Werk #15195: Protect automation user secret against timing attacks

Component Setup
Title Protect automation user secret against timing attacks
Date Nov 17, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.2.0p15 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT
2.1.0p37 Checkmk Community, Checkmk Pro, Checkmk Ultimate MT

This Werk improves how the secret of an automation user is validated during login. Prior to this Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now.

Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).
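The difference between an early-exit comparison and a constant-time one, as an added Python example (not Checkmk's code; the `SECRETS` store, the sample secret and all function names are hypothetical). The step counter stands in for elapsed time so the effect is visible without measuring anything:

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample store: user name -> automation secret (not real Checkmk data).
SECRETS = {"automation": "s3cr3t-constructed-sample"}


def naive_equal_steps(candidate: bytes, secret: bytes) -> tuple[bool, int]:
    """Early-exit comparison; also returns how many byte pairs were examined."""
    if len(candidate) != len(secret):
        return False, 0
    steps = 0
    for a, b in zip(candidate, secret):
        steps += 1
        if a != b:
            return False, steps  # work done depends on the matching prefix
    return True, steps


def _digest(value: str) -> bytes:
    # Hashing yields fixed-length bytes, so the comparison below never sees
    # the secret's length and also accepts non-ASCII input.
    return hashlib.sha256(value.encode("utf-8")).digest()


def verify_automation_secret(user: str, candidate: str) -> bool:
    """Constant-time check; unknown users go through the same comparison."""
    stored = SECRETS.get(user)
    reference = _digest(stored if stored is not None else "")
    matches = hmac.compare_digest(_digest(candidate), reference)
    return matches and stored is not None
```

`hmac.compare_digest` takes time independent of where the inputs differ, which is the property the early-exit loop lacks.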
