Title: Update PHP version in SLES15SP3 from 7 to 8
Class: fix
Compatible: incomp
Component: rpm
Date: 1701254497
Edition: cre
Level: 2
Version: 2.2.0p17
Checkmk was shipped with a dependency on PHP7 for SLES15SP3. Since PHP7 is
part of the legacy module, this Werk updates the dependency from PHP7 to PHP8.
As SLES only allows one version of PHP to be installed, the following steps
will uninstall PHP7 from the system and install the new version of Checkmk
with PHP8. Be aware that this procedure updates PHP from version 7 to 8 for the whole OS. If you run additional PHP applications next to Checkmk, the update will affect them as well.
Run the following commands to perform the update to the new Checkmk version:
* add the SLES-15SP4 repo to get PHP8 with <tt>zypper addrepo https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/ sles15sp4</tt>
* install the new Checkmk version with <tt>zypper install NEW_CHECKMK.rpm</tt>
* Zypper will now complain about a conflict with several PHP packages and ask you to select a solution. Select <tt>solution 1</tt> to confirm the deinstallation of the current Checkmk version and the PHP7 modules and to continue with the installation
* confirm the installation of the new Checkmk version and PHP8 with <tt>yes</tt>
* removing the existing Checkmk version will throw an error like `Site <SITENAME> is still using this version! Removal of <OLD_CHECKMK>(@System) failed:`; proceed by choosing <tt>ignore</tt>. This leaves the old Checkmk package in an inconsistent state, which is resolved in a later step.
* PHP7 will be removed and PHP8 installed
* change to the site user with <tt>omd su SITE_NAME</tt>
* stop the site with <tt>omd stop</tt>
* perform the update to the new Checkmk version with <tt>omd update</tt>, select <tt>Update</tt> at the user prompt
* in case further prompts regarding wrong permissions of BUILD files appear, choose the default value with <tt>d</tt>
* start the site again with <tt>omd start</tt>
* exit from the site user
* list all installed Checkmk versions with <tt>omd versions</tt>
* finally remove the old Checkmk installation with <tt>zypper remove OLD_CHECKMK</tt>
Title: Update PHP version in SLES15SP3 from 7 to 8
Class: fix
Compatible: incomp
Component: rpm
Date: 1701254497
Edition: cre
Level: 2
Version: 2.3.0b1
Checkmk was shipped with a dependency on PHP7 for SLES15SP3. Since PHP7 is
part of the legacy module, this Werk updates the dependency from PHP7 to PHP8.
As SLES only allows one version of PHP to be installed, the following steps
will uninstall PHP7 from the system and install the new version of Checkmk
with PHP8. Be aware that this procedure updates PHP from version 7 to 8 for the whole OS. If you run additional PHP applications next to Checkmk, the update will affect them as well.
Run the following commands to perform the update to the new Checkmk version:
* add the SLES-15SP4 repo to get PHP8 with <tt>zypper addrepo https://updates.suse.com/SUSE/Products/SLE-BCI/15-SP4/x86_64/product/ sles15sp4</tt>
* install the new Checkmk version with <tt>zypper install NEW_CHECKMK.rpm</tt>
* Zypper will now complain about a conflict with several PHP packages and ask you to select a solution. Select <tt>solution 1</tt> to confirm the deinstallation of the current Checkmk version and the PHP7 modules and to continue with the installation
* confirm the installation of the new Checkmk version and PHP8 with <tt>yes</tt>
* removing the existing Checkmk version will throw an error like `Site <SITENAME> is still using this version! Removal of <OLD_CHECKMK>(@System) failed:`; proceed by choosing <tt>ignore</tt>. This leaves the old Checkmk package in an inconsistent state, which is resolved in a later step.
* PHP7 will be removed and PHP8 installed
* change to the site user with <tt>omd su SITE_NAME</tt>
* stop the site with <tt>omd stop</tt>
* perform the update to the new Checkmk version with <tt>omd update</tt>, select <tt>Update</tt> at the user prompt
* in case further prompts regarding wrong permissions of BUILD files appear, choose the default value with <tt>d</tt>
* start the site again with <tt>omd start</tt>
* exit from the site user
* list all installed Checkmk versions with <tt>omd versions</tt>
* finally remove the old Checkmk installation with <tt>zypper remove OLD_CHECKMK</tt>
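The procedure above (in both its 2.2.0p17 and 2.3.0b1 entries) swaps PHP for the whole OS, and the Werk only warns in general terms that other PHP applications will be affected. The following pre-flight script is an added example, not part of the Werk or of Checkmk: it lists every installed package that depends on a php7 package and is not itself a Checkmk or PHP package, so you know what else the switch touches before choosing <tt>solution 1</tt>. It assumes rpm(8) as shipped with SLES 15, that Checkmk RPM names start with <tt>check-mk-</tt> (e.g. <tt>check-mk-raw-2.2.0p17</tt>), and that it runs as root.

```shell
#!/bin/sh
# Added example, not part of the Werk or of Checkmk: pre-flight check for the
# PHP 7 -> 8 switch. Lists installed packages that require a php7 package and
# are neither Checkmk nor PHP packages themselves.
# Assumptions: rpm(8) available (SLES 15); Checkmk RPM names start with
# "check-mk-"; run as root.

# Pure filter: reads "php7-package<TAB>requiring-package" lines on stdin and
# prints the distinct requiring packages that are not Checkmk packages and not
# other php7 packages (php7-* modules require each other, which is not
# interesting here). Kept free of rpm calls so it can run on constructed input.
non_checkmk_dependents() {
    awk -F'\t' '$2 !~ /^check-mk-/ && $2 !~ /^php7/ { print $2 }' | sort -u
}

# Ask rpm which installed packages require each installed php7* package. rpm
# prints "no package requires <pkg>" when nothing does; those lines are dropped.
collect_php7_dependents() {
    rpm -qa 'php7*' | while read -r pkg; do
        rpm -q --whatrequires "$pkg" 2>/dev/null | grep -v '^no package requires' |
        while read -r req; do
            printf '%s\t%s\n' "$pkg" "$req"
        done
    done
}

# Usage: sh php_preflight.sh --run
# Exits 1 and names the packages if anything besides Checkmk depends on PHP7.
if [ "${1:-}" = "--run" ]; then
    deps=$(collect_php7_dependents | non_checkmk_dependents)
    if [ -n "$deps" ]; then
        echo "Packages other than Checkmk depend on PHP7 and will be affected:" >&2
        echo "$deps" >&2
        exit 1
    fi
    echo "Only Checkmk depends on PHP7; the steps above will not affect other applications."
fi
```

Run it before the <tt>zypper install</tt> step; if it names packages, plan their PHP8 migration (or decide to accept the breakage) before continuing, since <tt>solution 1</tt> removes the PHP7 modules unconditionally.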
[//]: # (werk v2)
# New option to test notification rulesets
key | value
---------- | ---
date | 2024-01-11T12:12:45+00:00
version | 2.3.0b1
class | feature
edition | cre
component | notifications
level | 2
compatible | yes
Previously, you could only test your notification rulesets using the "Analyze"
option against a limited set of notifications in the backlog or with the "Fake
check result" command.
We now introduce the possibility to define a custom notification and test it
against your rulesets. The option can be found in "Setup" - "Notifications" -
"Test notifications".
In the popup, select whether you want to test on a host or a service
notification. Select the host and service (if you want to test on a service
notification) and the type of simulation. Currently supported are "Start of
downtime" and "Status change". Optionally, you can specify a custom plugin
output.
A checkbox allows you to decide whether to test only (default) or to send a
real notification according to your notification rules.
Within the "Advanced condition simulation" options you can set a custom
notification date and time to test time period matching, and the notification number.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.1.0p38
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own and place
it in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed as the oracle user, which prevents the privilege escalation.
This werk is incompatible for users of the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed as the oracle user.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.2.0p18
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own and place
it in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed as the oracle user, which prevents the privilege escalation.
This werk is incompatible for users of the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed as the oracle user.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.3.0b1
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with a script of their own and place
it in the JAVA_HOME directory. That script would then be executed by the root user.
The jarsigner is now executed as the oracle user, which prevents the privilege escalation.
This werk is incompatible for users of the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
### Affected Versions
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
### Mitigations
If updating is not possible, disable the jar_signature plugin.
### Vulnerability Management
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
We have assigned `CVE-2023-6740`.
### Changes
The jarsigner binary is now executed as the oracle user.
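The three entries above describe the flaw and the fix in one sentence each. The script below is an added example, not the Checkmk plugin's own code: it shows the root-as-caller pattern that made the plugin exploitable, the privilege-dropping form that matches the described fix, and a constructed demonstration in which a planted `jarsigner` records which uid executed it. It assumes the account owning JAVA_HOME is `oracle` (override with `ORACLE_USER`) and the util-linux `su -s SHELL -c CMD USER ARG0 ARG1...` calling convention.

```shell
#!/bin/sh
# Added example, not the Checkmk plugin's own code.
# Assumptions: JAVA_HOME is owned by "oracle" (ORACLE_USER overrides);
# su(1) is util-linux style, so arguments after the user name become $0, $1...
# of the shell started with -c.

ORACLE_USER="${ORACLE_USER:-oracle}"

# Vulnerable pattern. The agent runs as root and trusts $JAVA_HOME/bin/jarsigner,
# but JAVA_HOME lives in a tree the oracle user can write to, so whatever file
# sits there runs with the caller's (root's) privileges.
verify_jar_as_caller() {
    "$JAVA_HOME/bin/jarsigner" -verify "$1"
}

# Hardened pattern, matching the fix described above. When running as root,
# switch to the oracle user before executing anything under JAVA_HOME; a
# replaced binary then gains nothing beyond what that user already has.
# When already unprivileged, run it directly.
verify_jar_as_oracle() {
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh -c 'exec "$0/bin/jarsigner" -verify "$1"' \
            "$ORACLE_USER" "$JAVA_HOME" "$1"
    else
        "$JAVA_HOME/bin/jarsigner" -verify "$1"
    fi
}

# Constructed scenario: a writable JAVA_HOME whose "jarsigner" is a planted
# script that records the uid it ran as. Prints that uid; with the vulnerable
# pattern and a root caller it would be 0.
demo_planted_jarsigner() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jdk/bin"
    cat > "$tmp/jdk/bin/jarsigner" <<'EOF'
#!/bin/sh
# planted replacement (constructed for the demo): records the executing uid
printf '%s' "$(id -u)" > "${0%/bin/jarsigner}/ran_as_uid"
EOF
    chmod 755 "$tmp/jdk/bin/jarsigner"
    ( JAVA_HOME="$tmp/jdk"; verify_jar_as_caller "$tmp/app.jar" )
    cat "$tmp/jdk/ran_as_uid"
    rm -rf "$tmp"
}
```

Note that `verify_jar_as_oracle` passes JAVA_HOME and the jar path as positional parameters rather than splicing them into the `-c` string, so a path containing spaces or shell metacharacters cannot alter the command.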
Werk 1665 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: agent_netapp: New special agent for NetApp monitoring via Web-API
Level: 3
Component: checks
Class: feature
Compatible: compat
State: unknown
Version: 1.2.7i1
Date: 1418736173
The new agent_netapp allows you to collect data from a NetApp Filer through
its Web-API. Right now <b>only 7-Mode</b> setups are supported; Cluster-Mode
support will follow soon.
H2: Agent setup
This agent does not run out of the box, because it depends on some files
from the <i>NetApp Manageability SDK</i>. You can download it
<a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a>.
This package contains a Python API binding. The agent_netapp requires
the two Python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into
the site's local directory <tt>~/local/lib/python</tt>.
(Our plan is to eliminate this tedious step in a future version.)
Once the agent has all required files, you need to create a user account on the
filer with the following API permissions, and no others:
<ul>
<li>perf-object-get-instances</li>
<li>net-ifconfig-get</li>
<li>aggr-list-info</li>
<li>storage-shelf-bay-list-info</li>
<li>disk-list-info</li>
<li>vfiler-list-info</li>
<li>vfiler-get-status</li>
<li>volume-list-info</li>
<li>system-get-version</li>
<li>system-get-info</li>
<li>storage-shelf-environment-list-info</li>
<li>cf-status</li>
<li>diagnosis-status-get</li>
</ul>
Note: This list might grow in later versions.
If the new agent is able to access the Web-API, the following new checks
are ready to process the data:
<table>
<tr><th>Check</th><th>Description</th></tr>
<tr><td>netapp_api_aggr</td><td>Used space and trend of aggregates</td></tr>
<tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr>
<tr><td>netapp_api_cluster</td><td>Cluster status</td></tr>
<tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr>
<tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr>
<tr><td>netapp_api_if</td><td>Interface checks (Fibre Channel not included so far)</td></tr>
<tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsi)</td></tr>
<tr><td>netapp_api_status</td><td>Filer's diagnosis status (overall status)</td></tr>
<tr><td>netapp_api_version</td><td>Version information</td></tr>
<tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr>
<tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr>
<tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr>
<tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr>
<tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr>
<tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr>
</table>
Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.
------------------------------------<diff>-------------------------------------------
Title: agent_netapp: New special agent for NetApp monitoring via Web-API
Level: 3
Component: checks
Class: feature
Compatible: compat
State: unknown
Version: 1.2.7i1
Date: 1418736173
The new agent_netapp allows you to collect data from a NetApp Filer through
its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is
following soon.
H2: Agent setup
This agent does not run out of the box, because it depends on some files
from the <i>Netapp Manageability SDK</i> from NetApp. You can download it
<a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a>
In this package you will find a python API binding. The agent_netapp requires
the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into
the sites local directory <tt>~/local/lib/python</tt>.
(Our plan is to eleminate this tedious step in a future version)
Once the agent has all required files you need to create a user account
with the following permissions:
<ul>
<li>perf-object-get-instances</li>
<li>net-ifconfig-get</li>
<li>aggr-list-info</li>
<li>storage-shelf-bay-list-info</li>
<li>disk-list-info</li>
<li>vfiler-list-info</li>
<li>vfiler-get-status</li>
<li>volume-list-info</li>
<li>system-get-version</li>
<li>system-get-info</li>
<li>storage-shelf-environment-list-info</li>
<li>cf-status</li>
<li>diagnosis-status-get</li>
</ul>
Note: This list might increase in later versions
If the new agent is able to access the Web-API the following new checks
are ready to process the data:
<table>
<tr><th>Check</th><th>Description</th></tr>
<tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr>
<tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr>
<tr><td>netapp_api_cluster</td><td>Cluster status</td></tr>
<tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr>
<tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr>
<tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr>
<tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr>
<tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr>
<tr><td>netapp_api_version</td><td>Version information</td></tr>
<tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr>
<tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr>
<tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr>
<tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr>
- <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td><tr>
+ <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr>
? +
<tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr>
</table>
Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.
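Review bot: The hunk's only change, replacing the stray `<tr>` at the end of the netapp_api_fan row with `</tr>`, is the right fix; with the old line the row never closes and the netapp_api_temp row that follows ends up inside it. The `?` line with the single `+` under the hunk is difflib's intraline marker, not werk text, and must not be pasted into the werk file.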
Werk 50 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: New concept of favorite hosts and services plus matching filters and views
Level: 2
Component: multisite
Version: 1.2.3i7
Date: 1383411707
Class: feature
The new "Favorites" feature introduces a new pair of commands for hosts
and services: <i>Add to favourites</i> and <i>Remove from favourites</i>.
It allows you to manage your personal list of favourite hosts and
services. This list is saved on a per-user basis. Objects on this list are
marked with a star icon.
The favourites list can be used for filtering. Two new predefined views,
"Favourite hosts" and "Favourite services", are available for showing your
favourite objects. The new filters have also been added to several views.
Please note that when you make a host a favourite, the services of that host
will not automatically become favourites as well. But you can easily use the
"Service Search" view for listing all services on favourite hosts, if you
want that behaviour.
With a combination of the existing filters you can run many useful queries
like "Show me all problems on my favourite hosts in host group X".
The advantages of favourites as opposed to host and service groups are:
<ul>
<li>No change to the monitoring configuration is necessary and thus no restart of the core.</li>
<li>Each user can manage their individual list.</li>
</ul>
------------------------------------<diff>-------------------------------------------
Title: New concept of favorite hosts and services plus matching filters and views
Level: 2
Component: multisite
Version: 1.2.3i7
Date: 1383411707
Class: feature
The new "Favorites" feature introduces a new pair of commands for hosts
and services: <i>Add to favourites</i> and <i>Remove from favourites</i>.
It allows you to manage your personal list of favourite hosts and
services. This list is saved on a per-user-base. Objects on this list are
marked with a star icon.
The favourites-list can be used for filtering. Two new predefined views
"Favourite hosts" and "Favourite services" are available for showing you
favourite objects. Also the new filters have been added to several views.
Please note, that when you make a host a favourite, the services of that host
will not automatically get favourites as well. But you easily can use the
"Service Search" view for listing all services on favorite hosts, if you
like that behaviour.
With a combination of the existing filters you can do many useful queries
like "Show me all problems on my favourite hosts in host group X".
The advantage of favourites as opposed to host- and service groups are:
<ul>
<li>No change to the monitoring configuration is neccessary and thus no restart of the core.</li>
- <li>Each user can manage his indiviual list.</li>.
? -
+ <li>Each user can manage his indiviual list.</li>
</ul>
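Review bot: The hunk only drops the stray `.` after `</li>`; the misspelling `indiviual` (for `individual`) on the same line survives in the `+` line and could be corrected in the same adaptation, as could `neccessary` in the list item just above it.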
Title: Privilege escalation in Agent
Class: security
Compatible: compat
Component: checks
Date: 1701938773
Edition: cre
Level: 2
Version: 2.2.0p17
In order to monitor Livestatus of the sites running on a host, the Checkmk agent uses unixcat, which is part of Checkmk.
Since the binary is linked against libraries that are also part of Checkmk and may differ from the libraries of the operating system, calling unixcat outside the scope of a site could result in errors due to version mismatches in these libraries.
To use the correct libraries, a fix was introduced in Checkmk 2.2.0p10 that adds the site's libraries to the unixcat call in the agent.
Since the lib folder within a site is writable by the site user, a rogue site could inject malicious libraries into the unixcat call, which the agent executes as root, leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
<b>Affected Versions</b>:
* since 2.2.0p10
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31210 to this vulnerability.
<b>Changes</b>:
This Werk changes the library path from the site's lib folder to the version's files, which are writable only by root.
Title: Privilege escalation in Agent
Class: security
Compatible: compat
Component: checks
Date: 1701938773
Edition: cre
Level: 2
Version: 2.3.0b1
In order to monitor Livestatus of the sites running on a host, the Checkmk agent uses unixcat, which is part of Checkmk.
Since the binary is linked against libraries that are also part of Checkmk and may differ from the libraries of the operating system, calling unixcat outside the scope of a site could result in errors due to version mismatches in these libraries.
To use the correct libraries, a fix was introduced in Checkmk 2.2.0p10 that adds the site's libraries to the unixcat call in the agent.
Since the lib folder within a site is writable by the site user, a rogue site could inject malicious libraries into the unixcat call, which the agent executes as root, leading to a privilege escalation.
We thank Jan-Philipp Litza for reporting this issue.
<b>Affected Versions</b>:
LI: since 2.2.0p10
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</tt>.
We assigned CVE-2023-31210 to this vulnerability.
<b>Changes</b>:
This Werk changes the library path from the site's lib folder to the version's files, which are writable only by root.
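Both entries above (2.2.0p17 and 2.3.0b1) contrast two library paths without showing them. The script below is an added example, not the Checkmk agent's own code: it shows the site-writable path that a root process must never put on <tt>LD_LIBRARY_PATH</tt>, the root-owned version path the fix uses, and a check a root-run caller can make before trusting a library directory. It assumes the usual OMD layout, where <tt>/omd/sites/&lt;site&gt;/lib</tt> is owned by the site user and <tt>/omd/versions/&lt;version&gt;/lib</tt> by root, and uses placeholder site and version names and GNU <tt>stat</tt>.

```shell
#!/bin/sh
# Added example, not the Checkmk agent's own code.
# Assumptions: OMD layout (/omd/sites/<site>/lib owned by the site user,
# /omd/versions/<version>/lib owned by root); GNU stat(1); placeholder names.

SITE="${SITE:-mysite}"
VERSION="${VERSION:-2.2.0p17.cre}"

# Refuse a directory unless it is a real directory (not a symlink that the
# owner of the parent could repoint), owned by the expected uid, and not
# writable by group or others. Checks only the final path component; the
# robust fix is the one the Werk makes, a path that is root-owned all the way.
lib_dir_is_trusted() {
    dir=$1; owner=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ "$(stat -c %u "$dir")" = "$owner" ] || return 1
    perm=$(stat -c %a "$dir")
    other=$((perm % 10)); group=$((perm / 10 % 10))
    [ $((other & 2)) -eq 0 ] && [ $((group & 2)) -eq 0 ]
}

# Behaviour of 2.2.0p10 up to this fix, as described above: the site's lib
# folder, which the site user can populate, goes on the library search path of
# a process running as root. The dynamic loader then picks the site user's
# libraries before the real ones.
unixcat_via_site_lib() {
    LD_LIBRARY_PATH="/omd/sites/$SITE/lib" "/omd/versions/$VERSION/bin/unixcat" "$1"
}

# Fixed behaviour: the version's lib folder, writable only by root, after an
# explicit ownership and permission check.
unixcat_via_version_lib() {
    libdir="/omd/versions/$VERSION/lib"
    if ! lib_dir_is_trusted "$libdir" 0; then
        echo "refusing to use untrusted library directory $libdir" >&2
        return 1
    fi
    LD_LIBRARY_PATH="$libdir" "/omd/versions/$VERSION/bin/unixcat" "$1"
}

# Usage on an OMD host, as root (Livestatus socket of the site):
#   . ./unixcat_libpath.sh; unixcat_via_version_lib "/omd/sites/$SITE/tmp/run/live"
```

The check is deliberately strict about symlinks: a site's <tt>lib</tt> entry sits in a directory the site user owns, so even a symlink that currently points at a root-owned tree can be repointed by that user at any time.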