[//]: # (werk v2)
# Persist known host keys for checks that use SSH
key | value
---------- | ---
date | 2024-08-26T08:56:04+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
When using the special agent *VNX quotas and filesystems* or the active check *Check SFTP Service*, the SSH host keys were not properly checked.
An attacker in a machine-in-the-middle position could intercept the connection and retrieve information, e.g. passwords.
As of this Werk the host key check is properly done.
Known host keys are stored in a regular `known_hosts` file located at `/omd/sites/$SITENAME/.ssh/known_hosts`.
If a host key changes, an error is now raised; resolving it requires editing this file manually.
This issue was found during internal review.
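The following is an added illustration of the strict host key check described above. It is example code written for this page, not Checkmk's implementation, and it does not depend on any SSH library: it reads a `known_hosts` file in OpenSSH format, handles both plain and hashed (`|1|salt|hmac`) host entries, and distinguishes an unknown host (refuse, never auto-add) from a changed key (refuse and demand a manual fix). The host names, salt and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac


class HostKeyError(Exception):
    """Base class for host key verification failures."""


class UnknownHostKey(HostKeyError):
    """No entry for this host/key type: refuse instead of trusting on first use."""


class HostKeyChanged(HostKeyError):
    """An entry exists but the presented key differs: possible MITM, needs manual review."""


def hashed_host_pattern(host: str, salt: bytes) -> str:
    """Build an OpenSSH '|1|salt|hmac' hashed hostname entry (what `ssh-keyscan -H` writes)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _pattern_matches(pattern: str, host: str) -> bool:
    """Match one host pattern; hashed entries are checked with HMAC-SHA1 over the hostname."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    # Plain entry. Wildcards and "[host]:port" forms are not handled in this example.
    return pattern == host


def parse_known_hosts(text: str):
    """Yield (host_patterns, key_type, key_blob); comments and @marker lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        yield fields[0], fields[1], base64.b64decode(fields[2])


def verify_host_key(known_hosts: str, host: str, key_type: str, key_blob: bytes) -> bool:
    """Strict check: accept only a known, identical key for this host and key type."""
    host_seen = False
    for patterns, ktype, blob in parse_known_hosts(known_hosts):
        if not any(_pattern_matches(p, host) for p in patterns.split(",")):
            continue
        if ktype != key_type:
            continue
        host_seen = True
        if hmac.compare_digest(blob, key_blob):
            return True
    if host_seen:
        raise HostKeyChanged(f"host key for {host} ({key_type}) has changed; fix known_hosts manually")
    raise UnknownHostKey(f"no {key_type} key for {host} in known_hosts; add it after verifying the fingerprint")


def classify(known_hosts: str, host: str, key_type: str, key_blob: bytes) -> str:
    """Map the outcome of verify_host_key() to 'ok', 'changed' or 'unknown'."""
    try:
        verify_host_key(known_hosts, host, key_type, key_blob)
        return "ok"
    except HostKeyChanged:
        return "changed"
    except UnknownHostKey:
        return "unknown"


# Constructed sample data (not real keys): one plain and one hashed entry.
STORAGE_KEY = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))
VNX_KEY = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32, 64))
_SALT = b"checkmk-example-salt"  # 20 bytes, constructed
KNOWN_HOSTS = "\n".join([
    "# /omd/sites/$SITENAME/.ssh/known_hosts (constructed example)",
    "storage01.example.com ssh-ed25519 " + base64.b64encode(STORAGE_KEY).decode(),
    hashed_host_pattern("vnx-cs.example.com", _SALT) + " ssh-ed25519 " + base64.b64encode(VNX_KEY).decode(),
])

if __name__ == "__main__":
    print(classify(KNOWN_HOSTS, "storage01.example.com", "ssh-ed25519", STORAGE_KEY))
    print(classify(KNOWN_HOSTS, "vnx-cs.example.com", "ssh-ed25519", STORAGE_KEY))
```

In practice the file is populated once per target, as the site user, with `ssh-keyscan -H <host> >> /omd/sites/$SITENAME/.ssh/known_hosts` after comparing the fingerprint with the one obtained out of band; a `changed` result is cleared with `ssh-keygen -R <host>` only after the rekey has been confirmed as legitimate. The equivalent in paramiko, which Checkmk ships, is `load_host_keys()` combined with `RejectPolicy`; whether the Werk's fix uses exactly that API is not stated on this page.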
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 6.3 Medium CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N and assigned CVE-2024-6572.
[//]: # (werk v2)
# Fix XSS in view page with SLA column
key | value
---------- | ---
date | 2024-08-15T12:15:13+00:00
version | 2.4.0b1
class | security
edition | cee
component | wato
level | 1
compatible | yes
Prior to this werk, the SLA (Service Level Agreement) titles were being rendered as HTML in the view page without proper escaping, leading to a potential XSS vulnerability.
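Added example, not Checkmk's view code: the unescaped rendering that produces the problem beside the escaped form, plus a small scan for SLA titles that contain markup, which is the indicator to look for when reviewing views. The titles and the payload are constructed; Checkmk's real rendering helpers are not used here.

```python
import html
import re

# Constructed SLA titles; the second one carries an injected payload.
SLA_TITLES = {
    "sla_web_availability": "Web frontend availability 99.9%",
    "sla_db_latency": 'DB latency <img src=x onerror="alert(document.cookie)">',
}


def render_sla_cell_unsafe(title: str) -> str:
    """Vulnerable pattern: the title is interpolated into the markup as-is."""
    return '<td class="sla">%s</td>' % title


def render_sla_cell(title: str) -> str:
    """Fixed pattern: escape first so the title is rendered as text, not as markup."""
    return '<td class="sla">%s</td>' % html.escape(title, quote=True)


# Raw markup characters or HTML entities inside a title are unusual for an SLA name.
_MARKUP = re.compile(r"[<>\"']|&#?\w+;")


def find_suspicious_sla_titles(titles: dict) -> list:
    """IoC hunt: return the keys of titles that contain markup characters or entities."""
    return sorted(key for key, title in titles.items() if _MARKUP.search(title))


if __name__ == "__main__":
    for key in find_suspicious_sla_titles(SLA_TITLES):
        print(key, "->", render_sla_cell(SLA_TITLES[key]))
```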
**Affected Versions**:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
**Indicators of Compromise**:
View pages cloned from untrusted users who have injected HTML into SLA titles.
**Vulnerability Management**:
We have rated the issue with a CVSS score of 4.8 (medium) with the following CVSS vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`, and assigned `CVE-2024-38859`.
Werk 16615 was adapted. The following is the new Werk; a diff is shown at the end of the message.
[//]: # (werk v2)
# Remove websphere_mq plugin
key | value
---------- | ---
date | 2024-03-11T11:09:48+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | no
With this Werk the `websphere_mq` plugin is removed for security reasons.
The plugin used the output of `ps` to determine an argument for `runmqsc`. This
meant that anybody who could launch processes with an arbitrary command line
could manipulate one argument to `runmqsc`.
The plugin had already been superseded by the agent plugin `ibm_mq` and was deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0.
Since the plugin was already deprecated and could not be configured via the
*agent bakery*, we assume that it is not frequently used. We therefore decided
not to fix the issue but to remove the plugin.
We found this vulnerability internally.
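The flaw described above is the general pattern of treating a process listing as trusted input. The following added example (written for this page, not the removed plugin's code) shows the pattern on a constructed `ps` listing: one line comes from a real queue manager process, the other from an unprivileged user's process with a spoofed command line. The process name `amqzxma0`, the `-m <qmgr>` argument layout and the `runmqsc` path are assumptions for illustration; nothing is executed, the functions only return the command line that would be run.

```python
import re

# Constructed `ps -eo pid,user,args` output. The controller name (amqzxma0) and its
# argument layout are assumptions; the second process was started by an unprivileged
# user with a spoofed command line, which ps reports just like the real one.
PS_OUTPUT = """\
  PID USER     COMMAND
 2104 mqm      /opt/mqm/bin/amqzxma0 -m PROD.QM1 -x
 6631 alice    amqzxma0 -m PROD.QM1;touch /tmp/x -x
"""


def queue_managers_from_ps(ps_output: str) -> list:
    """The risky pattern: take the `-m <qmgr>` value from whatever ps shows."""
    names = []
    for line in ps_output.splitlines()[1:]:
        m = re.search(r"amqzxma0\s+-m\s+(.*?)\s+-x", line)
        if m:
            names.append(m.group(1))
    return names


def runmqsc_shell_unsafe(qmgr: str) -> str:
    """Old-style shell string: the ps-derived text reaches the shell unchanged."""
    return 'echo "DISPLAY QMGR" | runmqsc %s' % qmgr


# IBM MQ object names: letters, digits, '.', '/', '_' and '%', up to 48 characters
# (naming rule as the author of this example recalls it; verify against your MQ docs).
QMGR_NAME = re.compile(r"[A-Za-z0-9._/%]{1,48}")


def is_valid_qmgr_name(name: str) -> bool:
    return QMGR_NAME.fullmatch(name) is not None


def runmqsc_argv_safe(qmgr: str) -> list:
    """Hardened form: allowlist the name and pass an argv list, never a shell string."""
    if not is_valid_qmgr_name(qmgr):
        raise ValueError("refusing suspicious queue manager name: %r" % qmgr)
    return ["/opt/mqm/bin/runmqsc", qmgr]


def plan_runmqsc_calls(ps_output: str) -> dict:
    """Map each ps-derived name to its argv or to a rejection reason (nothing is executed)."""
    plan = {}
    for name in queue_managers_from_ps(ps_output):
        try:
            plan[name] = runmqsc_argv_safe(name)
        except ValueError as e:
            plan[name] = str(e)
    return plan


if __name__ == "__main__":
    for name, outcome in plan_runmqsc_calls(PS_OUTPUT).items():
        print(repr(name), "->", outcome)
```

Note that even the hardened form still lets an unprivileged user choose *which* queue manager gets queried, since a spoofed but well-formed name such as `PROD.QM1` passes the allowlist. A real fix would have to take the list of queue managers from an authoritative source (a configured list, or `dspmq` run with appropriate privileges) rather than from `ps`, which is why dropping the already deprecated plugin instead of patching it is a defensible decision.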
__Affected versions__:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
__Mitigations__:
Migrate to the `ibm_mq` plugin.
__Vulnerability Management__:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`.
We assigned CVE-2024-3367 to this vulnerability.
__Changes__:
The plugin was removed.
------------------------------------<diff>-------------------------------------------
[//]: # (werk v2)
# Remove websphere_mq plugin
key | value
---------- | ---
date | 2024-03-11T11:09:48+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
- compatible | yes
? ^^^
+ compatible | no
? ^^
With this Werk the `websphere_mq` plugin is removed for security reasons.
In this plugin the output of `ps` is used to determine an argument for
`runmqsc`. This meant that anybody who can launch processes with an arbitrary
command line could manipulate one argument to `runmqsc`.
The plugin was already superseded by the agent plugin `ibm_mq` and deprecated with Werk [10752](https://checkmk.com/werk/10752) and version 2.0.0.
Since this plugin is already deprecated and it was not configurable via the
*agent bakery* we assumed that this plugin is not frequently used. Therefore we
decided to not fix the issue but to push the removal.
We found this vulnerability internally.
__Affected versions__:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0
__Mitigations__:
Migrate to the `ibm_mq` plugin.
__Vulnerability Management__:
We have rated the issue with a CVSS Score of 6.5 (Medium) with the following CVSS vector: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N`.
We assigned CVE-2024-3367 to this vulnerability.
__Changes__:
The plugin was removed.
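Review bot: The only change in this hunk is `compatible | yes` to `compatible | no`, which is the right call given the body: removing the plugin outright breaks monitoring for anyone still deploying it, so marking the Werk incompatible is consistent. Since the body expects users to migrate, consider making the __Mitigations__ line say explicitly that the migration to `ibm_mq` has to happen before updating, as nothing else in the text tells readers when the old section stops being collected.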
[//]: # (werk v2)
# Don't show automation secret in the audit log (addresses CVE-2024-28830)
key | value
---------- | ---
date | 2024-06-19T12:10:00+00:00
version | 2.4.0b1
class | security
edition | cre
component | wato
level | 2
compatible | no
By default only admin users are able to see the audit log. Guests and normal
monitoring users do not have access to the audit log.
Werk #13330 already fixed a problem where passwords were shown in the audit log.
This werk addresses the remaining problem that automation secrets of
automation users were still logged in clear text to the audit log, e.g. when
the automation secret was changed via the REST API or the user interface.
Existing automation secrets in the audit log should be removed automatically
during the update, but please double check that no automation secrets remain in
the log (see the next paragraph for details).
A backup of the original audit log (before automation secrets were removed) is
copied to `~/var/check_mk/wato/log/sanitize_backup`. If anything goes wrong
during the update, you have to copy the files back to `~/var/check_mk/wato/log`
and remove the automation secrets manually. If the update works as expected,
you can remove the backup files.
In distributed setups which do not replicate the configuration, automation
secrets are replaced during the update of each site.
In setups which replicate the configuration from the central site to remote
sites, no automation secrets should be present in the logs of the remote sites,
since only information about the activation is logged there. Automation secrets
can only be present in those logs if you switched to a replicated setup after
upgrading to 2.0. Since secrets may be present in this scenario as well, the
steps described above apply to the remote sites too.
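To do the double check the paragraphs above ask for, here is an added example (written for this page, not Checkmk's own sanitizing code) that scans audit log text in two ways: for an `automation_secret` field that still carries a value, and, independently of the log layout, for the literal current secrets of the site. It also shows the redaction the update is expected to perform. The line layout of the sample log, the field name `automation_secret:` and the per-user `automation.secret` path used to collect current secrets are all assumptions; the sample lines are constructed.

```python
import re
from pathlib import Path

# Constructed audit log lines in a "<time> <user> <action> <text>" layout. The real line
# layout of ~/var/check_mk/wato/log and the field name are assumptions for this example.
SAMPLE_AUDIT_LOG = """\
1718798400 cmkadmin edit-user Modified user automation, automation_secret: 4f8c1a2e9b7d3c6e0a1b2c3d4e5f6a7b
1718798460 cmkadmin activate-changes Activated changes on site central
1718798520 cmkadmin edit-user Modified user cmkadmin, password: ***
1718798580 cmkadmin edit-user Modified user automation2, automation_secret: ***
"""

# Matches "automation_secret: VALUE" or "automation secret = VALUE"; group 2 is the value.
SECRET_FIELD = re.compile(r"(automation[_ ]secret\s*[:=]\s*)(\S+)", re.IGNORECASE)
REDACTED = "***"


def find_secret_fields(text: str) -> list:
    """Return (line_no, value) for every automation_secret field that is not yet redacted."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in SECRET_FIELD.finditer(line):
            if m.group(2) != REDACTED:
                hits.append((no, m.group(2)))
    return hits


def find_known_secrets(text: str, secrets) -> list:
    """Layout-independent check: line numbers containing any of the given secret strings."""
    return [no for no, line in enumerate(text.splitlines(), 1)
            if any(s and s in line for s in secrets)]


def redact_secret_fields(text: str) -> str:
    """What the update is expected to do: keep the line, replace only the value."""
    return SECRET_FIELD.sub(lambda m: m.group(1) + REDACTED, text)


def load_current_secrets(site_home: Path) -> set:
    """Collect current automation secrets from the per-user files (this path is an assumption)."""
    return {p.read_text().strip() for p in site_home.glob("var/check_mk/web/*/automation.secret")}


def scan_log_dir(log_dir: Path, secrets=()) -> dict:
    """Scan every file in the log directory; returns {name: (field_hits, known_secret_lines)}."""
    report = {}
    for p in sorted(log_dir.iterdir()):
        if not p.is_file():
            continue
        text = p.read_text(errors="replace")
        fields, known = find_secret_fields(text), find_known_secrets(text, secrets)
        if fields or known:
            report[p.name] = (fields, known)
    return report


if __name__ == "__main__":
    print(find_secret_fields(SAMPLE_AUDIT_LOG))
    print(redact_secret_fields(SAMPLE_AUDIT_LOG))
```

Run it as the site user, e.g. `scan_log_dir(Path("~/var/check_mk/wato/log").expanduser(), load_current_secrets(Path("~").expanduser()))`; the `sanitize_backup` directory is expected to contain secrets and should be excluded and deleted once the update has been verified. The field pattern only finds what it was told to look for, so the literal-secret check is the one to rely on, and a secret that was rotated before the update will not be found by it at all.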
*Affected Versions*:
* 2.3.0
* 2.2.0
* 2.1.0
* 2.0.0 (EOL)
*Mitigations*:
Remove automation secrets manually from the files located in
`~/var/check_mk/wato/log`.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 2.7 (Low) with the following
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N` and assigned CVE
`CVE-2024-28830`.
[//]: # (werk v2)
# mk_informix: Follow up for Werk 16198
key | value
---------- | ---
date | 2024-07-26T07:18:38+00:00
version | 2.4.0b1
class | security
edition | cre
component | checks
level | 1
compatible | yes
[Werk #16198](https://checkmk.com/werk/16198) addressed a potential privilege escalation by the agent plugin `mk_informix`.
However, a few call sites of the binaries `dbaccess` and `onstat` were missing the safe execution.
Those binaries are now also called in a safe way.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: `CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H` and assigned CVE `CVE-2024-28829`.
Werk 13900 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: Update Pillow and Paramiko
Class: security
Compatible: compat
Component: core
Date: 1650872232
Edition: cre
Knowledge: doc
Level: 1
State: unknown
Version: 2.1.0b6
This updates paramiko to 2.3.10 and Pillow to 9.1.0. These new versions include fixes for these CVEs:
LI: CVE-2022-24302
LI: CVE-2022-22817
LI: CVE-2022-22816
LI: CVE-2022-22815
LI: CVE-2022-24303
------------------------------------<diff>-------------------------------------------
Title: Update Pillow and Paramiko
Class: security
Compatible: compat
Component: core
Date: 1650872232
Edition: cre
Knowledge: doc
Level: 1
State: unknown
- Version: 2.1.0b7
? ^
+ Version: 2.1.0b6
? ^
This updates paramiko to 2.3.10 and Pillow to 9.1.0. These new versions include fixes for these CVEs:
LI: CVE-2022-24302
LI: CVE-2022-22817
LI: CVE-2022-22816
LI: CVE-2022-22815
LI: CVE-2022-24303
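Review bot: This hunk moves the Version field backwards from 2.1.0b7 to 2.1.0b6 while the Date field and the body stay untouched; before shipping, confirm that the 2.1.0b6 build really contains the paramiko and Pillow updates, otherwise b6 users will read this Werk as fixed when it is not. While touching the Werk, it is also worth double checking the unchanged body line "paramiko to 2.3.10", since the fix for CVE-2022-24302 landed in the paramiko 2.10 series and the string reads like a transposition of 2.10.3.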
Werk 15194 was adapted. The following is the new Werk; a diff is shown at the end of the message.
Title: Fix command injection via RestAPI / Password Store
Class: security
Compatible: compat
Component: core
Date: 1690985970
Edition: cre
Knowledge: doc
Level: 1
State: unknown
Version: 2.2.0p8
Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.
This issue was found during internal code review.
<b>Affected Versions</b>:
LI: 2.0.0
LI: 2.1.0
LI: 2.2.0 prior to version 2.2.0p4
Note that at the time this Werk and its fix were published, the current 2.2.0 release was already no longer affected by this issue, because it had already been mitigated by Werk #15889.
<b>Indicators of Compromise</b>:
Check the password store for passwords with unusual identifiers, review add-password events in the audit log.
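The two indicators named above can be checked together. The following added example (written for this page, not Checkmk's code) lists password store entries whose identifier falls outside a conservative allowlist and pairs each with the user whose add-password audit event mentions it. The on-disk layout of the password store (`ident:secret` per line) and the audit log line layout are assumptions; all sample lines are constructed.

```python
import re

# Constructed password store content, one "ident:secret" per line. The on-disk layout of
# Checkmk's password store is an assumption here; adapt the split to your version.
STORED_PASSWORDS = """\
vnx_monitoring:S3cr3t!
sftp_probe:hunter2
legit_name;touch /tmp/x:irrelevant
$(id):irrelevant
"""

# Constructed audit log lines in a "<time> <user> <action> <text>" layout (also an assumption).
AUDIT_LOG = """\
1690900000 alice add-password Added password legit_name;touch /tmp/x
1690900100 alice add-password Added password $(id)
1690900200 cmkadmin add-password Added password sftp_probe
1690900300 alice edit-rule Changed active check rule
"""

# What a benign identifier looks like; anything else deserves a second look.
IDENT_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def store_identifiers(text: str):
    """Yield (line_no, ident) for each non-empty store line."""
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            yield no, line.partition(":")[0]


def unusual_identifiers(text: str) -> list:
    """IoC: identifiers containing shell metacharacters, whitespace or other oddities."""
    return [(no, ident) for no, ident in store_identifiers(text) if not IDENT_OK.fullmatch(ident)]


def add_password_events(audit_text: str) -> list:
    """(user, text) for every add-password audit event."""
    events = []
    for line in audit_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and parts[2] == "add-password":
            events.append((parts[1], parts[3]))
    return events


def correlate(store_text: str, audit_text: str) -> list:
    """Pair each unusual identifier with the user(s) whose add-password event mentions it."""
    events = add_password_events(audit_text)
    return [(ident, user) for _, ident in unusual_identifiers(store_text)
            for user, text in events if ident in text]


if __name__ == "__main__":
    for ident, user in correlate(STORED_PASSWORDS, AUDIT_LOG):
        print("suspicious identifier %r added by %s" % (ident, user))
```

An identifier that fails the allowlist is not proof of exploitation, but combined with the audit trail it tells you who to ask and which active check rules created by that user to review next.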
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We have assigned CVE <tt>CVE-2023-31209</tt>.
<b>Changes</b>:
This Werk adds proper sanitization of the affected parameter on core commands.
------------------------------------<diff>-------------------------------------------
Title: Fix command injection via RestAPI / Password Store
Class: security
Compatible: compat
Component: core
Date: 1690985970
Edition: cre
Knowledge: doc
Level: 1
State: unknown
- Version: 2.2.0p4
? ^
+ Version: 2.2.0p8
? ^
Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.
This issue was found during internal code review.
<b>Affected Versions</b>:
LI: 2.0.0
LI: 2.1.0
LI: 2.2.0 prior to version 2.2.0p4
Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889.
<b>Indicators of Compromise</b>:
Check the password store for passwords with unusual identifiers, review add-password events in the audit log.
<b>Vulnerability Management</b>:
We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector:
<tt>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</tt>.
We have assigned CVE <tt>CVE-2023-31209</tt>.
<b>Changes</b>:
This Werk adds proper sanitization of the affected parameter on core commands.
-
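Review bot: The Version field moves from 2.2.0p4 to 2.2.0p8, but the unchanged context still says "2.2.0 prior to version 2.2.0p4" under Affected Versions and still claims the issue was already mitigated by Werk #15889; if the fix now ships with p8, either the affected range should read "prior to 2.2.0p8" or the body should explain why p4 to p7 are not affected despite the later fix version. The trailing "-" line only removes an empty line at the end of the Werk and needs no action.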