ID: 6787
Title: Notification spooler: Fixed file path traversal vulnerability
Component: Notifications
Level: 2
Class: Security fix
Version: 1.6.0i1
The notification daemon of one site connects to the notification daemon of another site
to exchange notifications between both sites.
The notification daemon was not validating the incoming data correctly which made it possible
for an attacker that has access to the notification sending site to compromise the receiving
site.
Using this vulnerability it was possible to write write files in directories that are writable
by the receiving site user. This could be used to gain access to the site.
ID: 6788
Title: Notification spooler: Fixed deserialization of arbitrary input
Component: Notifications
Level: 2
Class: Security fix
Version: 1.6.0i1
The notification daemon of one site connects to the notification daemon of
another site to exchange notifications between both sites.
The messages that are sent between the notification daemons were encoded in an
insecure format which allowed code injections between the communication
partners. This means it was possible to inject code from one notification
spooler to another.
We have now changed the message format to a secure alternative which prevents
code injections.
To be able to perform this transition without loosing notifications and
preventing subtile incompatibilities we decided to keep the new format disabled
by default for all sites created with Check_MK 1.4 and 1.5. This means your
installation will still be affected by this issue by default after updating.
However, once you have updated all your sites to at least 1.4.0p37 in case of
the 1.4.0 branch or or at least 1.5.0p7 in case of the 1.5.0 branch you can
change the main configuration option "Notification Spooler insecure messages"
to "off" and activate the new configuration. Once you have done this all
notification spoolers will use the new secure message format.
Please note that the 1.6 notification spoolers will always use the new message
format and not be compatible to the old message format of the 1.5 notification
spoolers anymore. If you plan to use 1.5 and 1.6 together during migration you
will have to ensure that you use the new message format in your 1.5 sites.
ID: 6780
Title: Fixed random alert / notify helper crashes on some platforms
Component: Core & setup
Level: 2
Class: Bug fix
Version: 1.6.0i1
The alert and notify helpers of the Microcore could crash "randomly"
after hours of operation.
The crash was visible in form of "ImportError: cannot import name" messages
in the var/log/notify.log or var/log/alert.log.
Due to another problem, which will also be fixed soon, the crash of the
helper process made the Microcore process crash.
As far as we know this happened only on Debian Jessie, CentOS/RedHat 7 and
SLES12 SP1/SP2.
CMK-1085
ID: 6779
Title: Fixed displaying unrelated livestatus data to users randomly
Component: Multisite
Level: 2
Class: Bug fix
Version: 1.6.0i1
Because subsequent requests to the GUI could use left over livestatus connections
of other users it could randomly happen that one user used the livestatus connection
of another user which could then result in wrong data shown to the user in the
GUI.
ID: 6770
Title: Showing graph metric values at mouse position now
Component: metrics
Level: 2
Class: New feature
Version: 1.6.0i1
When moving the mouse pointer on Check_MK graphs a hover popup will be shown at
the mous position that contains the date and time of the current mouse
position together with the values of the single metrics.
ID: 6628
Title: Improved timeperiod management
Component: WATO
Level: 2
Class: New feature
Version: 1.6.0i1
The timeperiod management pages have been improved ins several ways:
<ul>
<li>Timeperiods can now be cloned.</li>
<li>Configuring equal times for all weekdays is now easier. Instead of setting
the same time ranges for each weekday it is now possible to select "Same times for all week days".</li>
<li>Timeperiods listed in the excludes list are now sorted.</li>
<li>The number of time ranges per day is now flexible. The dialog starts with
a single time range. You may click on "add time range" to add more.</li>
<li>Improved validations of input values.</li>
<li>The builtin timeperiod 24X7 is now always visible. The implicit existance
of this timeperiod confused users.</li>
</ul>
ID: 6662
Title: Timespecific check parameters: Changed computation algorithm to allow more flexible configurations
Component: WATO
Level: 2
Class: New feature
Version: 1.6.0i1
Werk #4840 introduced timespecific parameters, which allowed timedependant check parameter
configuration through timeperiods. Customer feedback has shown that these configuration were
not flexible enough. Thats why we've changed the computation algorithm.
