Werk #15195: Protect automation user secret against timing attacks

Component Setup
Title Protect automation user secret against timing attacks
Date Nov 17, 2023
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.3.0b1
Not yet released
Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0b1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p15 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.1.0p37 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk MSP (CME)

This Werks improves how the secret of an automation user is validated during login. Prior to the Werk, the automation user's password was not checked in a way that is safe against (theoretical) timing attacks. This is fixed now.

Even though this Werk improves security, it does not address an exploitable vulnerability. To aid automated scanning we assign a CVSS score of 0.0 (None) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N).

To the list of all Werks