GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Sat Jan 25, 2014 4:22 am Post subject: [ GLSA 201401-26 ] Zabbix: Shell command injection |
 |
|
Gentoo Linux Security Advisory
Title: Zabbix: Shell command injection (GLSA 201401-26)
Severity: high
Exploitable: remote
Date: January 23, 2014
Updated: June 02, 2014
Bug(s): #493250
ID: 201401-26
Synopsis
A vulnerability in Zabbix could allow remote attackers to execute
arbitrary shell code.
Background
Zabbix is software for monitoring applications, networks, and servers.
Affected Packages
Package: net-analyzer/zabbix
Vulnerable: < 2.0.9-r1
Unaffected: >= 2.0.9-r1
Architectures: All supported architectures
Description
If a flexible user parameter is configured in Zabbix agent, including a
newline in the parameters will execute newline section as a separate
command even if UnsafeUserParameters are disabled.
Impact
A remote attacker could possibly execute arbitrary shell code with the
privileges of the process.
Workaround
There is no known workaround at this time.
Resolution
All Zabbix 2.2 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-2.2.0-r4"
|
All Zabbix 2.0 users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/zabbix-2.0.9-r1"
|
References
CVE-2013-6824
Last edited by GLSA on Tue Jun 03, 2014 4:32 am; edited 1 time in total |
|
News & Announcements
