Bug 729162 (CVE-2011-2904, CVE-2011-3263, CVE-2011-3264)

Summary: CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < 1.8.6
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: dan, jeff, nelsonab, volker27
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: zabbix 1.8.6
Doc Type: Bug Fix
Last Closed: 2014-01-06 19:33:48 UTC
Bug Depends On: 729164, 729165

Description Vincent Danen 2011-08-08 21:35:13 UTC
A vulnerability was reported [1],[2] in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user.  This could be used to facilitate a cross-site scripting attack.  This flaw is fixed in Zabbix 1.8.6 [3].

[1] http://secunia.com/advisories/45502
[2] https://support.zabbix.com/browse/ZBX-3835
[3] http://www.zabbix.com/rn1.8.6.php

Comment 1 Vincent Danen 2011-08-08 21:36:49 UTC
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 729164]
Affects: epel-all [bug 729165]

Comment 2 Vincent Danen 2011-08-10 17:54:12 UTC
This issue was assigned the name CVE-2011-2904.

Comment 3 Vincent Danen 2011-08-19 21:45:03 UTC
There were more issues corrected in zabbix 1.8.6, noted below:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2904 to
the following vulnerability:

Name: CVE-2011-2904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2904
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/08/2
Reference: http://www.openwall.com/lists/oss-security/2011/08/09/5
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=729162
Reference: https://support.zabbix.com/browse/ZBX-3835
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
Reference: http://www.securityfocus.com/bid/49016
Reference: http://secunia.com/advisories/45502
Reference: http://secunia.com/advisories/45677
Reference: http://xforce.iss.net/xforce/xfdb/69025

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix
before 1.8.6 allows remote attackers to inject arbitrary web script or
HTML via the backurl parameter.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3263 to
the following vulnerability:

Name: CVE-2011-3263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3263
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3794

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
context-dependent attackers to cause a denial of service (CPU
consumption) by executing the vfs.file.cksum command for a special
device, as demonstrated by the /dev/urandom device.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3264 to
the following vulnerability:

Name: CVE-2011-3264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3264
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3840

Zabbix before 1.8.6 allows remote attackers to obtain sensitive
information via an invalid srcfld2 parameter to popup.php, which
reveals the installation path in an error message.
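
Added example (not part of the bug report and not Zabbix code): the CVE-2011-3263 text above describes a checksum item reading a special device that never reaches end-of-file. One defensive pattern is to refuse anything that is not a bounded regular file before reading. `safe_file_cksum`, the `CK_*` codes and the 64 MiB cap are hypothetical, Adler-32 stands in for the agent's checksum, and this is not the upstream fix.

```c
/* Added example; hypothetical names, not Zabbix source code. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
enum { CK_OK = 0, CK_ERR_OPEN = -1, CK_ERR_NOT_REG = -2, CK_ERR_TOO_BIG = -3, CK_ERR_READ = -4 };
#define CK_MAX_BYTES (64LL * 1024 * 1024) /* assumed policy cap, tune per site */

static int ck_fail(int fd, int code) { close(fd); return code; }

/* Checksum path only if it is a regular file no larger than CK_MAX_BYTES. */
int safe_file_cksum(const char *path, uint32_t *sum_out)
{
    unsigned char buf[4096];
    struct stat st;
    uint32_t a = 1, b = 0; /* Adler-32, standing in for the agent's checksum */
    long long total = 0;
    ssize_t n;
    /* O_NONBLOCK so that opening a FIFO with no writer cannot hang the worker. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return CK_ERR_OPEN;
    /* fstat() the open descriptor, not the path, so the type check cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return ck_fail(fd, CK_ERR_NOT_REG); /* device, FIFO, socket, directory */
    if (st.st_size > CK_MAX_BYTES) return ck_fail(fd, CK_ERR_TOO_BIG);

    while ((n = read(fd, buf, sizeof buf)) > 0) {
        total += n;
        if (total > CK_MAX_BYTES) /* file grew while being read */
            return ck_fail(fd, CK_ERR_TOO_BIG);
        for (ssize_t i = 0; i < n; i++) {
            a = (a + buf[i]) % 65521u;
            b = (b + a) % 65521u;
        }
    }
    close(fd);
    if (n < 0) return CK_ERR_READ;
    *sum_out = (b << 16) | a;
    return CK_OK;
}

int main(void)
{
    uint32_t sum = 0;
    int rc = safe_file_cksum("/dev/urandom", &sum); /* the device named in the CVE text */
    printf("/dev/urandom -> %d\n", rc);
    return rc == CK_ERR_NOT_REG ? 0 : 1;
}
```

The type check runs on the descriptor returned by `open()`, so swapping the path for a device between check and read does not bypass it.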

Comment 4 Vincent Danen 2011-08-19 21:45:58 UTC
Looks like we're ok on the Fedora side (1.8.6 in F14/F15, in testing for F16), and EPEL6 has 1.8.6 in testing as well.  I'm unsure whether or not all of these flaws affect EPEL4/5 though; it's at 1.4.6/1.4.7.

Comment 5 Volker Fröhlich 2013-01-22 15:58:01 UTC
Only EPEL 5 should be left:

https://support.zabbix.com/browse/ZBX-3840?focusedCommentId=74131#comment-74131

Comment 6 Volker Fröhlich 2014-01-06 19:33:48 UTC
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing.

Users are encouraged to update to zabbix20 or later.