Security update for zabbix SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:0036-1 Final 1 1 2022-02-16T09:04:51Z current 2022-02-16T09:04:51Z 2022-02-16T09:04:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zabbix This update for zabbix fixes the following issues: - Updated to latest realease 4.0.37. Security issues fixed: - CVE-2022-23134: Fixed possible view of the setup pages by unauthenticated users if config file already exists (boo#1194681). - CVE-2021-27927: Fixed CSRF protection mechanism inside CControllerAuthenticationUpdate controller (boo#1183014). - CVE-2020-15803: Fixed stored XSS in the URL Widget (boo#1174253). Bugfixes: - boo#1181400: Added hardening to systemd service(s) - boo#1144018: Restructured for easier maintenance because FATE#324346 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-36 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EDFZEEJCPRPPDEWV6JULRJZVSQCMYOEY/ E-Mail link for openSUSE-SU-2022:0036-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1144018 SUSE Bug 1144018 https://bugzilla.suse.com/1174253 SUSE Bug 1174253 https://bugzilla.suse.com/1181400 SUSE Bug 1181400 https://bugzilla.suse.com/1183014 SUSE Bug 1183014 https://bugzilla.suse.com/1194681 SUSE Bug 1194681 https://www.suse.com/security/cve/CVE-2020-15803/ SUSE CVE CVE-2020-15803 page https://www.suse.com/security/cve/CVE-2021-27927/ SUSE CVE CVE-2021-27927 page https://www.suse.com/security/cve/CVE-2022-23134/ SUSE CVE CVE-2022-23134 page openSUSE Leap 15.3 zabbix-agent-4.0.37-lp153.2.3.1 zabbix-java-gateway-4.0.37-lp153.2.3.1 zabbix-phpfrontend-4.0.37-lp153.2.3.1 zabbix-proxy-4.0.37-lp153.2.3.1 zabbix-proxy-mysql-4.0.37-lp153.2.3.1 zabbix-proxy-postgresql-4.0.37-lp153.2.3.1 zabbix-proxy-sqlite-4.0.37-lp153.2.3.1 zabbix-server-4.0.37-lp153.2.3.1 zabbix-server-mysql-4.0.37-lp153.2.3.1 zabbix-server-postgresql-4.0.37-lp153.2.3.1 zabbix-agent-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-java-gateway-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-phpfrontend-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-proxy-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-proxy-mysql-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-proxy-postgresql-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-proxy-sqlite-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-server-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-server-mysql-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 zabbix-server-postgresql-4.0.37-lp153.2.3.1 as a component of openSUSE Leap 15.3 Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget. CVE-2020-15803 openSUSE Leap 15.3:zabbix-agent-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-java-gateway-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-phpfrontend-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-postgresql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-sqlite-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-postgresql-4.0.37-lp153.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EDFZEEJCPRPPDEWV6JULRJZVSQCMYOEY/ https://www.suse.com/security/cve/CVE-2020-15803.html CVE-2020-15803 https://bugzilla.suse.com/1174253 SUSE Bug 1174253 In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. CVE-2021-27927 openSUSE Leap 15.3:zabbix-agent-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-java-gateway-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-phpfrontend-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-postgresql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-sqlite-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-postgresql-4.0.37-lp153.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EDFZEEJCPRPPDEWV6JULRJZVSQCMYOEY/ https://www.suse.com/security/cve/CVE-2021-27927.html CVE-2021-27927 https://bugzilla.suse.com/1183014 SUSE Bug 1183014 After the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. Malicious actor can pass step checks and potentially change the configuration of Zabbix Frontend. CVE-2022-23134 openSUSE Leap 15.3:zabbix-agent-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-java-gateway-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-phpfrontend-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-postgresql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-proxy-sqlite-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-mysql-4.0.37-lp153.2.3.1 openSUSE Leap 15.3:zabbix-server-postgresql-4.0.37-lp153.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EDFZEEJCPRPPDEWV6JULRJZVSQCMYOEY/ https://www.suse.com/security/cve/CVE-2022-23134.html CVE-2022-23134 https://bugzilla.suse.com/1194681 SUSE Bug 1194681