Date: Sun, 4 Dec 2016 16:18:27 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: mprpic@...hat.com, cve-assign@...re.org,
	James Cowgill <jcowgill@...ian.org>
Subject: Re: Re: RCE in Zabbix 2.2 to 3.0.3

Hi

On Tue, Nov 01, 2016 at 02:17:05PM -0400, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > https://www.exploit-db.com/exploits/39937/
> > Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution
> 
> > /api_jsonrpc.php
> 
> > "method": "script.update",
> 
> > "command": ""+cmd+""
> 
> Use CVE-2016-9140.

This has later on been reported upstream, as
https://support.zabbix.com/browse/ZBX-11483 . Upstream believes that
this is not a vulnerability, but a superadmin able to use a feature as
intended. Cf. 

https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202709&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202709
and
https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202789&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202789

As such this might actually be REJECTed. Martin and CVE assigning
team from MITRE, does this look correct? Should the CVE be rejected
instead?

Regards,
Salvatore

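The request shape quoted above (a JSON-RPC call to /api_jsonrpc.php with method script.update and a command parameter) is the whole of what the exploit-db entry relies on, and upstream's position is that a Super Admin is simply using the feature. The practical consequence for an operator is that script.create/script.update calls with a command are worth logging and reviewing rather than patching. The following is an added example, not code from this thread or from the Zabbix project: it inspects JSON-RPC request bodies (assumed to be captured, for instance, at a reverse proxy in front of the frontend) and flags the ones that set a script command. The sample bodies are constructed for illustration; the field names ("jsonrpc", "method", "params", "auth", "id") follow the Zabbix API request format.

```python
import json
from typing import List, Optional

# Zabbix API methods that create or modify global scripts. Changing
# "command" through one of these is exactly what the exploit-db entry
# does; it needs a Super Admin session, which is why upstream treats it
# as intended behaviour rather than a vulnerability.
SCRIPT_WRITE_METHODS = {"script.create", "script.update"}


def inspect_request(body: str) -> Optional[dict]:
    """Parse one JSON-RPC request body sent to /api_jsonrpc.php.

    Returns a finding dict when the request writes a script command,
    otherwise None (non-JSON, non-Zabbix and read-only calls are ignored).
    """
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return None
    method = req.get("method")
    if method not in SCRIPT_WRITE_METHODS:
        return None
    params = req.get("params") or {}
    # script.create accepts a single object or a list of objects; normalise.
    entries = params if isinstance(params, list) else [params]
    commands = [e["command"] for e in entries
                if isinstance(e, dict) and "command" in e]
    if not commands:
        return None
    return {
        "method": method,
        "commands": commands,
        "id": req.get("id"),
        # A session token must be present for the call to succeed at all.
        "auth_present": bool(req.get("auth")),
    }


def scan(bodies: List[str]) -> List[dict]:
    """Run inspect_request over a batch of captured bodies, keeping hits."""
    findings = []
    for body in bodies:
        finding = inspect_request(body)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample bodies (not real captures): a login, a read-only
# script.get, a script.update that changes the command, and junk.
SAMPLE_BODIES = [
    '{"jsonrpc":"2.0","method":"user.login",'
    '"params":{"user":"Admin","password":"x"},"id":1}',
    '{"jsonrpc":"2.0","method":"script.get",'
    '"params":{"output":"extend"},"auth":"deadbeef","id":2}',
    '{"jsonrpc":"2.0","method":"script.update",'
    '"params":{"scriptid":"1","command":"echo test"},'
    '"auth":"deadbeef","id":3}',
    'this is not json',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_BODIES):
        print(hit)
```

Only the script.update call is reported; the login, the read-only script.get and the malformed body are dropped. In practice the same check belongs wherever the frontend's request bodies are already visible, and the interesting review question is which Super Admin session (the "auth" token) issued the call.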