Hello friends,
currently there seems to be a security problem with Zabbix.
But read for yourself: https://blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage
Regards…
Uwe
Updating to the latest version should be enough to be safe.
From the article you shared:
We highly recommend upgrading your instances running a Zabbix Web Frontend to 6.0.0beta2, 5.4.9, 5.0.19 or 4.0.37 to protect your infrastructure.
We use Zabbix 5, the most recent version is 5.0.20-1.
1 Like
This is only of concern when using SAML SSO authentication…
If using AD authentification, this is not an issue, something I have pointed out already in context of Single Sign On, eg LemonLDAP…
Then again, AD does not really provide SSO, it only provides a user / PW combination that can be used in several places with synched password changes. This is NOT the same as SSO, as in Zabbix with AD I still have to log in on the Web page, even if I am already logged in on the local Windows (or Linux) workstation.
SSO tendentially has less security, as a shortly vacated workstation can be misused in a large context, due to the need to login again with AD, this is less prone to misuse. (Or limits misuse to the workstation, not company applications or web pages…).
My 2 cents
Andy
2 Likes
Thanks @transocean for the heads-up.
The installation i use (not updated today) has this answer
[root@zabbix ~]# rpm -qa *zabbix*
zabbix-release-5.0-1.el7.noarch
zabbix-server-pgsql-5.0.20-1.el7.x86_64
nethserver-zabbix-agent-0.0.1-2.ns7.noarch
zabbix-agent2-5.0.20-1.el7.x86_64
nethserver-zabbix-0.0.1-10.ns7.noarch
zabbix-agent-5.0.20-1.el7.x86_64
zabbix-web-5.0.20-1.el7.noarch
[root@zabbix ~]#
Zabbix 5.0.20 has been released 31 Jan 2022, so if anyone is using the application and had it updated since (at least) 7 Feb 2022 should already have an updated version.
Anyway… due to release of kernel 3.10.0-1160.59.1.el7 time for update AND reboot.
3 Likes
Zabbix 5.0.21 has been published today.
1 Like