bytes.
+ So they would appear as one long line.
Entries that might contain credentials are all entries where the `'action'` is
`'edit-folder'` or `'edit-host'`, and the `'diff_text'` contains
any of the following strings:
* `Attribute "snmp_community"`
* `Value of "snmp_community"`
* `Attribute "management_snmp_community"`
* `Value of "management_snmp_community"`
* `Attribute "management_ipmi_credentials"`
* `Value of "management_ipmi_credentials"`
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.1 Medium
(`CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned
`CVE-2024-38862`.