Bug 1196946 (CVE-2022-24918)

Summary: VUL-0: CVE-2022-24918: zabbix: Reflected XSS in item configuration window of Zabbix Frontend
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: boris, mvetter, pgajdos, sbrabec, smash_bz, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/325663/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24918:3.7:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2022-03-10 07:53:40 UTC 
CVE-2022-24918

An authenticated user can create a link with reflected Javascript code inside it
for items’ page and send it to other users. The payload can be executed only
with a known CSRF token value of the victim, which is changed periodically and
is difficult to predict.
Malicious code has access to all the same objects as the rest of the web page
and can make arbitrary modifications to the contents of the page being displayed
to a victim during social engineering attacks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24918
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24918
https://support.zabbix.com/browse/ZBX-20680
Comment 1 Petr Gajdos 2022-03-17 09:01:09 UTC 
Adding Boris to CC.
Comment 2 Stanislav Brabec 2022-03-17 22:22:44 UTC 
I read the referred upstream page.

It seems that the 9 referred commits are backported as a single commit to the version 4.0.39rc1: 763ff68f0e5, which is nearest to our SLE versions (4.0.12 and 4.0.31).

I took that patch and applied. Submitted:

SUSE:SLE-15-SP2:Update:Products:SES7:Update:
https://build.suse.de/request/show/267815

SUSE:SLE-12-SP3:Update:
https://build.suse.de/request/show/267816


Notes:
Please carefully check. I don't have insight to the package.
The changes file explicitly mentions an unfixed bug that is ignored by the upstream. If this will change before the release, feel free to delete this line.
Comment 3 Boris Manojlovic 2022-03-18 08:00:41 UTC 
4.0.X is LTS release of zabbix and as such no real need to keep it on artificial lower version instead of  latest release of 4.0.x zabbix branch - plan was to push package from factory to :updates for all currently supported releases of zabbix (package is accepted in Factory now)
Comment 4 Boris Manojlovic 2022-03-18 08:05:59 UTC 
(In reply to Boris Manojlovic from comment #3)
> 4.0.X is LTS release of zabbix and as such no real need to keep it on
> artificial lower version instead of  latest release of 4.0.x zabbix branch -
> plan was to push package from factory to :updates for all currently
> supported releases of zabbix (package is accepted in Factory now)

for all supported openSUSE and SUSE releases...
Comment 5 Petr Gajdos 2022-03-21 06:21:50 UTC 
(In reply to Boris Manojlovic from comment #3)
> 4.0.X is LTS release of zabbix and as such no real need to keep it on
> artificial lower version instead of  latest release of 4.0.x zabbix branch -
> plan was to push package from factory to :updates for all currently
> supported releases of zabbix (package is accepted in Factory now)

Boris, feel free to do so. Please feel free to reassign bugs to you next time so none other will look at them.
Comment 6 Petr Gajdos 2022-03-21 06:23:09 UTC 
(In reply to Boris Manojlovic from comment #4)
> (In reply to Boris Manojlovic from comment #3)
> > 4.0.X is LTS release of zabbix and as such no real need to keep it on
> > artificial lower version instead of  latest release of 4.0.x zabbix branch -
> > plan was to push package from factory to :updates for all currently
> > supported releases of zabbix (package is accepted in Factory now)
> 
> for all supported openSUSE and SUSE releases...

Well except 12sp3/zabbix for example, there would be an update quite problematic.
Comment 7 Petr Gajdos 2022-03-21 06:26:49 UTC 
(In reply to Petr Gajdos from comment #6)
> > for all supported openSUSE and SUSE releases...
> 
> Well except 12sp3/zabbix for example, there would be an update quite
> problematic.
<english>
..., an update would be quite problematic there.
</english>
Comment 8 Michael Vetter 2022-03-22 10:36:17 UTC 
I saw for some CVEs there were efforts done to backport the fixes.
Are we going to update to a new minor release now?
Comment 9 Petr Gajdos 2022-04-05 08:50:36 UTC 
This seems to be fixed now. Please reassign if something is missing.
Comment 10 Thomas Leroy 2022-04-19 07:21:17 UTC 
Released
Comment 11 Swamp Workflow Management 2022-04-19 10:21:14 UTC 
SUSE-SU-2022:1254-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196944,1196945,1196946,1196947
CVE References: CVE-2022-24349,CVE-2022-24917,CVE-2022-24918,CVE-2022-24919
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    zabbix-4.0.12-4.15.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.