ID: 14411
Title: Disallow tuple ruleset format
Component: Setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
If you manage your Checkmk configuration only via the UI, you are not affected by this change.
The old pre-1.6 tuple ruleset format in rules.mk is no longer allowed. See werk 7352
for the new format. If a tuple rule is found, Checkmk will throw an exception with detailed
information on how it expects the rule to look. We do not guarantee that this information will
still be included after version 2.2.
ID: 13890
Title: Resurrect magic column name prefixing for cached state history table
Component: Livestatus
Level: 2
Class: Bug fix
Version: 2.2.0i1
There was a regression in 2.1 which broke the magic prefixing of column
names for the statehist table with "current_". This in turn broke various
availability-related things in the GUI which relied on that hack.
ID: 13889
Title: Fixed unit/description translation of SNMP traps
Component: Event Console
Level: 2
Class: Bug fix
Version: 2.2.0i1
Due to a regression in 2.1, the translation of units and descriptions of
SNMP traps was broken. This has been fixed.
ID: 13888
Title: Handle comments/downtimes for vanished hosts/services
Component: cmc
Level: 2
Class: Bug fix
Version: 2.2.0i1
There was a regression compared to 2.0 when loading the CMC state:
Comments/downtimes for vanished hosts/services resulted in a CMC crash.
This has been fixed, such comments/downtimes are now silently ignored, as
before.
ID: 13926
Title: validation of error responses of the REST API
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
This werk changes the default error schema to match the responses that
have been returned until now.
The schema and the responses did not fit, and this went unnoticed because
the responses were not checked automatically. They are now.
To ensure that dynamic scripts will not break, only the schema has
been changed. Users of dynamic languages (Python, Bash, etc.) will not
have to change anything.
If you use a statically generated API client, you may need to re-compile
the client after this werk.
The changed fields in the schema (not in the response) are:
- code -> status
- message -> detail
ID: 14349
Title: performance bug when using a cluster
Component: Core & setup
Level: 2
Class: Bug fix
Version: 2.2.0i1
Running all checks on a cluster with more than 100 services took several minutes. This has been fixed and runtime is now a few seconds.
No user interaction required.
ID: 13724
Title: Remove legacy macro expansion in Event Console script actions
Component: Event Console
Level: 2
Class: Security fix
Version: 2.2.0i1
The Event Console is able to execute actions, e.g. shell scripts, when opening
or cancelling events. Details of the events are available to the script via
environment variables prefixed with <tt>CMK_</tt>, as described in the user manual
(https://docs.checkmk.com/latest/en/ec.html#_shell_scripts_and_emails). This
mechanism will keep working as before.
However, there is a second, undocumented mechanism which relies on macro
expansion in the shell scripts. Previously it was possible to use macros (e.g.
<tt>$HOST$</tt>) in the <i>Event Console</i> scripts. These were replaced
textually before executing the script. The values of these macros can be untrusted
input and lead to command injection. You are only affected by this issue if your
scripts use the macro expansion.
With this incompatible change we remove the macro expansion mechanism for
security reasons. The site update mechanism tries to detect Event Console
actions using these macros, disables them and informs you about the
change. The output of <tt>omd update</tt> for an action being disabled looks
like this:
C+:
"Script 'some_action_id' uses macros. We disable it. Please replace the macros
with proper variables before enabling it again!"
C-:
If you use the <i>Event Console</i> with shell script actions, check
your scripts for macros and replace them with the documented environment
variable approach (Setup > Events > Event Console rule packs > Event Console
configuration > Event Console configuration). All macro values are available
as environment variables prefixed with <tt>CMK_</tt>.
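The following is an added example, not Checkmk code, that shows why textual macro expansion in an action script is a command injection while the documented <tt>CMK_</tt> environment variables are not. The two action scripts, the event with a hostile host name and the <tt>find_macros</tt> detector (modelled on what the update check looks for) are constructed for this illustration.

```python
"""Added example (not Checkmk code): macro expansion vs. CMK_* environment
variables in an Event Console action script. Scripts and events are constructed."""
from __future__ import annotations

import os
import re
import subprocess

# Constructed EC action in the removed macro style: $HOST$ was replaced
# textually in the script body before the text was handed to the shell.
MACRO_ACTION = 'echo "event on host $HOST$"\n'
# The same action written the documented way: the shell reads CMK_HOST itself.
ENV_ACTION = 'echo "event on host $CMK_HOST"\n'

# Constructed event whose host field carries a shell command substitution.
MALICIOUS_EVENT = {"host": "srv01$(echo INJECTED)"}
BENIGN_EVENT = {"host": "srv01"}

# Shape of the old macros: an upper-case name between two dollar signs.
MACRO_RE = re.compile(r"\$[A-Z_]+\$")


def find_macros(script: str) -> list[str]:
    """Detect $NAME$ macros in an action script (the kind omd update disables)."""
    return MACRO_RE.findall(script)


def expand_macros(script: str, event: dict) -> str:
    """The removed mechanism: plain string substitution of event fields."""
    for name, value in event.items():
        script = script.replace("$%s$" % name.upper(), str(value))
    return script


def run_with_macro_expansion(script: str, event: dict) -> str:
    """Run an action the old way: expand macros, then feed the text to sh.
    Whatever the event contains becomes shell syntax."""
    expanded = expand_macros(script, event)
    proc = subprocess.run(["sh"], input=expanded, capture_output=True, text=True)
    return proc.stdout


def run_with_env(script: str, event: dict) -> str:
    """Run an action the documented way: event fields go into CMK_* variables.
    The script text is fixed, so the value is never re-parsed as shell syntax."""
    env = dict(os.environ)
    for name, value in event.items():
        env["CMK_" + name.upper()] = str(value)
    proc = subprocess.run(["sh"], input=script, env=env, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("macros found   :", find_macros(MACRO_ACTION))
    print("macro expansion:", run_with_macro_expansion(MACRO_ACTION, MALICIOUS_EVENT).strip())
    print("env variable   :", run_with_env(ENV_ACTION, MALICIOUS_EVENT).strip())
```

With the hostile event, the macro path prints <tt>event on host srv01INJECTED</tt>: the substitution inside the host name was executed. The environment variable path prints the host name literally, because <tt>$CMK_HOST</tt> is expanded by the shell after parsing and its contents are not parsed again. The same holds for any other shell metacharacter in an event field; quoting the macro in the script does not help, since the attacker controls what ends up inside the quotes.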
ID: 14089
Title: Checkmk agent TLS encryption and compression
Component: Checks & agents
Level: 2
Class: New feature
Version: 2.2.0i1
In Checkmk version 2.1, the monitoring data sent from the monitored host to the monitoring server is TLS encrypted and compressed by default.
This is realized by a new component on the monitored hosts, the Checkmk agent controller, shipped as the executable <tt>cmk-agent-ctl</tt>.
On Linux systems the agent controller runs as a dedicated user <i>cmk-agent</i>, which is added during installation.
As a result, the process listening on the TCP port has limited privileges, and the agent output is not readable by any other local user.
Upgraded setups continue to work as before, but an additional registration step is required to enable TLS encryption.
More information on the registration step, the installation and the provided commands can be found <a href="https://docs.checkmk.com/master/en/agent_linux.html">in our online documentation</a>.
ID: 14087
Title: Fix privilege escalation vulnerability
Component: Checks & agents
Level: 2
Class: Security fix
Version: 2.2.0i1
Prior to this werk, an attacker who could become a site user could replace the site's <tt>bin/unixcat</tt> with a custom executable.
The Checkmk agent would then run it as root.
With this werk the agent always calls one of the shipped <tt>unixcat</tt> binaries below <tt>/omd/versions/</tt>.
All maintained versions (>=1.6) are subject to this vulnerability. It is likely that previous versions were vulnerable as well.
To check for possible exploitation, make sure that the site's directory <tt>~MySite/bin</tt> points to <tt>/omd/versions/MySitesVersion/bin</tt>.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 8.2
CVE will be added here later
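The check recommended above, as an added example that is not part of Checkmk: it resolves a site's <tt>bin</tt> through its symlinks and reports whether it lands in a shipped <tt>/omd/versions/&lt;version&gt;/bin</tt> and whether <tt>bin/unixcat</tt> lives there. The <tt>omd_root</tt> parameter, the miniature directory tree and the version string are assumptions so the check can be exercised in a temporary directory; run it against a real site with the default root.

```python
"""Added example (not Checkmk code): verify that a site's bin directory and
its unixcat resolve into the shipped /omd/versions tree. The demo tree,
the omd_root parameter and the version string are constructed."""
from __future__ import annotations

import os
import tempfile


def site_bin_is_shipped(site_home: str, omd_root: str = "/omd") -> tuple[bool, str]:
    """Return (ok, reason) for one site. Symlinks are followed on both sides,
    so a bin that is a real directory, or a link pointing elsewhere, is reported."""
    versions_dir = os.path.realpath(os.path.join(omd_root, "versions"))
    site_bin = os.path.join(site_home, "bin")
    real_bin = os.path.realpath(site_bin)
    version_dir, leaf = os.path.split(real_bin)
    parent, version = os.path.split(version_dir)
    if leaf != "bin" or parent != versions_dir:
        return False, f"{site_bin} resolves to {real_bin}, not to {versions_dir}/<version>/bin"
    real_unixcat = os.path.realpath(os.path.join(site_bin, "unixcat"))
    if os.path.dirname(real_unixcat) != real_bin or not os.path.isfile(real_unixcat):
        return False, f"{site_bin}/unixcat resolves to {real_unixcat}, outside the shipped bin"
    return True, f"{site_bin} -> {real_bin} (shipped version {version})"


def build_demo_tree(root: str) -> dict[str, str]:
    """Construct a miniature omd tree under root: one shipped version, a site
    whose bin is linked correctly, and a site whose bin was replaced by a
    writable directory carrying an attacker-supplied unixcat."""
    version = "2.2.0i1.cee"  # constructed version string
    shipped_bin = os.path.join(root, "versions", version, "bin")
    os.makedirs(shipped_bin)
    with open(os.path.join(shipped_bin, "unixcat"), "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")  # stand-in for the shipped binary

    good = os.path.join(root, "sites", "good")
    os.makedirs(good)
    os.symlink(shipped_bin, os.path.join(good, "bin"))

    bad = os.path.join(root, "sites", "bad")
    os.makedirs(os.path.join(bad, "bin"))
    with open(os.path.join(bad, "bin", "unixcat"), "w") as fh:
        fh.write("#!/bin/sh\n# attacker-controlled replacement\n")
    return {"good": good, "bad": bad}


def run_demo() -> dict[str, bool]:
    """Build the tree in a temporary directory and check both sites."""
    with tempfile.TemporaryDirectory() as root:
        results = {}
        for name, home in build_demo_tree(root).items():
            ok, reason = site_bin_is_shipped(home, omd_root=root)
            print(f"{name}: {'OK' if ok else 'SUSPICIOUS'}: {reason}")
            results[name] = ok
        return results


if __name__ == "__main__":
    run_demo()
```

On a real installation, call <tt>site_bin_is_shipped("/omd/sites/MySite")</tt> as root for every site; a site whose <tt>bin</tt> has become a real directory, or whose <tt>unixcat</tt> no longer resolves into <tt>/omd/versions/</tt>, is the condition the werk describes and should be treated as a possible compromise rather than repaired silently.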