ID: 14580
Title: DCD: Piggyback hosts are now updated and deleted again
Component: Dynamic host configuration
Level: 2
Class: Bug fix
Version: 2.2.0i1
The rule <tt>Dynamic host management</tt> allows users to configure automatic creation, updating and
deletion of hosts. With werk 15206 (included in 2.1.0p20), the underlying mechanism, the <tt>Dynamic
Configuration Daemon</tt>, would no longer update and delete hosts.
ID: 15122
Title: New option to make customizations available to users of selected sites
Component: Multisite
Level: 2
Class: New feature
Version: 2.2.0i1
You can now make customized views, dashboards, etc. available for users on
selected sites.
For this purpose, new permissions such as "Publish views to users of allowed sites" have
been introduced and assigned to the "admin" role.
With this permission you can use the option "Make this view available for other
users" - "Publish to users of sites" on the "Edit" page of the customization.
Please note that the customizations will be available on the selected sites
after the next activation of changes for these sites.
ID: 14688
Title: Increased metric queue sizes
Component: cmc
Level: 2
Class: Bug fix
Version: 2.2.0i1
The sizes of the internal queues of the CMC for communication with the RRD cache daemon,
Carbon connections, and InfluxDB connections have been increased. This can
help to reduce the "queue full, didn't push update" messages in the CMC log
and the related metric data loss. Note that this will only help when there
are load peaks or peaks in the number of produced metrics from time to time.
If the monitoring server is not powerful enough to handle the average number
of metrics per second in the long run, there will still be data loss.
ID: 15096
Title: Change session management from custom to Flask
Component: Setup
Level: 2
Class: New feature
Version: 2.2.0i1
The HTTP session management has been changed to use
the mechanics provided by the Flask project.
This Werk is in place to mark the transition.
No action on the user's side is required.
ID: 15010
Title: New notification plugin for Microsoft Teams
Component: Notifications
Level: 2
Class: New feature
Version: 2.2.0i1
This werk enables Checkmk to send notifications about changes in the states of
hosts and services to Microsoft Teams.
First, you need to set up a webhook for your team or space (see
<a href="https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-conn…" target="_blank">here</a>),
which will allow Checkmk to post messages. Next, in Checkmk, under "WATO -
Notifications", create a new notification rule. Select "Microsoft Teams" as the
notification method. Copy the URL of your webhook into the Webhook-URL field.
Optionally, if you want sent messages to include hyperlinks to Checkmk, enable
the field "URL prefix for links to Checkmk".
ID: 14998
Title: Remove long deprecated flexible and plain email notifications
Component: Notifications
Level: 2
Class: New feature
Version: 2.2.0i1
This change only affects you if you have set the global setting "Rule
based notifications" to "Off" in your installation.
Flexible and plain email notifications have been deprecated since version 1.5.
If you still use flexible or plain email notifications configured within the
user profile, this werk will remove this notification option from the
user settings and the GUI. Affected users will be logged to
~/var/log/update.log, e.g.:
"Removed notification configuration from user: MY_USER"
All listed users will automatically be updated to use the rule based
notifications. Effectively, the HTML email notifications will be enabled for
them. If you want to use a different notification mechanic, then review the
notification rules and update them according to your needs.
You can find more about the notification configuration
<a href='https://docs.checkmk.com/latest/en/notifications.html'>here</a>.
Any spool files that still exist will be converted to HTML email notifications on update.
If a remote site with a version prior to 2.2 has flexible or plain email
notifications enabled and uses notification forwarding, the notifications will
be converted to HTML email notifications on the receiving site.
ID: 14686
Title: Added timeout to event console communication
Component: Livestatus
Level: 2
Class: Bug fix
Version: 2.2.0i1
An unresponsive event console could eat up Livestatus connections and even
cause a deadlock during the shutdown of the monitoring core. Now there is
a timeout of 10s, after which you get a timeout error for the Livestatus
query or action.
ID: 14919
Title: Do not log host secret (2)
Component: agents
Level: 3
Class: Security fix
Version: 2.2.0i1
Unfortunately Werk #14916 was insufficient.
Therefore the vulnerability still exists.
This Werk fixes the problem.
When using the <i>Agent updater</i>, the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs, which can contain other secrets (e.g. database credentials).
Mitigations without updating:
- Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
- If you cannot rule out that any unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> or <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt>, you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
- Update your agent.
- Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
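Werk 14919 describes the agent-updater log as unprotected and usually world-readable. The following added example (not part of the werk and not Checkmk code) lists the updater logs on a Linux host that group or others can read and can restrict them to the owner; the default directory is the path named in the werk, while the <tt>cmk-update-agent.log*</tt> glob for rotated copies and the two function names are assumptions.

```shell
#!/bin/sh
# Added example, not Checkmk code. The default directory is the Linux path named
# in the werk; the "cmk-update-agent.log*" glob for rotated copies is an assumption.

# Print every agent-updater log in the directory that group or others can read.
exposed_updater_logs() {
    dir="${1:-/var/lib/check_mk_agent}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name 'cmk-update-agent.log*' \
        \( -perm -040 -o -perm -004 \) -print | sort
}

# Set the exposed logs to owner-only (0600) and print how many were changed.
restrict_updater_logs() {
    dir="${1:-/var/lib/check_mk_agent}"
    exposed_updater_logs "$dir" | while IFS= read -r f; do
        chmod 600 "$f" && echo changed
    done | wc -l | tr -d ' '
}

# Report only; call restrict_updater_logs explicitly to change modes.
exposed_updater_logs "$@"
```

Tightening the file mode does not undo earlier reads, so the re-registration, log sanitizing and secret rotation steps listed in the werk still apply.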
ID: 14685
Title: Fixed real-time checks with encryption
Component: cmc
Level: 2
Class: Bug fix
Version: 2.2.0i1
Real-time check data which contains a 0-byte was not processed correctly, so
this mainly affected encrypted RTC data. This has been fixed.
Note that even normal check results were affected, but these are normally
text-only without any 0-bytes, so they worked basically all the time.