Werk #3743: mk_jolokia: Fix possible code injection
Komponente | Checks & agents |
Titel | mk_jolokia: Fix possible code injection |
Datum | 25.08.2016 |
Checkmk Edition | Checkmk Raw (CRE) |
Checkmk-Version | 1.2.8p10 1.4.0i1 |
Level | Kleine Änderung |
Klasse | Sicherheitsfix |
Kompatibilität | Inkompatibel - Manuelle Interaktion könnte erforderlich sein |
The plugin now requires either the json or simplejson python library to work.
Python 2.6 or higher ships with json, in this case, the plugin will work just as before.
simplejson is available for Python 2.5 and higher, installation of this package is required for the plugin to work.
Older python versions are not supported, please query your Jolokia instances from another host in these cases (recommended) or continue to use the old version of the plugin. (not recommended)
In absence of the json or simplejson python libraries, the mk_jolokia plugin would previously try to parse the Jolokia response with python eval(), allowing a MITM attacker to inject arbitrary code.