Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
Version: 2.1.0p47
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
Title: mk_informix: Follow up for Werk 16198
Class: security
Compatible: compat
Component: checks
Date: 1721978318
Edition: cre
Level: 1
Version: 2.1.0p47
<a href="https://checkmk.com/werk/16198">Werk #16198</a> addressed potential priviledge escalation by the agent plugin <code>mk_informix</code>.
However, a few callsites to the binaries <code>dbaccess</code> and <code>onstat</code> where missing the safe execution.
Those binaries are now also called in a safe way.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.
Title: Fix XSS in view page with SLA column
Class: security
Compatible: compat
Component: wato
Date: 1723724113
Edition: cee
Level: 1
Version: 2.2.0p33
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
<strong>Affected Versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0 (EOL)
<strong>Indicators of Compromise</strong>:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: <code>CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N</code>, and assigned <code>CVE-2024-38859</code>.
Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message.
Title: Remove websphere_mq plugin
Class: security
Compatible: incomp
Component: checks
Date: 1710155388
Edition: cre
Level: 1
Version: 2.2.0p26
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
<em>agent bakery</em> we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
------------------------------------<diff>-------------------------------------------
Title: Remove websphere_mq plugin
Class: security
- Compatible: compat
? --
+ Compatible: incomp
? ++
Component: checks
Date: 1710155388
Edition: cre
Level: 1
Version: 2.2.0p26
With this Werk the <code>websphere_mq</code> plugin is removed for security reasons.
In this plugin the output of <code>ps</code> is used to determine an argument for
<code>runmqsc</code>. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to <code>runmqsc</code>.
The plugin was already superseded by the agent plugin <code>ibm_mq</code> and deprecated with Werk <a href="https://checkmk.com/werk/10752">10752</a> and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
<em>agent bakery</em> we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
<strong>Affected versions</strong>:
LI: 2.3.0
LI: 2.2.0
LI: 2.1.0
LI: 2.0.0
<strong>Mitigations</strong>:
Migrate to the <code>ibm_mq</code> plugin.
<strong>Vulnerability Management</strong>:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: <code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N</code>.
We assigned CVE-2024-3367 to this vulnerability.
<strong>Changes</strong>:
The plugin was removed.
Title: mk_informix: Follow up for Werk 16198
Class: security
Compatible: compat
Component: checks
Date: 1721978318
Edition: cre
Level: 1
Version: 2.2.0p32
<a href="https://checkmk.com/werk/16198">Werk #16198</a> addressed potential priviledge escalation by the agent plugin <code>mk_informix</code>.
However, a few callsites to the binaries <code>dbaccess</code> and <code>onstat</code> where missing the safe execution.
Those binaries are now also called in a safe way.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.
[//]: # (werk v2)
# Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI
key | value
---------- | ---
date | 2024-08-26T18:51:50+00:00
version | 2.3.0p14
class | security
edition | cee
component | multisite
level | 1
compatible | yes
The user interface offers the option to display the HTML logs of monitored synthetic tests. These
logs are generated on the host where the test is executed and are therefore prone to XSS attacks. A
malicious actor with access to the host could attempt to inject malicious JavaScript code into these
logs before they are transferred to the monitoring server.
As of this werk, the logs are rendered sandboxed, which prevents code injected into the logs from
accessing the surrounding Checkmk site. However, note that an attacker could still attempt to hijack
the log to eg. display a fake login page. Therefore, we additionally display a corresponding
security note when rendering the logs.
An unfortunate side effect of the sandboxing described above is that the "Expand/Collapse all"
buttons in the logs are deactivated. Users can still download the logs and inspect them outside the
Checkmk user interface, as before.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
*Mitigations*:
Avoid displaying the HTML logs in the user interface.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.3 Low (`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`) and assigned `CVE-2024-38858`.
[//]: # (werk v2)
# Fix XSS in view page with SLA column
key | value
---------- | ---
date | 2024-08-15T12:15:13+00:00
version | 2.3.0p14
class | security
edition | cee
component | wato
level | 1
compatible | yes
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
**Indicators of Compromise**:
Cloning the view page of untrusted users who have injected HTML into the SLA titles.
**Vulnerability Management**:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, and assigned `CVE-2024-38859`.
Werk 16615 was adapted. The following is the new Werk, a diff is shown at the end of the message.
[//]: # (werk v2)
# Remove websphere_mq plugin
key | value
---------- | ---
date | 2024-03-11T11:09:48+00:00
version | 2.3.0b5
class | security
edition | cre
component | checks
level | 1
compatible | no
With this Werk the `websphere_mq` plugin is removed for security reasons.
In this plugin the output of `ps` is used to determine an argument for
`runmqsc`. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to `runmqsc`.
The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
*agent bakery* we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
__Affected versions__:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
__Mitigations__:
Migrate to the `ibm_mq` plugin.
__Vulnerability Management__:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`.
We assigned CVE-2024-3367 to this vulnerability.
__Changes__:
The plugin was removed.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Remove websphere_mq plugin
key | value
---------- | ---
date | 2024-03-11T11:09:48+00:00
version | 2.3.0b5
class | security
edition | cre
component | checks
level | 1
- compatible | yes
? ^^^
+ compatible | no
? ^^
With this Werk the `websphere_mq` plugin is removed for security reasons.
In this plugin the output of `ps` is used to determine an argument for
`runmqsc`. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to `runmqsc`.
The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
*agent bakery* we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
__Affected versions__:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
__Mitigations__:
Migrate to the `ibm_mq` plugin.
__Vulnerability Management__:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`.
We assigned CVE-2024-3367 to this vulnerability.
__Changes__:
The plugin was removed.
[//]: # (werk v2)
# mk_informix: Follow up for Werk 16198
key | value
---------- | ---
date | 2024-07-26T07:18:38+00:00
version | 2.3.0p12
class | security
edition | cre
component | checks
level | 1
compatible | yes
[Werk #16198](https://checkmk.com/werk/16198) addressed potential priviledge escalation by the agent plugin `mk_informix`.
However, a few callsites to the binaries `dbaccess` and `onstat` where missing the safe execution.
Those binaries are now also called in a safe way.
<em>Vulnerability Management</em>:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: <code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H</code> and assigned CVE <code>CVE-2024-28829</code>.
[//]: # (werk v2)
# Synthetic Monitoring: Fix XSS vector in HTML logs displayed in UI
key | value
---------- | ---
date | 2024-08-26T18:51:50+00:00
version | 2.4.0b1
class | security
edition | cee
component | multisite
level | 1
compatible | yes
The user interface offers the option to display the HTML logs of monitored synthetic tests. These
logs are generated on the host where the test is executed and are therefore prone to XSS attacks. A
malicious actor with access to the host could attempt to inject malicious JavaScript code into these
logs before they are transferred to the monitoring server.
As of this werk, the logs are rendered sandboxed, which prevents code injected into the logs from
accessing the surrounding Checkmk site. However, note that an attacker could still attempt to hijack
the log to eg. display a fake login page. Therefore, we additionally display a corresponding
security note when rendering the logs.
An unfortunate side effect of the sandboxing described above is that the "Expand/Collapse all"
buttons in the logs are deactivated. Users can still download the logs and inspect them outside the
Checkmk user interface, as before.
This issue was found during internal review.
*Affected Versions*:
* 2.3.0
*Mitigations*:
Avoid displaying the HTML logs in the user interface.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.3 Low (`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`) and assigned `CVE-2024-38858`.