ID: 14871
Title: Windows agent's ProgramData directory is accessible only with admins permissions
Component: Checks & agents
Level: 2
Class: Security fix
Version: 2.2.0i1
Previous to this Werk, every authenticated Windows user could read some sensitive data
from the Windows agent's working directory. To prevent sensitive data from leaking,
we now restrict read permission on the Windows agent's data to administrators.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
(https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/…)
ID: 14298
Title: Remove Web API
Component: Setup
Level: 2
Class: New feature
Version: 2.2.0i1
With Checkmk 2.1, announced by Werk #13640, the Web API was deprecated. This
release now removes the Web API.
We recommend migrating all existing scripts that use the Web API to the REST
API.
ID: 14872
Title: mk_logwatch plugin correctly reports changes on Windows
Component: Checks & agents
Level: 2
Class: Bug fix
Version: 2.2.0i1
Previously, the mk_logwatch plugin could wrongly report the whole content
of a log file as changed. The source of the problem was
an unstable file identification algorithm on Windows.
With this release the logwatch plugin on Windows always correctly
determines the changed part of a monitored file.
ID: 14916
Title: Do not log host secret
Component: agents
Level: 3
Class: Security fix
Version: 2.2.0i1
When using the <i>Agent updater</i> the Checkmk server needs a secret in order to allow the agent to download new agents.
For security reasons this secret is unique for each host and generated with the <tt>cmk-update-agent register</tt> command.
Unfortunately the generated host secret was written to the cmk-update-agent.log.
This logfile is not protected and usually world-readable.
With this secret one can download the current agent from the Checkmk server.
Included in that agent package are the plugin configs, which can contain other secrets (e.g. database credentials).
Mitigations without updating:
LI: Reregister the agent-updater. Then sanitize the cmk-update-agent.log files.
LI: If you cannot rule out that an unauthorized user read <tt>/var/lib/check_mk_agent/cmk-update-agent.log</tt> or <tt>C:\ProgramData\checkmk\agent\log\cmk-update-agent.log</tt>, you should rotate all secrets that might be or were included in the agent configurations.
Steps needed with the update:
LI: Update your agent.
LI: Reregister the agent-updater.
All versions including 1.5 are subject to this vulnerability.
We found this vulnerability internally and have no indication of any exploitation.
We calculated a CVSS 3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
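Both Werk #14871 (ProgramData directory readable by every authenticated user) and Werk #14916 (world-readable cmk-update-agent.log) come down to the same question on a Windows host: which principals other than Administrators and SYSTEM hold read access on the agent's data? The following PowerShell audit is an added example, not Checkmk's own code; it uses the paths named in the Werks above, and the list of trusted principals is an assumption to adjust for your environment.

```powershell
# Added example (not Checkmk code): report ACEs that grant read access on the
# agent's working directory and on cmk-update-agent.log to principals other
# than the built-in administrative ones. Run in an elevated session.

function Get-NonAdminReadAccess {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # Assumption: only these principals are expected to read the agent's data.
    $trusted  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    # ReadData (files) and ListDirectory (directories) share the same bit.
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist on this host"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $readMask) -eq $readMask) {
            [PSCustomObject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Paths taken from the Werks above.
$targets = @(
    'C:\ProgramData\checkmk\agent',
    'C:\ProgramData\checkmk\agent\log\cmk-update-agent.log'
)

$findings = $targets | ForEach-Object { Get-NonAdminReadAccess -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No read access for non-administrative principals found.'
}
```

Any row naming <tt>BUILTIN\Users</tt> or <tt>NT AUTHORITY\Authenticated Users</tt> indicates an installation that still has the pre-2.2.0 permissions, or an inherited ACE from the parent directory; the <tt>Inherited</tt> column tells the two cases apart. On a host where the log file was readable, follow the mitigation steps listed above (reregister, sanitize the log, rotate the secrets it may have exposed).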
ID: 14683
Title: Fixed livedump for Python 3
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
The livedump tool generated invalid configurations and states when used with
Python 3, effectively rendering the tool unusable. This has been fixed.
ID: 14534
Title: Add unit conversion support for graphs
Component: metrics
Level: 2
Class: New feature
Version: 2.2.0i1
This werk adds the support for converting the displayed unit of a metric
in a graph.
Currently, only conversion of temperatures from Celsius to
Fahrenheit or Kelvin is supported, but this can be extended in the future.
To convert a unit you can use the <i>Convert unit to</i> option in
<i>Graph Tunings</i>.
ID: 14869
Title: Fix regression in mk_logwatch plugin in Windows
Component: Checks & agents
Level: 2
Class: Bug fix
Version: 2.2.0i1
Until now the mk_logwatch plugin could not create a directory for batch
files, because the directory name usually contained a colon and the
colon is a forbidden character in NTFS file names. Due to this bug, logwatch
monitoring was impossible.
With this version the mk_logwatch plugin replaces the colon in the directory
name with an underscore, thus fixing the regression.
SUP-11644
ID: 14866
Title: Windows PowerShell plugins generate UTF-8 output by default
Component: Checks & agents
Level: 2
Class: New feature
Version: 2.2.0i1
As of this release, the output of all Windows PowerShell plugins
is configured as UTF-8, thus eliminating problems with non-ASCII
characters in the output.
ID: 14606
Title: Agent Bakery: Optionally log to dedicated logfile
Component: Setup
Level: 2
Class: New feature
Version: 2.2.0i1
It's now possible to activate logging for the agent bakery.
When activated at <i>Global Settings - Setup - Agent bakery logging</i>,
the agent bakery will log messages to <tt>~/var/log/agent_bakery.log</tt>
with the selected log level. This applies equally to bakery jobs invoked via the GUI
and via the command line.
Without activated logging, baking details are still available on the command line
when baking with command <tt>cmk --bake-agents -v</tt> as a site user.
Also, when baking in the GUI, error details are propagated on failure to the executing
background job, as they already were before.
ID: 14285
Title: Fix frozen Microcore (Livestatus not responding) during config reloads
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
The reload of the Microcore and its helper processes could freeze when
the core had notifications pending during the reload. This was caused by a deadlock
between the notification helper and the Microcore: the Microcore was still
alive but waiting for the notification helper to terminate, while the
notification helper waited for the Microcore.
From the user's perspective this resulted in Livestatus not being responsive
while cmc.log showed a message like: <tt>still X unsent events, sending
them now</tt>.