Werk 17056 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Don't show automation secret in the audit log (addresses CVE-2024-28830)
key | value
---------- | ---
date | 2024-06-19T12:10:00+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 2
compatible | no
By default only admin users are able to see the audit log. Guests and normal
monitoring users do not have access to the audit log.
Werk #13330 already fixed a problem where passwords were shown in the audit log.
This werk addresses the remaining problem that automation secrets of
automation users were still logged in clear text to the audit log, e.g. on
change of the automation secret via REST-API or the user interface.
Existing automation secrets in the audit log should be removed automatically
during the update but please double check that no automation secrets remain in
the log (see next paragraph for details).
A backup of the original audit log (before automation secrets were removed) is
copied to "~/audit_log_backup". If anything goes wrong
during the update, you have to copy the files back to ~/var/check_mk/wato/log
and remove the automation secrets manually. If the update works as expected,
you can remove the backup files.
In distributed setups which do not replicate the configuration, automation
secrets are replaced during the update of each site.
In setups which replicate the configuration from central to remote sites no
automation secrets should be present in the logs of the remote site, since only
information about the activation is logged. Only if you switched to a
replicated setup after the upgrade to 2.0 can automation secrets be
present in the logs. Since automation secrets may be present in this scenario
as well, the steps described above also apply.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Mitigations*:
Remove automation secrets manually within the files located in
~/var/check_mk/wato/log.
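One way to do the double check described above, as an added example (not Checkmk's own code): search the audit log directory and the backup directory for secret values you already know, and report only file, line number and a short fingerprint. The function names, the sample file name and the log lines are constructed for illustration and do not reflect Checkmk's real audit log format; the list of secrets is supplied by the operator.

```python
"""Added example: confirm that known automation secrets are gone from audit log files."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def find_secret_hits(directory: Path, secrets: list[str]) -> list[tuple[str, int, str]]:
    """Return (relative file, 1-based line number, fingerprint) for every hit.

    Files are read as bytes so an unexpected encoding cannot hide a match.
    Only a short SHA-256 fingerprint of the secret is reported, never the
    secret itself, so the scan output is safe to paste into a ticket.
    """
    needles = [
        (s.encode("utf-8"), hashlib.sha256(s.encode("utf-8")).hexdigest()[:8])
        for s in secrets
        if s  # an empty string would match every line
    ]
    hits: list[tuple[str, int, str]] = []
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        for lineno, line in enumerate(path.read_bytes().splitlines(), start=1):
            for needle, fingerprint in needles:
                if needle in line:
                    hits.append((path.relative_to(directory).as_posix(), lineno, fingerprint))
    return hits


def demo() -> dict[str, list[tuple[str, int, str]]]:
    """Run the scan on a constructed site layout (log lines are made up)."""
    secret = "CONSTRUCTED-secret-0123456789"  # constructed sample value
    with tempfile.TemporaryDirectory() as site_home:
        log_dir = Path(site_home, "var", "check_mk", "wato", "log")
        backup_dir = Path(site_home, "audit_log_backup")
        log_dir.mkdir(parents=True)
        backup_dir.mkdir()
        # Sanitized log after the update: the secret value is gone.
        (log_dir / "example_audit.log").write_bytes(
            b"constructed entry: automation secret of user 'automation' changed\n"
            b"constructed entry: activation started\n"
        )
        # Backup taken before sanitizing: still holds the clear-text value.
        (backup_dir / "example_audit.log").write_bytes(
            b"constructed entry: activation started\n"
            b"constructed entry: secret changed to " + secret.encode() + b"\n"
        )
        return {
            "log": find_secret_hits(log_dir, [secret]),
            "backup": find_secret_hits(backup_dir, [secret]),
        }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "clean")
```

A hit in the backup directory is expected until the backup is deleted; a hit in the log directory means that file still needs manual cleanup. Secrets that were rotated before the update have to be added to the list by hand, since only values passed in can be found.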
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.7 (Low) with the following
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE
`CVE-2024-28830`.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Don't show automation secret in the audit log (addresses CVE-2024-28830)
key | value
---------- | ---
date | 2024-06-19T12:10:00+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 2
compatible | no
By default only admin users are able to see the audit log. Guests and normal
monitoring users do not have acces to the audit log.
Werk #13330 already fixed a problem where passwords were shown in the audit log.
This werk now addresses the problem, that still automation secrets of
automation user were logged in clear text to the audit log, e.g. on change of
the automation secret via REST-API or the user interface.
Existing automation secrets in the audit log should be removed automatically
during the update but please double check that no automation secrets remain in
the log (see next paragraph for details).
A backup of the original audit log (before automation secrets were removed) is
- copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong
? - ^^^^^^^ -------- ---------
+ copied to "~/audit_log_backup". If anything goes wrong
? ^^^^
during the update, you have to copy the files back to ~var/check_mk/wato/log
and remove the automation secrets manually. If the update works as expected,
you can remove the backup files.
In distributed setups which do not replicate the configuration, automation
secrets are replaced during the update of each site.
In setups which replicate the configuration from central to remote sites no
automation secrets should be present in the logs of the remote site, since only
information about the activation is logged. Only if you switched to a
replicated setup after the upgrade to the 2.0, automation secrets can be
present in the logs. Since automation secrets may be in this scenario as well,
the steps described before also apply.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Mitigations*:
Remove automation secrets manually within the files located in
~var/check_mk/wato/log.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of <2.7 (Low)> with the following
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE
`CVE-2024-28830`.
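Review bot: On the changed line that moves the backup to "~/audit_log_backup", the context that follows still ends with "you can remove the backup files", which undersells that this backup is the audit log from before sanitizing and therefore still holds the clear-text automation secrets; I would word the removal as a required cleanup step once the update is verified. The context line right after the change also writes the restore target as "~var/check_mk/wato/log" (the Mitigations paragraph does the same), without the slash that the changed line uses in "~/audit_log_backup", so I suggest "~/var/check_mk/wato/log" in both places.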
Title: Don't show automation secret in the audit log (addresses CVE-2024-28830)
Class: security
Compatible: incomp
Component: wato
Date: 1718799000
Edition: cre
Level: 2
Version: 2.2.0p28
By default only admin users are able to see the audit log. Guests and normal
monitoring users do not have access to the audit log.
Werk #13330 already fixed a problem where passwords were shown in the audit log.
This werk addresses the remaining problem that automation secrets of
automation users were still logged in clear text to the audit log, e.g. on
change of the automation secret via REST-API or the user interface.
Existing automation secrets in the audit log should be removed automatically
during the update but please double check that no automation secrets remain in
the log (see next paragraph for details).
A backup of the original audit log (before automation secrets were removed) is
copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong
during the update, you have to copy the files back to ~/var/check_mk/wato/log
and remove the automation secrets manually. If the update works as expected,
you can remove the backup files.
In distributed setups which do not replicate the configuration, automation
secrets are replaced during the update of each site.
In setups which replicate the configuration from central to remote sites no
automation secrets should be present in the logs of the remote site, since only
information about the activation is logged. Only if you switched to a
replicated setup after the upgrade to 2.0 can automation secrets be
present in the logs. Since automation secrets may be present in this scenario
as well, the steps described above also apply.
<em>Affected Versions</em>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<em>Mitigations</em>:
Remove automation secrets manually within the files located in
~/var/check_mk/wato/log.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 2.7 (Low) with the following
CVSS vector: <code>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code> and assigned CVE
<code>CVE-2024-28830</code>.
[//]: # (werk v2)
# Don't show automation secret in the audit log (addresses CVE-2024-28830)
key | value
---------- | ---
date | 2024-06-19T12:10:00+00:00
version | 2.3.0p7
class | security
edition | cre
component | wato
level | 2
compatible | no
By default only admin users are able to see the audit log. Guests and normal
monitoring users do not have access to the audit log.
Werk #13330 already fixed a problem where passwords were shown in the audit log.
This werk addresses the remaining problem that automation secrets of
automation users were still logged in clear text to the audit log, e.g. on
change of the automation secret via REST-API or the user interface.
Existing automation secrets in the audit log should be removed automatically
during the update but please double check that no automation secrets remain in
the log (see next paragraph for details).
A backup of the original audit log (before automation secrets were removed) is
copied to "~/var/check_mk/wato/log/sanitize_backup". If anything goes wrong
during the update, you have to copy the files back to ~/var/check_mk/wato/log
and remove the automation secrets manually. If the update works as expected,
you can remove the backup files.
In distributed setups which do not replicate the configuration, automation
secrets are replaced during the update of each site.
In setups which replicate the configuration from central to remote sites no
automation secrets should be present in the logs of the remote site, since only
information about the activation is logged. Only if you switched to a
replicated setup after the upgrade to 2.0 can automation secrets be
present in the logs. Since automation secrets may be present in this scenario
as well, the steps described above also apply.
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Mitigations*:
Remove automation secrets manually within the files located in
~/var/check_mk/wato/log.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.7 (Low) with the following
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE
`CVE-2024-28830`.
Title: mknotifyd: use site names in service description
Class: fix
Compatible: incomp
Component: checks
Date: 1716821823
Edition: cre
Level: 2
Version: 2.2.0p28
This update affects users monitoring the <em>OMD Notify Connection</em> services, regardless of whether the connection is encrypted.
Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because the connections are managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1.
To resolve this issue, we have updated the service naming.
Now, the names of the involved sites will be shown in the format: <em>OMD MySite Notification Spooler connection to MyRemoteSite</em>.
Impact:
LI: Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual.
LI: Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible.
LI: To maintain service history, users can create a service description translation rule. This can be done in the configuration at: <em>Setup</em> > <em>Agents</em> > <em>Access to agents</em> > <em>Translation of service descriptions</em>. Use a regex or static string to map the old service names to the new ones.
[//]: # (werk v2)
# mknotifyd: use site names in service description
key | value
---------- | ---
date | 2024-05-27T14:57:03+00:00
version | 2.3.0p7
class | fix
edition | cre
component | checks
level | 2
compatible | no
This update affects users monitoring the _OMD Notify Connection_ services, regardless of whether the connection is encrypted.
Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because the connections are managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1.
To resolve this issue, we have updated the service naming.
Now, the names of the involved sites will be shown in the format: _OMD MySite Notification Spooler connection to MyRemoteSite_.
Impact:
- Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual.
- Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible.
- To maintain service history, users can create a service description translation rule. This can be done in the configuration at: _Setup_ > _Agents_ > _Access to agents_ > _Translation of service descriptions_. Use a regex or static string to map the old service names to the new ones.
[//]: # (werk v2)
# mknotifyd: use site names in service description
key | value
---------- | ---
date | 2024-05-27T14:57:03+00:00
version | 2.4.0b1
class | fix
edition | cre
component | checks
level | 2
compatible | no
This update affects users monitoring the _OMD Notify Connection_ services, regardless of whether the connection is encrypted.
Previously it was not possible to correctly monitor the Notification Spooler connection with TLS. For encrypted incoming connections, the IP address and port were unavailable because the connections are managed by stunnel using Unix sockets. Consequently, services for encrypted connections were named incorrectly and always displayed the IP address as 127.0.0.1.
To resolve this issue, we have updated the service naming.
Now, the names of the involved sites will be shown in the format: _OMD MySite Notification Spooler connection to MyRemoteSite_.
Impact:
- Currently monitored services (e.g., those configured with unencrypted connections) will continue to work as usual.
- Upon rediscovery, new services will be discovered and will adopt the new naming convention. For this reason, this werk is flagged as incompatible.
- To maintain service history, users can create a service description translation rule. This can be done in the configuration at: _Setup_ > _Agents_ > _Access to agents_ > _Translation of service descriptions_. Use a regex or static string to map the old service names to the new ones.
[//]: # (werk v2)
# NetApp via WebAPI: remove deprecated agent and plugin
key | value
---------- | ---
date | 2024-06-07T08:39:33+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | no
This werk impacts users who monitor a NetApp environment with the deprecated special agent "NetApp via WebAPI" (agent_netapp).
As of Checkmk version 2.4.0, the agent "NetApp via WebAPI" and its associated checks and inventory plugins have been removed.
Please configure the new special agent using the "NetApp via Ontap REST API" ruleset and perform a re-discovery.
The following plugins are no longer available:
- NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_aggr_)
- NetApp Ontap Filer: 7Mode Cluster Status (_netapp_api_cluster_)
- NetApp API Connection (_netapp_api_connection_)
- NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_cpu_)
- NetApp Clustermode Filer: NVRAM Battery (_netapp_api_cpu_nvram_bat_)
- NetApp Filer: 7Mode Global CPU Utilization (_netapp_api_cpu_utilization_)
- NetApp Filer: Disk Summary (_netapp_api_disk_summary_)
- NetApp Filer Clustermode: PSU Fault Info (_netapp_api_environment_)
- NetApp Filer Clustermode: System Electrical Current (_netapp_api_environment_current_)
- NetApp Filer Clustermode: Fan Fault Info (_netapp_api_environment_fan_faults_)
- NetApp Filer Clustermode: System Fan Speed (_netapp_api_environment_fans_)
- NetApp Filer Clustermode: System Temperature (_netapp_api_environment_temperature_)
- NetApp Filer Clustermode: System Electrical Voltage (_netapp_api_environment_voltage_)
- NetApp Filer: FANs (_netapp_api_fan_)
- NetApp Filer: FANs Summary (_netapp_api_fan_summary_)
- NetApp Cluster-Mode: State of Fibrechannel Interfaces (_netapp_api_fcp_)
- NetApp Filer: State of Network Interfaces (_netapp_api_if_)
- NetApp Filer: Version Info (_netapp_api_info_)
- NetApp Filer: Used Space of LUNs (_netapp_api_luns_)
- NetApp Filer: Ports (_netapp_api_ports_)
- NetApp Filer 7Mode: Protocols (_netapp_api_protocol_)
- NetApp Filer: Power Supplies (_netapp_api_psu_)
- NetApp Filer: Power Supplies Summary (_netapp_api_psu_summary_)
- NetApp Filer: Used Space of qtrees in Volumes (_netapp_api_qtree_quota_)
- NetApp Filer: Used Space in Snapshots of Volumes (_netapp_api_snapshots_)
- NetApp Filer: Snapvault/Snapmirror Lag-time (_netapp_api_snapvault_)
- NetApp Filer: Overall System Health (_netapp_api_status_)
- NetApp Filer: Systemtime (_netapp_api_systemtime_)
- NetApp Filer: Temperature Sensors (_netapp_api_temp_)
- NetApp Filer 7Mode: vFiler CPU Utilization (_netapp_api_vf_stats_)
- NetApp Filer: vFiler Traffic (_netapp_api_vf_stats_traffic_)
- NetApp Filer: vFiler Status (_netapp_api_vf_status_)
- NetApp Filer: Used Space and Traffic of Volumes (_netapp_api_volumes_)
- NetApp Filer: vServer Status (_netapp_api_vs_status_)
- NetApp Filer: vServer Traffic Summary (_netapp_api_vs_traffic_)
Werk 16767 was deleted. The following Werk is no longer relevant.
[//]: # (werk v2)
# NetApp via WebAPI: remove deprecated agent and plugin
key | value
---------- | ---
date | 2024-06-07T08:39:33+00:00
version | 2.4.0b1
class | feature
edition | cre
component | checks
level | 2
compatible | no
This werk impacts users who monitor a NetApp environment with the deprecated special agent "NetApp via WebAPI" (agent_netapp).
As of Checkmk version 2.4.0, the agent "NetApp via WebAPI" and its associated checks and inventory plugins have been removed.
Please configure the new special agent using the "NetApp via Ontap REST API" ruleset and perform a re-discovery.
The following plugins are no longer available:
- NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_aggr_)
- NetApp Ontap Filer: 7Mode Cluster Status (_netapp_api_cluster_)
- NetApp API Connection (_netapp_api_connection_)
- NetApp Filer: Cluster-Mode CPU Utilization (_netapp_api_cpu_)
- NetApp Clustermode Filer: NVRAM Battery (_netapp_api_cpu_nvram_bat_)
- NetApp Filer: 7Mode Global CPU Utilization (_netapp_api_cpu_utilization_)
- NetApp Filer: Disk Summary (_netapp_api_disk_summary_)
- NetApp Filer Clustermode: PSU Fault Info (_netapp_api_environment_)
- NetApp Filer Clustermode: System Electrical Current (_netapp_api_environment_current_)
- NetApp Filer Clustermode: Fan Fault Info (_netapp_api_environment_fan_faults_)
- NetApp Filer Clustermode: System Fan Speed (_netapp_api_environment_fans_)
- NetApp Filer Clustermode: System Temperature (_netapp_api_environment_temperature_)
- NetApp Filer Clustermode: System Electrical Voltage (_netapp_api_environment_voltage_)
- NetApp Filer: FANs (_netapp_api_fan_)
- NetApp Filer: FANs Summary (_netapp_api_fan_summary_)
- NetApp Cluster-Mode: State of Fibrechannel Interfaces (_netapp_api_fcp_)
- NetApp Filer: State of Network Interfaces (_netapp_api_if_)
- NetApp Filer: Version Info (_netapp_api_info_)
- NetApp Filer: Used Space of LUNs (_netapp_api_luns_)
- NetApp Filer: Ports (_netapp_api_ports_)
- NetApp Filer 7Mode: Protocols (_netapp_api_protocol_)
- NetApp Filer: Power Supplies (_netapp_api_psu_)
- NetApp Filer: Power Supplies Summary (_netapp_api_psu_summary_)
- NetApp Filer: Used Space of qtrees in Volumes (_netapp_api_qtree_quota_)
- NetApp Filer: Used Space in Snapshots of Volumes (_netapp_api_snapshots_)
- NetApp Filer: Snapvault/Snapmirror Lag-time (_netapp_api_snapvault_)
- NetApp Filer: Overall System Health (_netapp_api_status_)
- NetApp Filer: Systemtime (_netapp_api_systemtime_)
- NetApp Filer: Temperature Sensors (_netapp_api_temp_)
- NetApp Filer 7Mode: vFiler CPU Utilization (_netapp_api_vf_stats_)
- NetApp Filer: vFiler Traffic (_netapp_api_vf_stats_traffic_)
- NetApp Filer: vFiler Status (_netapp_api_vf_status_)
- NetApp Filer: Used Space and Traffic of Volumes (_netapp_api_volumes_)
- NetApp Filer: vServer Status (_netapp_api_vs_status_)
- NetApp Filer: vServer Traffic Summary (_netapp_api_vs_traffic_)