Werk #16232: mk_oracle(ps1): Prevent privilege esclation to root

Component Checks & agents
Title mk_oracle(ps1): Prevent privilege esclation to root
Date Jan 17, 2024
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p41 2.2.0p24 2.3.0b4 2.4.0b1
Level Major Change
Class Security Fix
Compatibility Compatible - no manual interaction needed

The agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs were vulnerable to privilege escalation to root by the oracle user.

A malicious oracle user could replace a binary (e.g. sqlplus) with another script and put it in the corresponding directory. The script would be executed by the root user.

All binaries, which are called by the plugins, are now checked if they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation. Affected binaries are: sqlplus, tnsping, crsctl.

Affected Versions

  • 2.3.0 (beta)
  • 2.2.0
  • 2.1.0
  • 2.0.0 (EOL) and older


If updating is not possible, disable the mk_oracle plugin.

Vulnerability Management

We have rated the issue with a CVSS score of 8.2 (High) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

We have assigned CVE-2024-0638.


All called binaries are now executed in a safe way.

To the list of all Werks