Werk #17100: Fix use of empty session secret

Component Setup
Title Fix use of empty session secret
Date May 8, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.5.0b1 (not yet released) Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p1 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p32 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p42 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Previously, Checkmk sites created with version 2.2.0 and later were initialized with an empty session secret (etc/auth.secret), and Checkmk would use that empty secret to sign session cookies. As a consequence, obtaining a user's active session ID was sufficient for an attacker to take over that session, because the cookie signature could be computed without any secret material.

With this Werk, Checkmk no longer allows empty secrets. Existing empty secrets will be replaced with a newly generated one. Note that this will invalidate all current session cookies, so users will have to log in again once the site is updated.

We are not aware of any way to leak session IDs and thus exploit this issue. Therefore, we do not assign a CVE and we assign a CVSS score of 0.0 None (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N).
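The following is an added illustration of the defect class and the fix described in this Werk; it is not Checkmk's own code and does not reproduce Checkmk's cookie format or its real session handling. It assumes a simplified cookie layout of `<session_id>:<hex HMAC-SHA256>` and uses the file path `etc/auth.secret` from the Werk inside a constructed temporary site directory. The signing and verification helpers refuse an empty secret outright, and the loader replaces an empty or missing secret file with fresh random bytes, which (as the Werk notes) invalidates every cookie signed under the old secret.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional

SECRET_BYTES = 32  # 256 bits of randomness for the HMAC key


def load_or_replace_secret(secret_file: Path) -> bytes:
    """Return the session secret stored at secret_file.

    A missing, empty or whitespace-only secret is treated as unusable and
    replaced with fresh random bytes. Replacing it means every cookie signed
    under the old (empty) secret stops verifying, which is the intended effect.
    """
    if secret_file.exists():
        existing = secret_file.read_bytes().strip()
        if existing:
            return existing
    new_secret = secrets.token_hex(SECRET_BYTES).encode("ascii")
    secret_file.parent.mkdir(parents=True, exist_ok=True)
    secret_file.write_bytes(new_secret)
    secret_file.chmod(0o600)  # only the site user should be able to read it
    return new_secret


def sign_session(session_id: str, secret: bytes) -> str:
    """Return a cookie value of the form '<session_id>:<hex hmac>' (assumed layout).

    Signing with an empty key would make the MAC computable by anyone who
    knows the session ID, so an empty secret is rejected outright.
    """
    if not secret:
        raise ValueError("refusing to sign a session cookie with an empty secret")
    mac = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{session_id}:{mac}"


def verify_session(cookie: str, secret: bytes) -> Optional[str]:
    """Return the session ID if the cookie's MAC is valid, else None."""
    if not secret:
        raise ValueError("refusing to verify a session cookie with an empty secret")
    session_id, sep, mac = cookie.rpartition(":")
    if not sep:
        return None
    expected = hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking how many MAC bytes matched
    if hmac.compare_digest(mac, expected):
        return session_id
    return None


def run_demo() -> dict:
    """Walk through the scenario on a constructed temporary site directory.

    Starts from an empty etc/auth.secret (the pre-fix state), replaces it,
    and checks that only cookies carrying a MAC under the new secret verify.
    """
    with tempfile.TemporaryDirectory() as site_dir:
        secret_file = Path(site_dir) / "etc" / "auth.secret"
        secret_file.parent.mkdir(parents=True)
        secret_file.write_bytes(b"")  # constructed: the broken empty secret

        secret = load_or_replace_secret(secret_file)
        session_id = "constructed-session-id-1234"
        cookie = sign_session(session_id, secret)
        # A cookie that carries the right session ID but no valid MAC must fail:
        # knowing the session ID alone is no longer enough.
        unsigned = f"{session_id}:{'0' * 64}"

        second_load = load_or_replace_secret(secret_file)
        return {
            "secret_was_replaced": len(secret) == 2 * SECRET_BYTES,
            "secret_is_stable": second_load == secret,
            "valid_cookie_accepted": verify_session(cookie, secret) == session_id,
            "unsigned_cookie_rejected": verify_session(unsigned, secret) is None,
        }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Running the script prints `True` for all four checks. The point the example makes is that the guard belongs in two places: at startup, where an empty secret file is replaced rather than silently accepted, and in the signing and verification path, where an empty key is treated as a configuration error rather than a valid key.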
