| CVE number |
no CVE registered |
| CVSS score |
- |
| Severity |
Medium |
| Affected versions |
2.0-2.X
3.0-3.X
4.0.0 - 4.0.36
5.0.18
5.4.0 -5.4.8
6.0.0alpha1-6.0.0beta1 |
| Description |
In Zabbix Java Gateway with logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. |
| Known attack vectors |
A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met: write access to zabbix_java_gateway_logback.xml; use of logback versions < 1.2.9; reloading of poisoned configuration data, which implies application restart or scan="true" set prior to the attack. An attacker with such privileges may get remote access to the server with Zabbix Java Gateway |
| Resolution |
To remediate CVE-2021-42550 apply the updates listed in the 'Fixed Version' section to appropriate products or if an immediate update is not possible, follow the presented below workarounds.
As an additional measure for the fixed versions, we also recommend checking permission to /etc/zabbix/zabbix_java_gateway_logback.xml file and set it read-only, if write permissions are available for “zabbix” user. |
| Workarounds |
If an immediate update is not possible, check permissions for “zabbix” user:
- /etc/zabbix/zabbix_java_gateway_logback.xml file permissions are set to read-only only;
- the user cannot restart Zabbix Java Gateway service.
|
Team A