Message-ID: <20161204151827.w6cvq2enbqdg4ido@eldamar.local>
Date: Sun, 4 Dec 2016 16:18:27 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: mprpic@...hat.com, cve-assign@...re.org,
	James Cowgill <jcowgill@...ian.org>
Subject: Re: Re: RCE in Zabbix 2.2 to 3.0.3

Hi

On Tue, Nov 01, 2016 at 02:17:05PM -0400, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > https://www.exploit-db.com/exploits/39937/
> > Zabbix 2.2 < 3.0.3 - API JSON-RPC Remote Code Execution
> 
> > /api_jsonrpc.php
> 
> > "method": "script.update",
> 
> > "command": ""+cmd+""
> 
> Use CVE-2016-9140.

This has later on been reported upstream, as
https://support.zabbix.com/browse/ZBX-11483 . Upstream believes that
this is not a vulnerability, but a superadmin able to use a feature as
intended. Cf. 

https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202709&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202709
and
https://support.zabbix.com/browse/ZBX-11483?focusedCommentId=202789&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-202789

As such this might actually be REJECTed. Martin and CVE assigning
team from MITRE, does this look correct? Should the CVE be rejected
instead?

Regards,
Salvatore
