Werk #15195: Protect automation user secret against timing attacks

Component Setup
Title Protect automation user secret against timing attacks
Date 17.11.2023
Level Trivial change
Class Security fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p15 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p37 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This Werk improves how the secret of an automation user is validated during login. Prior to this Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now.

Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
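
A sketch of what a timing-safe secret check looks like in Python, added here as an illustration and not taken from Checkmk's code. The names `AUTOMATION_SECRETS`, `DUMMY_SECRET`, `bytes_examined_by_early_exit` and `check_automation_secret` are hypothetical, and the stored secret is a constructed sample. The first function models the early-exit behaviour that makes an ordinary comparison time-dependent; the second uses `hmac.compare_digest` from the standard library.

```python
import hmac
import secrets

# Constructed sample store (hypothetical; not how Checkmk stores secrets).
AUTOMATION_SECRETS = {"automation": "s3cr3t-t\u00f6ken-constructed"}

# Stand-in secret so an unknown user costs the same comparison as a known one.
DUMMY_SECRET = secrets.token_urlsafe(32)


def bytes_examined_by_early_exit(supplied: bytes, stored: bytes) -> int:
    """Model of a comparison that stops at the first mismatch.

    The return value is the number of byte positions inspected, which is
    the quantity a response-time measurement would approximate.
    """
    examined = 0
    for x, y in zip(supplied, stored):
        examined += 1
        if x != y:
            break
    return examined


def check_automation_secret(user_id: str, supplied: str) -> bool:
    """Validate a secret without a data-dependent early exit."""
    stored = AUTOMATION_SECRETS.get(user_id)
    expected = stored if stored is not None else DUMMY_SECRET
    # Compare bytes: hmac.compare_digest() raises TypeError for non-ASCII str.
    matches = hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))
    # Evaluate the comparison first, then apply the "user exists" condition.
    return matches and stored is not None


if __name__ == "__main__":
    stored = AUTOMATION_SECRETS["automation"].encode("utf-8")
    for guess in (b"xxxxxx", b"s3cxxx", b"s3cr3t"):
        print(guess, "early-exit positions examined:", bytes_examined_by_early_exit(guess, stored))
    print(check_automation_secret("automation", AUTOMATION_SECRETS["automation"]))
    print(check_automation_secret("automation", "s3cr3t-wrong"))
    print(check_automation_secret("nobody", DUMMY_SECRET))
```

`hmac.compare_digest` may still reveal the length of the compared values through timing, as its documentation notes; it removes the dependence on where the first mismatch occurs.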
