Security warning for Zabbix

Hello friends,

currently there seems to be a security problem with Zabbix.
But read for yourself: https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage

Regards…

Uwe

Updating to the latest version should be enough to be safe.

From the article you shared:

We highly recommend upgrading your instances running a Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19 or 4.0.37 to protect your infrastructure.

We use Zabbix 5, the most recent version is 5.0.20-1.

1 Like

This is only of concern when using SAML SSO authentication…

If using AD authentication, this is not an issue, something I have pointed out already in the context of Single Sign On, e.g. LemonLDAP…

Then again, AD does not really provide SSO, it only provides a user / PW combination that can be used in several places with synched password changes. This is NOT the same as SSO, as in Zabbix with AD I still have to log in on the Web page, even if I am already logged in on the local Windows (or Linux) workstation.

SSO tends to have less security, as a briefly vacated workstation can be misused in a larger context; because AD requires logging in again, it is less prone to misuse. (Or it limits misuse to the workstation, not company applications or web pages…).

My 2 cents
Andy

2 Likes

Thanks @transocean for the heads-up.
The installation I use (not updated today) gives this answer:

[root@zabbix ~]# rpm -qa *zabbix*
zabbix-release-5.0-1.el7.noarch
zabbix-server-pgsql-5.0.20-1.el7.x86_64
nethserver-zabbix-agent-0.0.1-2.ns7.noarch
zabbix-agent2-5.0.20-1.el7.x86_64
nethserver-zabbix-0.0.1-10.ns7.noarch
zabbix-agent-5.0.20-1.el7.x86_64
zabbix-web-5.0.20-1.el7.noarch
[root@zabbix ~]#

Zabbix 5.0.20 was released on 31 Jan 2022, so anyone using the application who has updated it since (at least) 7 Feb 2022 should already have an updated version.
Anyway… due to the release of kernel 3.10.0-1160.59.1.el7, it is time for an update AND a reboot.

3 Likes
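To turn the quoted advisory versions and the `rpm -qa` output above into a quick check, here is a small added script (not from the thread, Zabbix or NethServer): it parses `rpm -qa` lines, picks out the `zabbix-web` package and compares its version with the fixed release of the same branch. The branch table and the sample output are taken from this thread; the 6.0.0beta2 entry is left out because its pre-release tag does not fit a numeric comparison, and the check says nothing about whether SAML SSO is actually enabled.

```python
import re

# Fixed frontend versions per release branch, as quoted from the advisory in this thread.
# 6.0.0beta2 is omitted: its pre-release suffix does not compare numerically.
FIXED_VERSIONS = {
    (4, 0): (4, 0, 37),
    (5, 0): (5, 0, 19),
    (5, 4): (5, 4, 9),
}

# name-version-release, e.g. "zabbix-web-5.0.20-1.el7.noarch"
RPM_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)$")

# Constructed sample: the rpm -qa output posted above, including the prompt lines.
SAMPLE_RPM_QA = """[root@zabbix ~]# rpm -qa *zabbix*
zabbix-release-5.0-1.el7.noarch
zabbix-server-pgsql-5.0.20-1.el7.x86_64
nethserver-zabbix-agent-0.0.1-2.ns7.noarch
zabbix-agent2-5.0.20-1.el7.x86_64
nethserver-zabbix-0.0.1-10.ns7.noarch
zabbix-agent-5.0.20-1.el7.x86_64
zabbix-web-5.0.20-1.el7.noarch
[root@zabbix ~]#"""


def parse_rpm_line(line):
    """Split one rpm -qa line into (name, version tuple, release); None for non-package lines."""
    m = RPM_RE.match(line.strip())
    if not m:
        return None
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("name"), version, m.group("rel")


def frontend_status(rpm_output, package="zabbix-web"):
    """Return (installed version string, fixed?) for the frontend package.

    fixed? is True when the installed version is at or above the fixed version of
    its branch, False when it is older, and None when the branch is not listed.
    Returns None when the package is not installed at all.
    """
    for line in rpm_output.splitlines():
        parsed = parse_rpm_line(line)
        if not parsed or parsed[0] != package:
            continue
        _, version, _ = parsed
        fixed = FIXED_VERSIONS.get(version[:2])
        return ".".join(map(str, version)), (None if fixed is None else version >= fixed)
    return None
```

On a live host, feed it `subprocess.run(["rpm", "-qa", "*zabbix*"], capture_output=True, text=True).stdout` instead of the sample string.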

Zabbix 5.0.21 has been published today.

1 Like