-
Defect (Security)
-
Resolution: Fixed
-
Critical
-
None
-
Team A
-
Sprint 83 (Dec 2021), Sprint 84 (Jan 2022), Sprint 85 (Feb 2022), Sprint 86 (Mar 2022), Sprint 87 (Apr 2022), Sprint 88 (May 2022), Sprint 89 (Jun 2022)
-
0.5
| CVE number | no CVE registered |
| CVSS score | - |
| Severity | Medium |
| Affected versions | 2.0-2.X 3.0-3.X 4.0.0 - 4.0.36 5.0.18 5.4.0 -5.4.8 6.0.0alpha1-6.0.0beta1 |
| Description | In Zabbix Java Gateway with logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. |
| Known attack vectors | A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met: write access to zabbix_java_gateway_logback.xml; use of logback versions < 1.2.9; reloading of poisoned configuration data, which implies application restart or scan="true" set prior to the attack. An attacker with such privileges may get remote access to the server with Zabbix Java Gateway |
| Resolution | To remediate CVE-2021-42550 apply the updates listed in the 'Fixed Version' section to appropriate products or if an immediate update is not possible, follow the presented below workarounds. As an additional measure for the fixed versions, we also recommend checking permission to /etc/zabbix/zabbix_java_gateway_logback.xml file and set it read-only, if write permissions are available for “zabbix” user. |
| Workarounds | If an immediate update is not possible, check permissions for “zabbix” user:
|
- caused by
-
ZBXNEXT-555 remote monitoring of jmx applications
-
- Closed
-
