Bug 729162 - (CVE-2011-2904, CVE-2011-3263, CVE-2011-3264) CVE-2011-2904 CVE-2011-3263 CVE-2011-3264 zabbix: multiple flaws in zabbix < 1.8.6
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20110804,reported=20110804,sou...
Keywords: Security
Depends On: 729164 729165
Reported: 2011-08-08 17:35 EDT by Vincent Danen
Modified: 2014-01-06 14:33 EST (History)
Fixed In Version: zabbix 1.8.6
Doc Type: Bug Fix
Last Closed: 2014-01-06 14:33:48 EST
Description Vincent Danen 2011-08-08 17:35:13 EDT
A vulnerability was reported [1],[2] in Zabbix where input passed to the "backurl" parameter in acknow.php is improperly sanitized before being returned to the user.  This could be used to facilitate a cross-site scripting attack.  This flaw is fixed in Zabbix 1.8.6 [3].

[1] http://secunia.com/advisories/45502
[2] https://support.zabbix.com/browse/ZBX-3835
[3] http://www.zabbix.com/rn1.8.6.php
Comment 1 Vincent Danen 2011-08-08 17:36:49 EDT
Created zabbix tracking bugs for this issue

Affects: fedora-all [bug 729164]
Affects: epel-all [bug 729165]
Comment 2 Vincent Danen 2011-08-10 13:54:12 EDT
This issue was assigned the name CVE-2011-2904.
Comment 3 Vincent Danen 2011-08-19 17:45:03 EDT
There were more issues corrected in zabbix 1.8.6, noted below:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2904 to
the following vulnerability:

Name: CVE-2011-2904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2904
Assigned: 20110727
Reference: http://www.openwall.com/lists/oss-security/2011/08/08/2
Reference: http://www.openwall.com/lists/oss-security/2011/08/09/5
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=729162
Reference: https://support.zabbix.com/browse/ZBX-3835
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063904.html
Reference: http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063884.html
Reference: http://www.securityfocus.com/bid/49016
Reference: http://secunia.com/advisories/45502
Reference: http://secunia.com/advisories/45677
Reference: http://xforce.iss.net/xforce/xfdb/69025

Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix
before 1.8.6 allows remote attackers to inject arbitrary web script or
HTML via the backurl parameter.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3263 to
the following vulnerability:

Name: CVE-2011-3263
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3263
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3794

zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows
context-dependent attackers to cause a denial of service (CPU
consumption) by executing the vfs.file.cksum command for a special
device, as demonstrated by the /dev/urandom device.


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3264 to
the following vulnerability:

Name: CVE-2011-3264
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3264
Assigned: 20110819
Reference: http://www.zabbix.com/rn1.8.6.php
Reference: https://support.zabbix.com/browse/ZBX-3840

Zabbix before 1.8.6 allows remote attackers to obtain sensitive
information via an invalid srcfld2 parameter to popup.php, which
reveals the installation path in an error message.
Comment 4 Vincent Danen 2011-08-19 17:45:58 EDT
Looks like we're ok on the Fedora side (1.8.6 in F14/F15, in testing for F16), and EPEL6 has 1.8.6 in testing as well.  I'm unsure whether or not all of these flaws affect EPEL4/5 though; it's at 1.4.6/1.4.7.
Comment 5 Volker Fröhlich 2013-01-22 10:58:01 EST
Only EPEL 5 should be left:

https://support.zabbix.com/browse/ZBX-3840?focusedCommentId=74131#comment-74131
Comment 6 Volker Fröhlich 2014-01-06 14:33:48 EST
zabbix 1.4.7 was retired and blocked in EPEL 5, as there is no upstream support for this version. This was the only remaining version potentially or actually prone to this issue, thus closing.

Users are encouraged to update to zabbix20 or later.
