Bugzilla – Bug 1216211
VUL-0: CVE-2023-32722: zabbix: buffer overflow when parsing JSON files via zbx_json_open
Last modified: 2024-05-29 12:23:11 UTC
The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow when parsing JSON files via zbx_json_open. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-32722
https://support.zabbix.com/browse/ZBX-23390 Affected version/s and fix version/s: * 6.0.0 - 6.0.20 / 6.0.21rc1 * 6.4.0 - 6.4.5 / 6.4.6rc1 * 7.0.0alpha1 - 7.0.0alpha3 / 7.0.0alpha4 The maintained SUSE code stream is only used to publish the zabbix-agent, therefore SLE-12 is not affected. SUSE:SLE-12-SP3:Update zabbix-4.0.12 The maintained openSUSE versions 4.0.47. It's unclear if we need a backport. openSUSE:Backports:SLE-15-SP5 zabbix-4.0.47 openSUSE:Backports:SLE-15-SP6 zabbix-4.0.47 The openSUSE:Backports:SLE-15-SP6 could still be updated to a higher version. It's still possible to submit to the GA branch.
as 4.0.xx is LTS and zabbix did not release any information for 4.0.xx assumptions is that it is not affected.
new release is in pipeline https://build.opensuse.org/request/show/1118376
To give more precision, the CVE-2023-32722 is related to a stack-buffer overflow in the library function "zbx_jsonobj_open" from jsonobj.c. This library has been created from the 6.0.x version. So, only zabbix's versions 6.x and 7.x are affected. Version in 4.x are not affected. After seeing and studying the fix, FMHO, there is nothing to do for SUSE:SLE-12-SP3:Update and openSUSE:Backports:SLE-15-SPX. I propose to close this bug.
All done, closing.