Bug 1216211 (CVE-2023-32722)

Summary: VUL-0: CVE-2023-32722: zabbix: buffer overflow when parsing JSON files via zbx_json_open
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: abergmann, boris, stoyan.manolov, valentin.lefebvre
Version: unspecified
Flags: stoyan.manolov: needinfo? (boris)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381646/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-32722:9.6:(AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-13 09:38:35 UTC
The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32722
Comment 1 Alexander Bergmann 2023-10-13 09:47:27 UTC
https://support.zabbix.com/browse/ZBX-23390

Affected version/s and fix version/s:
* 6.0.0 - 6.0.20 / 6.0.21rc1
* 6.4.0 - 6.4.5 / 6.4.6rc1
* 7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4

The maintained SUSE code stream is only used to publish the zabbix-agent, therefore SLE-12 is not affected.

SUSE:SLE-12-SP3:Update  zabbix-4.0.12

The maintained openSUSE versions are at 4.0.47. It's unclear if we need a backport.

openSUSE:Backports:SLE-15-SP5  zabbix-4.0.47
openSUSE:Backports:SLE-15-SP6  zabbix-4.0.47
The openSUSE:Backports:SLE-15-SP6 could still be updated to a higher version. It's still possible to submit to the GA branch.
Comment 2 Boris Manojlovic 2023-10-17 21:07:09 UTC
As 4.0.xx is LTS and Zabbix did not release any information for 4.0.xx, the assumption is that it is not affected.
Comment 3 Boris Manojlovic 2023-10-17 21:07:52 UTC
New release is in the pipeline:
https://build.opensuse.org/request/show/1118376
Comment 5 Valentin Lefebvre 2023-12-06 09:58:02 UTC
To give more precision, CVE-2023-32722 is related to a stack buffer overflow in the library function "zbx_jsonobj_open" from jsonobj.c. This library was created starting from the 6.0.x version.

So, only Zabbix versions 6.x and 7.x are affected. Versions in 4.x are not affected.

After seeing and studying the fix, IMHO, there is nothing to do for SUSE:SLE-12-SP3:Update and openSUSE:Backports:SLE-15-SPX.
I propose to close this bug.
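A helper for checking an inventory of Zabbix version strings against the affected ranges listed in Comment 1 and the 6.x/7.x-only conclusion of Comment 5. This is an added example, not part of the bug report or of Zabbix's own code; it assumes Zabbix version strings of the form major.minor.patch with an optional alpha/beta/rc suffix and the pre-release ordering alpha < beta < rc < final release.

```python
import re
from typing import Tuple

# Inclusive affected ranges as given in the bug (ZBX-23390).
AFFECTED_RANGES = [
    ("6.0.0", "6.0.20"),
    ("6.4.0", "6.4.5"),
    ("7.0.0alpha1", "7.0.0alpha3"),
]
# First fixed builds per branch, also from the bug.
FIXED_IN = ["6.0.21rc1", "6.4.6rc1", "7.0.0alpha4"]

# Assumed pre-release ordering; a final release ranks above every pre-release.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.0.21rc1' into a tuple that sorts correctly: (6, 0, 21, 2, 1).

    A final release such as '6.0.21' becomes (6, 0, 21, 3, 0), so it sorts
    after its own rc/beta/alpha builds but before '6.0.22alpha1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict) -> dict:
    """Map host -> True/False for a constructed {host: version} inventory."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mon-a": "6.0.20", "mon-b": "6.0.21rc1", "agent-c": "4.0.47"}
    for host, hit in triage(sample).items():
        print(f"{host}: {'AFFECTED' if hit else 'not affected'}")
```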
Comment 8 Andrea Mattiazzo 2024-05-29 12:23:11 UTC
All done, closing.