[ZBX-15867] Security vulnerability when processing discovery contents from proxy - ZABBIX SUPPORT

XML

Word

Printable

Details

Type: Problem report
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.0.25, 4.0.6rc1
Fix Version/s: 3.0.26rc1, 4.0.6rc1, 4.2.0beta2, 4.2 (plan)
Component/s: Server (S)
Labels:
None

Team:
Team A
Sprint:
Sprint 49 (Feb 2019)
Story Points:
0.25

Description

It's possible to send specific network discovery contents to Zabbix server and make it to accept invalid DNS, resulting in such host being discovered:

Later if there are scripts that call HOST.DNS, for example script:

/usr/bin/traceroute {HOST.DNS}

It can open in something unexpected:

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

echo.png
54 kB
2019 Feb 20 17:56
traceroute.png
15 kB
2019 Feb 20 17:59

Issue Links

caused by

ZBX-12349 CVE-2017-2824 zabbix: Multiple vulnerabilities

Closed

Activity

People

Assignee:: Vladislavs Sokurenko

Reporter:: Vladislavs Sokurenko

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2019 Feb 20 18:01

Updated:: 2019 Mar 26 10:46

Resolved:: 2019 Mar 26 07:03