Two vulnerabilities in the Zabbix server were reported by Cisco TALOS.
CVE-2017-2824
TALOS-2017-0325
Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability
An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.
http://www.talosintelligence.com/reports/TALOS-2017-0325/CVE-2017-2825
TALOS-2017-0326
Zabbix Proxy Server SQL Database Write Vulnerability
An exploitable database write vulnerability exists in the trapper functionality of Zabbix Server 2.4.X. Specifically crafted trapper packets can pass database logic checks, resulting in database writes. An attacker can set up a Man-in-the-Middle server to alter trapper requests made between an active Zabbix proxy and the server to trigger this vulnerability.
http://www.talosintelligence.com/reports/TALOS-2017-0326/
Created zabbix tracking bugs for this issue:
Affects: epel-6 [bug 1448394]
Affects: openshift-1 [bug 1448396]
Created zabbix20 tracking bugs for this issue:
Affects: epel-all [bug 1448393]
Created zabbix22 tracking bugs for this issue:
Affects: epel-all [bug 1448395]