Werk #13724: Remove legacy macro expansion in Event Console script actions

Component Event Console
Title Remove legacy macro expansion in Event Console script actions
Date 10.03.2022
Checkmk version 2.2.0b1 2.1.0p1 2.0.0p25
Level Prominent change
Class Security fix
Compatibility Incompatible - Manual interaction might be required
Affected Editions
2.2.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p25 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

The Event Console can execute actions, e.g. shell scripts, when events are opened or cancelled. Details of the events are available to the script via environment variables prefixed with CMK_, as described in the user manual (https://docs.checkmk.com/latest/en/ec.html#_shell_scripts_and_emails). This mechanism will keep working as before.

However, there is a second, undocumented mechanism which relies on macro expansion in the shell scripts. Previously it was possible to use macros (e.g. $HOST$) in the Event Console scripts. These were replaced in the script text before the script was executed. The values of these macros can be untrusted input, so once substituted into the script they can lead to command injection. You are only affected by this issue if your scripts use the macro expansion.

With this incompatible change we remove the macro expansion mechanism for security reasons. The site update mechanism tries to detect Event Console actions using these macros, disables the actions and informs you about this change. The output of an omd update for a rule being disabled would look like this:

"Script 'some_action_id' uses macros. We disable it. Please replace the macros
with proper variables before enabling it again!"

If you use the Event Console with shell script actions, you should check your scripts for macros and replace them with the documented environment variable approach (Setup > Events > Event Console rule packs > Event Console configuration > Event Console configuration). All macro values are available as environment variables (they are prefixed with CMK_).
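
One way to check an action script for leftover macros before the update, as an added example that is not part of the Werk or of Checkmk's own code. It assumes the script text has been copied out of the Event Console configuration and is fed on stdin, and that a macro is an upper-case name between dollar signs as in $HOST$; the function names, the sample script and the $TEXT$ macro are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Event Console action script for legacy $NAME$ macros.
# Assumption: a macro is an upper-case name between dollar signs, like the
# page's $HOST$; Checkmk's own update check may match differently.
MACRO_RE='\$[A-Z][A-Z0-9_]*\$'

# Lines of the script on stdin that contain a macro, prefixed "lineno:".
# Adjacent shell variables such as $HOME$PATH also match, so review each hit.
macro_lines() {
    LC_ALL=C grep -nE "$MACRO_RE" || true
}

# Distinct macros used by the script on stdin, one per line.
list_macros() {
    { LC_ALL=C grep -oE "$MACRO_RE" || true; } | sort -u
}

# For each macro, the quoted environment variable to use instead,
# following the page's rule that the macro values carry a CMK_ prefix.
suggest_env() {
    list_macros | while IFS= read -r macro; do
        name=${macro#\$}
        name=${name%\$}
        printf '%s -> "$CMK_%s"\n' "$macro" "$name"
    done
}

# Constructed sample action script: line 2 is legacy, line 3 is already migrated.
SAMPLE_SCRIPT='#!/bin/sh
logger "event on $HOST$: $TEXT$"
echo "$CMK_HOST" >> /tmp/seen_hosts'

printf '%s\n' "$SAMPLE_SCRIPT" | macro_lines
printf '%s\n' "$SAMPLE_SCRIPT" | suggest_env
```

Keep the replacement variables inside double quotes so the shell treats the event data as a single argument rather than as script text.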
