[//]: # (werk v2)
# Fixed association of contacts with hosts/services/contactgroups
key | value
---------- | ---
date | 2024-04-05T13:48:37+00:00
version | 2.4.0b1
class | fix
edition | cre
component | livestatus
level | 3
compatible | yes
Checkmk 2.3 beta introduced a regression regarding contacts when
the Nagios core was used: The association of contacts with hosts,
services and contact groups was incorrect. Symptoms of this bug
included, e.g., missing hosts or services in the GUI.
Title: mk_oracle(ps1): Prevent privilege escalation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.1.0p41
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator under Windows) user, which prevents the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
Title: mk_oracle(ps1): Prevent privilege escalation to root
Class: security
Compatible: compat
Component: checks
Date: 1705479643
Edition: cre
Level: 3
Version: 2.2.0p24
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator under Windows) user, which prevents the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
LI: 2.3.0 (beta)
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
[//]: # (werk v2)
# mk_oracle(ps1): Prevent privilege escalation to root
key | value
---------- | ---
compatible | yes
version | 2.4.0b1
date | 2024-01-17T08:20:43+00:00
level | 3
class | security
component | checks
edition | cre
The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put
it in the corresponding directory. The script would be executed by the root user.
All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator under Windows) user, which prevents the privilege escalation.
Affected binaries are: sqlplus, tnsping, crsctl.
<h3>Affected Versions</h3>
* 2.3.0 (beta)
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the mk_oracle plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2024-0638</code>.
<h3>Changes</h3>
All called binaries are now executed in a safe way.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.1.0p38
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with another script and put
it in the JAVA_HOME directory. The script would be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.2.0p18
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with another script and put
it in the JAVA_HOME directory. The script would be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
<h3>Affected Versions</h3>
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL) and older
<h3>Mitigations</h3>
If updating is not possible, disable the jar_signature plugin.
<h3>Vulnerability Management</h3>
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
<code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>
We have assigned <code>CVE-2023-6740</code>.
<h3>Changes</h3>
The jarsigner binary is now executed by the oracle user.
Title: jar_signature: Prevent privilege escalation to root
Class: security
Compatible: incomp
Component: checks
Date: 1702395666
Edition: cre
Level: 3
Version: 2.3.0b1
The jar_signature agent plugin (configured by the 'Signatures of certificates in JAR files' bakery rule)
was vulnerable to privilege escalation to root by the oracle user.
A malicious oracle user could replace the jarsigner binary with another script and put
it in the JAVA_HOME directory. The script would be executed by the root user.
The jarsigner is now executed by the oracle user, preventing the privilege escalation.
This werk is incompatible for users that use the jar_signature plugin. To avoid risk, users
should deploy the new version of the plugin or disable it.
This issue was found during internal review.
### Affected Versions
* 2.2.0
* 2.1.0
* 2.0.0 (EOL) and older
### Mitigations
If updating is not possible, disable the jar_signature plugin.
### Vulnerability Management
We have rated the issue with a CVSS score of 8.8 (High) with the following CVSS vector:
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
We have assigned `CVE-2023-6740`.
### Changes
The jarsigner binary is now executed by the oracle user.
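
The ownership test behind both fixes above (mk_oracle checking whether a binary must run as a non-root user, jar_signature running jarsigner as the oracle user), as an added example that is not Checkmk's plugin code. The function names and the policy of walking every parent directory are assumptions, and it relies on GNU `stat`/`readlink` and util-linux `setpriv`.

```shell
#!/bin/sh
# Added example, not Checkmk code. Assumes GNU stat/readlink and util-linux
# setpriv; all function names are hypothetical.

# True if group or others could replace entries at this path.
is_loose() {
    case $(stat -c '%A' "$1") in
        d????????[tT]*) return 1 ;;       # sticky dir: only owners may replace
        ?????w*|????????w*) return 0 ;;   # group- or world-writable
    esac
    return 1
}

# Print the "UID:GID" a root-run plugin should use to execute binary $1:
# "0:0" only if the file and every parent directory are root-owned and not
# loose; otherwise the first non-root owner found walking up from the file.
# Returns 1 if $1 is not an executable file, 2 if root-owned but loose.
exec_ids_for() {
    if [ ! -f "$1" ] || [ ! -x "$1" ]; then return 1; fi
    p=$(readlink -f -- "$1") || return 1
    loose=0
    while :; do
        ids=$(stat -c '%u:%g' "$p") || return 1
        if [ "${ids%%:*}" != 0 ]; then echo "$ids"; return 0; fi
        if is_loose "$p"; then loose=1; fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname -- "$p")
    done
    if [ "$loose" = 1 ]; then return 2; fi
    echo "0:0"
}

# Execute "$@" directly when trusted, otherwise with the owner's IDs.
run_checked() {
    ids=$(exec_ids_for "$1") || { echo "refusing to run $1" >&2; return 1; }
    if [ "${ids%%:*}" = "$(id -u)" ]; then
        "$@"
    else
        setpriv --reuid="${ids%%:*}" --regid="${ids##*:}" --clear-groups "$@"
    fi
}
```

The check and the later exec are not atomic, so it is the privilege drop, not the ownership test, that limits the damage when a non-root account controls the path.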
Werk 1665 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: agent_netapp: New special agent for NetApp monitoring via Web-API
Level: 3
Component: checks
Class: feature
Compatible: compat
State: unknown
Version: 1.2.7i1
Date: 1418736173
The new agent_netapp allows you to collect data from a NetApp Filer through
its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is
following soon.
H2: Agent setup
This agent does not run out of the box, because it depends on some files
from the <i>Netapp Manageability SDK</i> from NetApp. You can download it
<a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a>
In this package you will find a python API binding. The agent_netapp requires
the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into
the site's local directory <tt>~/local/lib/python</tt>.
(Our plan is to eliminate this tedious step in a future version.)
Once the agent has all required files you need to create a user account
with the following permissions:
<ul>
<li>perf-object-get-instances</li>
<li>net-ifconfig-get</li>
<li>aggr-list-info</li>
<li>storage-shelf-bay-list-info</li>
<li>disk-list-info</li>
<li>vfiler-list-info</li>
<li>vfiler-get-status</li>
<li>volume-list-info</li>
<li>system-get-version</li>
<li>system-get-info</li>
<li>storage-shelf-environment-list-info</li>
<li>cf-status</li>
<li>diagnosis-status-get</li>
</ul>
Note: This list might increase in later versions
If the new agent is able to access the Web-API the following new checks
are ready to process the data:
<table>
<tr><th>Check</th><th>Description</th></tr>
<tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr>
<tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr>
<tr><td>netapp_api_cluster</td><td>Cluster status</td></tr>
<tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr>
<tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr>
<tr><td>netapp_api_if</td><td>Interface checks (Fibre Channel not included so far)</td></tr>
<tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsi)</td></tr>
<tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr>
<tr><td>netapp_api_version</td><td>Version information</td></tr>
<tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr>
<tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr>
<tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr>
<tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr>
<tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr>
<tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr>
</table>
Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.
------------------------------------<diff>-------------------------------------------
Title: agent_netapp: New special agent for NetApp monitoring via Web-API
Level: 3
Component: checks
Class: feature
Compatible: compat
State: unknown
Version: 1.2.7i1
Date: 1418736173
The new agent_netapp allows you to collect data from a NetApp Filer through
its Web-API. Right now <b>only 7-Mode</b> setups are supported, but Cluster-Mode is
following soon.
H2: Agent setup
This agent does not run out of the box, because it depends on some files
from the <i>Netapp Manageability SDK</i> from NetApp. You can download it
<a href="http://mysupport.netapp.com/NOW/cgi-bin/software/?product=NetApp+Manageabil…">here (customer/partner login required)</a>
In this package you will find a python API binding. The agent_netapp requires
the two python files (<tt>NaElement.py</tt> / <tt>NaServer.py</tt>) to be put into
the sites local directory <tt>~/local/lib/python</tt>.
(Our plan is to eleminate this tedious step in a future version)
Once the agent has all required files you need to create a user account
with the following permissions:
<ul>
<li>perf-object-get-instances</li>
<li>net-ifconfig-get</li>
<li>aggr-list-info</li>
<li>storage-shelf-bay-list-info</li>
<li>disk-list-info</li>
<li>vfiler-list-info</li>
<li>vfiler-get-status</li>
<li>volume-list-info</li>
<li>system-get-version</li>
<li>system-get-info</li>
<li>storage-shelf-environment-list-info</li>
<li>cf-status</li>
<li>diagnosis-status-get</li>
</ul>
Note: This list might increase in later versions
If the new agent is able to access the Web-API the following new checks
are ready to process the data:
<table>
<tr><th>Check</th><th>Description</th></tr>
<tr><td>netapp_api_aggr</td><td>Used space and trend of aggregations</td></tr>
<tr><td>netapp_api_volumes</td><td>Used space and trend of volumes. Able to record detailed performance data for each protocol</td></tr>
<tr><td>netapp_api_cluster</td><td>Cluster status</td></tr>
<tr><td>netapp_api_cpu</td><td>Overall CPU utilization</td></tr>
<tr><td>netapp_api_disk</td><td>Disk summary check. Includes total raw capacity and info about broken and spare disks</td></tr>
<tr><td>netapp_api_if</td><td>Interface checks (Fibrechannel not include so far)</td></tr>
<tr><td>netapp_api_protocol</td><td>Read OPS / Write OPS for each protocol (nfs, nfsv4, cifs, fcp, iscsci)</td></tr>
<tr><td>netapp_api_status</td><td>Filers Diagnosis Status (overall status)</td></tr>
<tr><td>netapp_api_version</td><td>Version information</td></tr>
<tr><td>netapp_api_vf_stats.traffic</td><td>vFiler traffic (Read/Write OPS, Net-Data Send/Recv, Read/Write Bytes)</td></tr>
<tr><td>netapp_api_vf_stats.cpu_util</td><td>vFiler CPU utilization</td></tr>
<tr><td>netapp_api_vf_status</td><td>vFiler status</td></tr>
<tr><td>netapp_api_psu</td><td>Power supplies summary which are relevant to that filer. Reports broken units</td></tr>
- <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td><tr>
+ <tr><td>netapp_api_fan</td><td>Fans summary which are relevant to that filer. Reports broken units</td></tr>
? +
<tr><td>netapp_api_temp</td><td>Temperature sensor summary for internal and ambient sensors relevant to that filer. Reports broken units</td></tr>
</table>
Note: This is the initial version of this agent. It has been tested on a handful of NetApp systems.
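Review bot: The SDK download link in the unchanged context (the <a href="http://mysupport.netapp.com/... line) sends users to a login-required page over plain http; since the werk text is being touched anyway, switch it to https if the host serves it. The same context lines still carry "eleminate", "Fibrechannel not include so far" and "iscsci", which this edit leaves in place while only correcting the closing tag on the netapp_api_fan row; fixing them here would avoid a second adaptation of the werk.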
Title: Add cloud edition features to Managed Services Edition
Class: feature
Compatible: compat
Component: omd
Date: 1700123142
Edition: cme
Level: 3
Version: 2.3.0b1
With this werk, the Checkmk Managed Services Edition is now based on the Checkmk Cloud Edition and thus includes all features of the Checkmk Cloud Edition.
A technical overview of the new features can be found in the user manual: https://docs.checkmk.com/latest/en/cce.html
Werk 16230 was deleted. The following Werk is no longer relevant.
Title: Add cloud edition features to Managed Services Edition
Class: feature
Compatible: compat
Component: omd
Date: 1700123142
Edition: cme
Level: 3
Version: 2.3.0b1
With this werk, the Checkmk Managed Services Edition is now based on the Checkmk Cloud Edition and thus includes all features of the Checkmk Cloud Edition.
A technical overview of the new features can be found in the user manual: https://docs.checkmk.com/latest/en/cce.html