Bug 1213301 (CVE-2023-29449)

Summary: VUL-0: CVE-2023-29449: zabbix: JavaScript can cause uncontrolled CPU, memory, and disk I/O utilization
Product: [openSUSE] openSUSE Distribution
Reporter: Stoyan Manolov <stoyan.manolov>
Component: Network
Assignee: Boris Manojlovic <boris>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: boris, pgajdos, security-team
Version: Leap 15.5
Target Milestone: Leap 15.5
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372378/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-29449:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stoyan Manolov 2023-07-13 20:51:04 UTC
CVE-2023-29449

JavaScript preprocessing, webhooks and global scripts can cause uncontrolled CPU, memory, and disk I/O utilization. Preprocessing/webhook/global script configuration and testing are only available to Administrative roles (Admin and Superadmin). Administrative privileges should typically be granted only to users who need to perform tasks that require more control over the system. The security risk is limited because not all users have this level of access.

References:
https://support.zabbix.com/browse/ZBX-22589
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-29449
https://bugzilla.redhat.com/show_bug.cgi?id=2222680
https://www.cve.org/CVERecord?id=CVE-2023-29449
Comment 1 Petr Gajdos 2023-07-19 10:24:00 UTC
Adding Boris, the openSUSE maintainer.
Comment 3 Petr Gajdos 2023-07-20 09:31:35 UTC
As far as I can see, zbxembed is not available in 4.0. With that I would consider 12sp3/zabbix unaffected.
Comment 6 Petr Gajdos 2023-07-20 11:30:30 UTC
Reassigning to Boris.

@Boris, if I am supposed to help somehow, e.g. to send a Backports version update, let me know. Likewise, if you spot an error in my reasoning.
Comment 7 Boris Manojlovic 2023-07-20 20:41:22 UTC
(In reply to Petr Gajdos from comment #6)
> Reassigning to Boris.
> 
> @Boris, if I am supposed to help somehow, e.g. to send a Backports version
> update, let me know. Likewise, if you spot an error in my reasoning.

That is correct, as can be seen in the linked support ticket on the Zabbix site:

Fix Version/s: 6.4.0rc1 [21104]
Fix Version/s: 6.2.8rc1 [21103]
Fix Version/s: 6.0.14rc1 [21102]
Fix Version/s: 5.0.32rc1 [21100]

We are on version 6.0.17 in Factory. By the way, if someone is an admin on the Zabbix server (web interface), they almost by design have access to functionality that allows access to the server (if an agent is installed).
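A quick way to check an installed Zabbix version against the fix versions quoted from ZBX-22589 in comment 7 (added example, not code from the bug report or from the Zabbix project; the branch table is taken from that comment, the "not affected" rule for 4.0 from comment 3 because that branch has no zbxembed, and any other branch is reported as unknown rather than guessed):

```python
import re

# First release of each branch that contains the fix, per the Fix Version/s
# list quoted in comment 7 (rcN of that release is the first fixed build).
FIXED_IN = {
    (5, 0): (5, 0, 32),
    (6, 0): (6, 0, 14),
    (6, 2): (6, 2, 8),
    (6, 4): (6, 4, 0),
}

# Comment 3: the embedded JavaScript engine (zbxembed) is not present in 4.0,
# so that branch is treated as not affected.
NO_EMBED_BRANCHES = {(4, 0)}

# Accepts "6.0.17", "6.0.14rc1", "6.4.0beta2" and similar Zabbix tags.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")

# Pre-release stage ordering so that 6.0.14alpha1 < 6.0.14beta1 < 6.0.14rc1 < 6.0.14.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}


def parse_version(text):
    """Turn a Zabbix version string into a comparable tuple
    (major, minor, patch, stage_rank, prerelease_number)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    stage = _STAGE_RANK[m.group(4)]
    pre = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, stage, pre)


def status(version):
    """Return 'fixed', 'vulnerable', 'not affected' or 'unknown' for a
    Zabbix version with respect to CVE-2023-29449."""
    v = parse_version(version)
    branch = v[:2]
    if branch in NO_EMBED_BRANCHES:
        return "not affected"
    if branch not in FIXED_IN:
        # Branches the ticket does not list (e.g. EOL 5.2/5.4) are not decided here.
        return "unknown"
    # The fix landed in rc1 of the listed release, so rc1 is the first fixed build.
    first_fixed = FIXED_IN[branch] + (_STAGE_RANK["rc"], 1)
    return "fixed" if v >= first_fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, including the Factory version from comment 7.
    for sample in ("6.0.17", "6.0.13", "6.0.14rc1", "5.0.31", "4.0.44", "5.4.12"):
        print(f"{sample:>10}: {status(sample)}")
```

The comparison deliberately treats `6.0.14rc1` as fixed while ranking any `alpha`/`beta` build of the same number as older, which matches how the ticket reports the fix landing in release candidates.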