Security update for zabbix SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:0990-1 Final 1 1 2021-03-30T15:59:13Z current 2021-03-30T15:59:13Z 2021-03-30T15:59:13Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zabbix This update for zabbix fixes the following issues: - CVE-2021-27927: Fixed an improper CSRF protection mechanism (bsc#1183014). - CVE-2013-7484: Fixed an issue where passwords in the users table were unsalted (bsc#1158321). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-990,SUSE-SLE-SERVER-12-SP5-2021-990 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20210990-1/ Link for SUSE-SU-2021:0990-1 https://lists.suse.com/pipermail/sle-security-updates/2021-March/008571.html E-Mail link for SUSE-SU-2021:0990-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1158321 SUSE Bug 1158321 https://bugzilla.suse.com/1183014 SUSE Bug 1183014 https://www.suse.com/security/cve/CVE-2013-7484/ SUSE CVE CVE-2013-7484 page https://www.suse.com/security/cve/CVE-2021-27927/ SUSE CVE CVE-2021-27927 page SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 zabbix-agent-4.0.12-4.12.1 zabbix-java-gateway-4.0.12-4.12.1 zabbix-phpfrontend-4.0.12-4.12.1 zabbix-proxy-4.0.12-4.12.1 zabbix-proxy-mysql-4.0.12-4.12.1 zabbix-proxy-postgresql-4.0.12-4.12.1 zabbix-proxy-sqlite-4.0.12-4.12.1 zabbix-server-4.0.12-4.12.1 zabbix-server-mysql-4.0.12-4.12.1 zabbix-server-postgresql-4.0.12-4.12.1 zabbix-agent-4.0.12-4.12.1 as a component of SUSE Linux Enterprise Server 12 SP5 zabbix-agent-4.0.12-4.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 Zabbix before 5.0 represents passwords in the users table with unsalted MD5. CVE-2013-7484 SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.12.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210990-1/ https://www.suse.com/security/cve/CVE-2013-7484.html CVE-2013-7484 https://bugzilla.suse.com/1158321 SUSE Bug 1158321 In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges. CVE-2021-27927 SUSE Linux Enterprise Server 12 SP5:zabbix-agent-4.0.12-4.12.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:zabbix-agent-4.0.12-4.12.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20210990-1/ https://www.suse.com/security/cve/CVE-2021-27927.html CVE-2021-27927 https://bugzilla.suse.com/1183014 SUSE Bug 1183014