Werk #13724: Remove legacy macro expansion in Event Console script actions
| Komponente | Event Console |
| Titel | Remove legacy macro expansion in Event Console script actions |
| Datum | 10.03.2022 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk-Version | 2.0.0p25 2.1.0p1 2.2.0b1 |
| Level | Bedeutende Änderung |
| Klasse | Sicherheitsfix |
| Kompatibilität | Inkompatibel - Manuelle Interaktion könnte erforderlich sein |
The Event Console is able to execute actions, e.g. shell scripts, when opening or cancelling events. Details of the events are available to the script via environment variables CMK_ as described in the user manual (https://docs.checkmk.com/latest/en/ec.html#_shell_scripts_and_emails). This mechanism will keep working as before.
However, there is a second undocumented mechanism which relies on macro expansion in the shell scripts. Previously it was possible to use macros (e.g. $HOST$) in the Event Console scripts. These were replaced before executing the script. The values of these macros can be untrusted input and lead to command injections. You are only affected by this issue, if your scripts use the macro expansion.
With this incompatible change we remove the macro expansion mechanism for security reasons. The site update mechanism tries to detect Event Console actions using these macros, disables the actions and informs you about this change. The output of an omd update for a rule being disabled would look like this:
"Script 'some_action_id' uses macros. We disable it. Please replace the macros
with proper variables before enabling it again!"
If you use the Event Console with shell script actions you should check your scripts for macros and replace them with the documented environment variable approach (Setup > Events > Event Console rule packs > Event Console configuration > Event Console configuration). You can access all macro values with environment variables (they are prefixed with CMK_).
