This fixes CVSS 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C. The description:
The check_mk application uses insecure API calls, which allow an attacker
to execute arbitrary code on the server by issuing just a single URL. The
reason for this is the usage of the insecure "pickle" API call. Apparently
this was introduced as a security measure in a former version, which used
"eval"-like structures with untrusted input data. However, as the Python API
documentation clearly states, "pickle" should be considered unsafe as well.
The fix replaces pickle with the ast module (ast.literal_eval). Unfortunately
this module is not available on CentOS/RedHat 5.X and Debian 5. On these
systems WATO still uses pickle, even with this fix.
Note: This change makes the current Check_MK versions incompatible
with older versions. In a mixed environment with old and new Check_MK versions or with old
and newer Python versions you have to force WATO to use the old,
unsafe method by setting wato_legacy_eval = True in multisite.mk.
This can also be done with the new global WATO setting "Use unsafe legacy
encoding for distributed WATO".
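The following is an added example, not Check_MK's own code, illustrating the two decoding paths this Werk describes: unpickling runs whatever callable the serialized data names, while ast.literal_eval accepts only Python literals and raises ValueError for anything else. The function names, the sample configuration dict and the Payload class are constructed for the demonstration (the benign callable stands in for what an attacker-controlled payload would reference); the legacy flag mirrors the wato_legacy_eval switch from the text.

```python
import ast
import pickle

# Constructed sample: a WATO-style configuration dict as it might be
# exchanged between distributed sites.
SAMPLE_CONFIG = {"host": "server01", "tags": ["prod", "linux"], "port": 6556}

# Records every call made through unpickling, so the test can observe it.
CALLS = []


def side_effect(tag):
    """Benign stand-in for a callable named inside pickle data."""
    CALLS.append(tag)
    return {"tag": tag}


class Payload:
    """Constructed object whose pickle representation names a callable.
    pickle.loads() will invoke that callable with the given arguments."""

    def __reduce__(self):
        return (side_effect, ("unpickled",))


def encode(obj):
    """Safe encoding: repr() of plain literals (dict/list/str/int/...).
    The receiver decodes it with ast.literal_eval, never with eval/pickle."""
    return repr(obj)


def decode(text, legacy_eval=False):
    """Hypothetical decoder with a wato_legacy_eval-style switch.

    legacy_eval=False -> ast.literal_eval: only literals, no calls,
                         no attribute access, no imports.
    legacy_eval=True  -> pickle.loads: executes callables named in the data
                         (the unsafe path this Werk removes).
    """
    if legacy_eval:
        return pickle.loads(text)
    return ast.literal_eval(text)


def pickle_runs_callable():
    """Show that unpickling attacker-shaped data triggers a function call."""
    del CALLS[:]
    data = pickle.dumps(Payload())          # constructed pickle stream
    decode(data, legacy_eval=True)          # side_effect() runs here
    return list(CALLS)


def literal_eval_rejects_calls():
    """Show that the hardened path refuses a call expression."""
    try:
        decode("dict(host='server01')")     # a call, not a literal
    except ValueError:
        return True
    return False


def roundtrip_ok():
    """Literal encoding survives the safe decoder unchanged."""
    return decode(encode(SAMPLE_CONFIG)) == SAMPLE_CONFIG


if __name__ == "__main__":
    print("roundtrip:", roundtrip_ok())
    print("literal_eval rejects calls:", literal_eval_rejects_calls())
    print("pickle invoked callable:", pickle_runs_callable())
```

Two caveats a practitioner should keep in mind: ast.literal_eval still parses the whole input, so very large or deeply nested strings can exhaust memory or recursion depth (a denial-of-service concern, not code execution), and on the platforms named above where ast is missing the legacy pickle path remains active and the transport between sites should be trusted accordingly.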