CVE-2022-46302

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated Checkmk users to directly interact with the underlying Apache installation through reverse proxy configurations, enabling remote code execution with root privileges. It affects Checkmk versions 2.1.0p6 and earlier, 2.0.0p27 and earlier, and all versions of Checkmk 1.6.0 (which is end-of-life).

💻 Affected Systems

Products:
  • Checkmk
Versions: Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, all versions of Checkmk 1.6.0
Operating Systems: Linux-based systems running Checkmk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to Checkmk web interface. Checkmk 1.6.0 is end-of-life and will not receive patches.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level remote code execution, allowing complete control over the host, data exfiltration, and lateral movement.

🟠 Likely Case

Authenticated attackers gaining root shell access to the underlying operating system, enabling privilege escalation and persistence.

🟢 If Mitigated

Limited to authenticated user access with proper network segmentation and monitoring in place.

🌐 Internet-Facing: HIGH - If Checkmk is exposed to the internet, authenticated users can achieve root RCE.
🏢 Internal Only: HIGH - Even internally, authenticated users can exploit this for root access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in the reverse proxy configuration handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Checkmk 2.1.0p7, Checkmk 2.0.0p28

Vendor Advisory: https://checkmk.com/werk/14281

Restart Required: Yes

Instructions:

1. Backup your Checkmk configuration.
2. Update to Checkmk 2.1.0p7 or 2.0.0p28 using your distribution's package manager.
3. Restart Checkmk services: 'omd restart' or 'systemctl restart checkmk'.
4. Verify the update with 'omd version'.

🔧 Temporary Workarounds

Restrict reverse proxy configuration access

Limit which users can modify reverse proxy configurations through Checkmk's access control settings.

# Configure in Checkmk web interface under Setup > Users > Edit user permissions

Network segmentation

Isolate Checkmk servers from critical infrastructure and implement strict firewall rules.

# Example iptables rules: allow the trusted network, drop everything else
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Immediately restrict Checkmk access to only trusted, necessary users and implement strict authentication controls.
  • Implement network segmentation to isolate Checkmk servers and monitor for suspicious Apache configuration changes.

🔍 How to Verify

Check if Vulnerable:

Check your Checkmk version with 'omd version' or in the web interface under Help > About. If the version is 2.1.0p6 or earlier, 2.0.0p27 or earlier, or any 1.6.0 release, you are vulnerable.

Check Version:

omd version

Verify Fix Applied:

After updating, verify version is 2.1.0p7 or higher, or 2.0.0p28 or higher. Test that authenticated users cannot modify Apache configurations through the reverse proxy interface.
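The version check above is easy to get wrong by hand because Checkmk patch levels ("p6", "p28") sort numerically, not as strings. The following script is an added example (not from the advisory or the Checkmk project) that parses the version token out of 'omd version' output and reports whether it falls inside one of the affected ranges stated on this page. The exact wording of the 'omd version' output line is an assumption; only the version token itself is used.

```python
import re
import subprocess

# Affected ranges as stated in the advisory: <= 2.1.0p6, <= 2.0.0p27,
# and every 1.6.0 release (end-of-life, no fix). First fixed patch levels
# per branch are 2.1.0p7 and 2.0.0p28.
FIRST_FIXED_PATCH = {(2, 1, 0): 7, (2, 0, 0): 28}
UNFIXED_BRANCHES = {(1, 6, 0)}

# Matches "2.1.0p6", "2.0.0p28" or a bare "2.1.0"; any edition suffix
# that follows (e.g. ".cre") is ignored.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_checkmk_version(text):
    """Extract (major, minor, micro, patch) from text such as the output of
    'omd version'. A release with no 'pN' suffix is treated as patch 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Checkmk version found in: %r" % text)
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version):
    """True when the version lies inside a range the advisory lists as
    affected. Versions outside those ranges (e.g. newer branches) are
    reported as not affected by this CVE, not as safe in general."""
    branch = version[:3]
    if branch in UNFIXED_BRANCHES:
        return True
    if branch in FIRST_FIXED_PATCH:
        return version[3] < FIRST_FIXED_PATCH[branch]
    return False


def assess(text):
    """Return a one-line verdict for the given version text."""
    version = parse_checkmk_version(text)
    label = "%d.%d.%dp%d" % version
    if not is_affected(version):
        return "%s: not in an affected range" % label
    branch = version[:3]
    if branch in UNFIXED_BRANCHES:
        return "%s: AFFECTED, branch is end-of-life, migrate to a fixed branch" % label
    fixed = branch + (FIRST_FIXED_PATCH[branch],)
    return "%s: AFFECTED, update to %d.%d.%dp%d or later" % ((label,) + fixed)


if __name__ == "__main__":
    try:
        output = subprocess.run(["omd", "version"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        # Constructed sample output, used when omd is not installed here.
        output = "OMD - Open Monitoring Distribution Version 2.1.0p6.cre"
    print(assess(output))
```

Run it on the Checkmk host as a user that can execute 'omd'; on a multi-site host, check each site, since sites can run different versions.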

📡 Detection & Monitoring

Log Indicators:

  • Unusual Apache configuration changes in /omd/sites/[site]/etc/apache/conf.d/
  • Suspicious commands executed as root from Checkmk processes
  • Unexpected reverse proxy rule modifications
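The first log indicator above, unexpected changes under a site's Apache conf.d directory, is straightforward to watch for with a file-integrity baseline. The script below is an added example (not part of the advisory or of Checkmk) that hashes every file in a conf.d directory, stores the result as a baseline, and on later runs reports files added, removed or modified. The directory path is taken from the advisory; the demo() function runs against a constructed temporary directory rather than a real site.

```python
import hashlib
import json
import os
import sys
import tempfile

# Directory named in the advisory's log indicators; {site} is the OMD site name.
CHECKMK_APACHE_CONF_DIR = "/omd/sites/{site}/etc/apache/conf.d"


def snapshot(conf_dir):
    """Map each regular file under conf_dir (relative path) to its SHA-256."""
    digests = {}
    for root, _dirs, files in os.walk(conf_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, conf_dir)] = digest
    return digests


def diff_snapshots(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Run the check against a constructed directory, not a real site."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "conf.d")
        os.makedirs(conf_dir)
        existing = os.path.join(conf_dir, "zzz_site.conf")
        with open(existing, "w") as fh:
            fh.write("# constructed stand-in for an existing config file\n")
        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(conf_dir), baseline_path)

        # Simulate the kind of change the detection should surface:
        # a new file appears and an existing file is edited.
        with open(os.path.join(conf_dir, "99_unexpected.conf"), "w") as fh:
            fh.write("# constructed: new file\n")
        with open(existing, "a") as fh:
            fh.write("# constructed: appended line\n")

        return diff_snapshots(load_baseline(baseline_path), snapshot(conf_dir))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 fim_check.py /omd/sites/<site>/etc/apache/conf.d baseline.json
        conf_dir, baseline_path = sys.argv[1], sys.argv[2]
        if os.path.exists(baseline_path):
            changes = diff_snapshots(load_baseline(baseline_path), snapshot(conf_dir))
            print(json.dumps(changes, indent=2))
            sys.exit(1 if any(changes.values()) else 0)
        save_baseline(snapshot(conf_dir), baseline_path)
        print("baseline written to %s" % baseline_path)
    else:
        print(json.dumps(demo(), indent=2))
```

Take the baseline immediately after patching or after a reviewed configuration change, and keep the baseline file off the Checkmk host (or at least outside the site directory): once an attacker has root on the host, local files can no longer be trusted, so the comparison should run from the monitoring side.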

Network Indicators:

  • Unusual outbound connections from Checkmk server to external systems
  • SSH or other remote access attempts originating from Checkmk server

SIEM Query:

(source="apache" OR source="checkmk") AND (event="configuration_change" OR event="reverse_proxy_modification")

🔗 References
