Werk #17455: Baking agents with encrypted real time checks and an empty password will fail

Component Setup, site management
Title Baking agents with encrypted real time checks and an empty password will fail
Date May 15, 2025
Level Trivial Change
Class Bug Fix
Compatibility Incompatible - Manual interaction might be required
Checkmk versions & editions
2.5.0b1
Not yet released
Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.4.0p3 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this fix it was possible to build an agent with encryption enabled in the UI but an empty password. This would cause the agent to send the data unencrypted, and the checkmk site to refuse the data as it expected an encryption. Now when real-time checks are enabled a password has to be set in the UI and the agent bakery will refuse to bake an agent if encryption is enabled and the secret is set. Now when real-time checks are enabled a password has to be set in the UI and the agent bakery will refuse to bake an agent if ecryption is enabled and the secret is set. During the update a default password is set.

We marked this change as incompatible, as you need to rebuild the agents and install them to get a working configuration.

This werk does not fix an exploitable vulnerability.

Vulnerability Management:

To aid automated scanning we assign a CVSS score of 0.0 None (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N).

To the list of all Werks