Wir nutzen Cookies, um Ihnen eine optimale Nutzung dieser Webseite zu ermöglichen. Mehr Informationen finden Sie im Datenschutzhinweis. Wir nehmen an, dass Sie damit einverstanden sind, falls Sie diese Webseite weiter besuchen.

Ihre Cookie-Einstellungen
Ihre Einstellungen wurden aktualisiert.
Damit die Änderungen wirksam werden, löschen Sie bitte Ihre Browser-Cookies und den Cache und laden dann die Seite neu.

Werk #0984: Fix code injection for logged in users via automation url

TitelFix code injection for logged in users via automation url
Datum2014-05-27 15:01:17
Checkmk EditionCheckmk Raw Edition (CRE)
Checkmk Version1.2.5i4
LevelProminent Change
KlasseSecurity Fix
KompatibilitätIncompatible - Manual interaction might be required

This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:

The check_mk applications uses insecure API calls, which allow an attacker to execute arbitrary code on the server by issuing just a single URL. The reason for this is the usage of the insecure "pickle" API call. Apparently this was modified as a security means from a former version, which used "eval"-like structures with untrusted input data. Anyhow, as the python API documentation clearly state, "pickle" should be considered unsafe as well, see: https://docs.python.org/2/library/pickle.html.

The fix replaces pickle with a module called ast. Unfortunately this module is not available on Centos/RedHat 5.X and Debian 5. On these systems WATO still uses pickle, even with this fix.

Note: This change makes the current Check_MK versions incompatible to older versions. In a mixed environment with old and new Check_MK versions or with old and newer Python versions you have to force WATO to use the old unsafe method by setting wato_legacy_eval = True in multisite.mk. This can also be done with the new global WATO setting Use unsafe legacy encoding for distributed WATO.