Werk #14485: Fix session cookie validation on RestAPI

Component REST API
Title Fix session cookie validation on RestAPI
Date Sep 2, 2022
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.2.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p11: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)
2.0.0p29: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

Before this Werk, expired sessions were still valid on the RestAPI, since the RestAPI only validated the cookie signature and did not check the session itself.

An attacker who was able to steal a session cookie could use that cookie on the RestAPI even after the session expired. Actions that require access to the user session fail because the session has expired; actions that do not access the session remain possible.
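The following is an added illustration of the two validation behaviours described above; it is not Checkmk's own code, and the cookie layout (`user:session_id:signature`), the secret, the session store and all function names are assumptions. The signature-only check accepts a cookie for as long as its HMAC verifies, which is the pre-fix behaviour; the fixed check additionally requires that the referenced server-side session still exists and has not expired.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed server-side secret used to sign cookies (assumption, not a real key).
SECRET = b"constructed-server-secret"


@dataclass
class Session:
    user: str
    expires_at: float  # Unix timestamp after which the session is no longer valid


# Constructed server-side session store, keyed by session id.
SESSIONS: Dict[str, Session] = {}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str, session_id: str, lifetime: float, now: float) -> str:
    """Create a server-side session and return the signed cookie 'user:session_id:sig'."""
    SESSIONS[session_id] = Session(user=user, expires_at=now + lifetime)
    payload = f"{user}:{session_id}"
    return f"{payload}:{_sign(payload)}"


def _verify_signature(cookie: str) -> Optional[Tuple[str, str]]:
    """Return (user, session_id) if the cookie signature is intact, else None."""
    try:
        user, session_id, sig = cookie.split(":")
    except ValueError:
        return None
    payload = f"{user}:{session_id}"
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return user, session_id


def validate_signature_only(cookie: str, now: float) -> Optional[str]:
    """Pre-fix behaviour: the cookie is accepted whenever its signature verifies.
    `now` is ignored, which is exactly the defect: session expiry never matters."""
    parsed = _verify_signature(cookie)
    return parsed[0] if parsed else None


def validate_signature_and_session(cookie: str, now: float) -> Optional[str]:
    """Fixed behaviour: the signature must verify AND the referenced session must
    exist, belong to the same user, and not be expired."""
    parsed = _verify_signature(cookie)
    if parsed is None:
        return None
    user, session_id = parsed
    session = SESSIONS.get(session_id)
    if session is None or session.user != user or now >= session.expires_at:
        return None
    return user


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Issue a one-hour session, then present the cookie two hours later.
    Returns what each validator accepts: the pre-fix check still returns the
    user, the fixed check rejects the expired session."""
    t0 = 1_000_000.0
    cookie = issue_cookie("cmkadmin", "sess-1", lifetime=3600, now=t0)
    later = t0 + 7200
    return validate_signature_only(cookie, later), validate_signature_and_session(cookie, later)


if __name__ == "__main__":
    print(demo())  # ('cmkadmin', None)
```

The point of the comparison is that a signature proves the cookie was minted by the server, not that the session behind it is still alive; any endpoint that authenticates from the cookie alone must also consult the session store (or an expiry embedded in the signed payload) and reject cookies whose session has ended.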

Affected Versions: All versions with the RestAPI are affected: 2.0, and 2.1.

Mitigations: Immediate mitigations are not available.

Indicators of Compromise: Review Apache and web.log for suspicious logs.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.6 (Medium) with the following CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. We have assigned CVE-2022-48317 for this issue.