The new algorithm only affects dictionary based check parameters, tuple based check parameters remain unchanged.
H3:Ruleset example old configuration (deprecated with this werk)
<ul>
<li>Use parameters {"warn": 90} on saturday, default {"warn": 75, "crit": 80}</li>
<li>Use parameters {"warn": 85, "crit": 92"} on weekend, default {"warn": 70, "crit": 75, "bandwidth": 1000}</li>
<li>Use parameters {"check_mode": "auto"} (no timespecific rule)</li>
</ul>
The old mechanism created the following parameters
<ul>
<li>Monday till Friday: {"warn": 75, "crit": 80"}</li>
<li>Saturday: {"warn": 90}</li>
<li>Sunday: {"warn": 75, "crit": 80}</li>
</ul>
As you can see, only the parameters from the first rule were taken into account.
H3:Ruleset example new configuration
<ul>
<li>Use parameters {"warn": 90} on saturday, default {"warn": 75, "crit": 80}</li>
<li>Use parameters {"warn": 85, "crit": 92"} on weekend, default {"warn": 70, "crit": 75, "bandwidth": 1000}</li>
<li>Use parameters {"check_mode": "auto"} (no timespecific rule)</li>
</ul>
The new mechanism now creates the following parameters
<ul>
<li>Monday till Friday: {"warn": 75, "crit": 80", "check_mode": "auto"}</li>
<li>Saturday: {"warn": 90, "crit": 80, "bandwith": 1000, "check_mode": "auto"}</li>
<li>Sunday: {"warn": 85, "crit": 92, "bandwith": 1000, "check_mode": "auto"}</li>
</ul>
As you can see, only the parameters from the first rule were taken into account.
The rule evaluation now starts at the bottom rule and then progresses to the top rule.
For each rule, first of all the default parameters are applied. Afterwards the timespecific
component(s) are applied. If a single rule have more than one timespecific parameter,
these parameters are merged, too.
For example:
<ul>
<li>Use parameters {"warn": 75, "crit": 80, "check_mode": "auto"} on Saturday 10-14h, Use parameters {"special_parameter": True} on Saturday 12-14h</li>
<li>Use parameters {"warn": 85, "crit": 92"} on weekend, default {"warn": 70, "crit": 75, "bandwidth": 1000}</li>
<li>Use parameters {"check_mode": "auto"} (no timespecific rule)</li>
</ul>
Result
<ul>
<li>Saturday 11:00: {"warn": 75, "crit": 80, "bandwidth": 1000, "check_mode": "auto"}</li>
<li>Saturday 13:00: {"warn": 75, "crit": 80, "bandwidth": 1000, "check_mode": "auto", "special_parameter": True}</li>
</ul>
ID: 6659
Title: Agent Baking: Fixed bug where hosts used bakery settings from other hosts
Component: WATO
Level: 2
Class: Bug fix
Version: 1.6.0i1
The rule evaluation for bakery rules was broken for certain dictionary based rule types.
As a result HostA may have received plugin configurations for HostB.
ID: 6615
Title: Fixed unauthorized access to master control actions
Component: Multisite
Level: 2
Class: Security fix
Version: 1.6.0i1
As an authenticated guest user it was possible to gain unauthorized access to
the master control snapin actions event if it is not possible to open the
master control snapin. The vulnerability could be used to disable the complete
monitoring or trigger other actions like disabling notifications.
ID: 6617
Title: Check_MK is now available as Docker container
Component: Site Management
Level: 2
Class: New feature
Version: 1.6.0i1
Besides the traditional operating system packages we are now providing Check_MK
as Docker container image to improve the support of using Check_MK in containerized
environments.
For the moment the Docker images are published together with the other Check_MK
packages on the versions download pages for manual download.
Future releases of the Check_MK Raw Edition will be published on Docker Hub
(https://hub.docker.com/r/checkmk/check-mk-raw/). On this page you can already
find some information on how to use the images. These instructions apply to all
Check_MK Editions.
The Enterprise and Managed Services Edition containers will also be available through
a docker image repository in the future. For the moment you will have to download and
import the images manually using <tt>docker load</tt>.