Security update for zabbix SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0384-1 Final 1 1 2024-12-01T17:01:25Z current 2024-12-01T17:01:25Z 2024-12-01T17:01:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zabbix This update for zabbix fixes the following issues: Zabbix was updated to 6.0.33: - this version fixes CVE-2024-36461 and CVE-2024-22114 - New Features and Improvements + ZBXNEXT-9000 Changed query table for ASM disk group metrics in Oracle Database plugin and Oracle by ODBC template Agent Templates + ZBXNEXT-9217 Added AWS Lambda by HTTP template Templates + ZBXNEXT-9293 Updated max supported MySQL version to 9.0 Proxy Server + ZBXNEXT-8657 Updated Zabbix health templates with new visualization Templates + ZBXNEXT-9143 Added index on auditlog recordsetid Server + ZBXNEXT-9081 Added Small Computer System Interface (SCSI) device type support to Zabbix agent 2 Smart plugin Agent + ZBXNEXT-6445 Added recovery expression for fuzzytime triggers in Linux and Windows templates, removed fuzzytime triggers from active agent templates Templates + ZBXNEXT-9201 Updated max supported MySQL version to 8.4 Proxy Server + ZBXNEXT-9225 Updated max supported TimescaleDB version to 2.15 Server + ZBXNEXT-9226 Updated max supported MariaDB version to 11.4 Proxy Server + ZBXNEXT-8868 Added discovery and template for Azure VM Scale Sets Templates - Bug Fixes + BX-24947 Fixed PHP runtime errors while processing frontend notifications Frontend + ZBX-24824 Improved loadable plugin connection broker Agent + ZBX-24583 Fixed inability to export/import web scenario with digest authentication API + ZBX-23905 Fixed double scroll in script dialogs Frontend + ZBX-18767 Fixed word breaks in flexible text input fields and trigger expressions Frontend + ZBX-24909 Fixed resolving of macro functions in the 'Item value' widget Frontend + ZBX-24859 Fixed JavaScript in S3 buckets discovery rule Templates + ZBX-24617 Fixed hardcoded region in AWS by HTTP template Templates + ZBX-24524 Fixed 'New values per second' statistic to include dependent items in calculation Proxy Server + ZBX-24821 Made 'execute_on' value being recorded in audit only for shell scripts Server + ZBX-23312 Fixed discovery edit form being saved incorrectly after dcheck update Frontend + ZBX-24773 Fixed duplicate item preprocessing in Kubernetes Kubelet by HTTP template Templates + ZBX-24514 Fixed standalone Zabbix server and Zabbix proxy not stopping when database is read-only Proxy Server + ZBX-23936 Fixed state and styling of readonly fields Frontend + ZBX-24520 Fixed an issue with incorrect translations used in several frontend places Frontend + ZBX-21815 Fixed issue with undefined offset for media type when it was deleted before saving the user Frontend + ZBX-24108 Fixed error in dashboard if Map widget contains map element that user doesn't have access to Frontend + ZBX-24569 Fixed old and added new items to Azure Virtual Machine template Templates + ZBX-24537 Fixed tags subfilter in Latest data kiosk mode Frontend + ZBX-24167 Fixed template linkage when item prototype collision is found Server + ZBX-23770 Improved monitoring user permissions documentation for Zabbix agent 2 Oracle plugin and Oracle by ODBC template Documentation + ZBX-24565 Removed redundant kernel header include, fixed musl compatibility issues (thanks to Alpine Linux maintainers for spotting this) + ZBX-24610 Fixed interface field appearance for discovered items without interface set Frontend + ZBX-24562 Fixed incorrect problem order in Problems by severity widget's hintbox Frontend + ZBX-23751 Fixed inability to pass an action filter condition without an 'operator' property, implying a default value of 'Equal' API + ZBX-21429 Prevented ability to disable all UI element access via role.update API API + ZBX-19271 Fixed inconsistent tag row rendering in different edit forms Frontend + ZBX-24539 Fixed incorrect threshold in trigger expression of Check Point Next Generation Firewall by SNMP template Templates + ZBX-24667 Fixed vm.memory.size[pused] item on Solaris Agent + ZBX-23781 Added storage volumes check in HPE iLO by HTTP template Templates + ZBX-24391 Fixed Zabbix agent to return net.tcp.socket.count result without error if IPv6 is disabled Agent + ZBX-24235 Fixed value misalignment in Item value widget Frontend + ZBX-24352 Fixed custom severity name usage in Geomap widget Frontend + ZBX-24665 Fixed potential problem with deprecated GCE Integrity feature Templates + ZBX-20993 Fixed Zabbix agent 2 MQTT plugin clientID to be generated by strict requirements Agent + ZBX-23426 Added dependent item with JavaScript preprocessing for edges SD-WAN in VMWare SD-WAN VeloCloud by HTTP template Templates + ZBX-24566 Fixed crash when expression macro is used in unsupported location Server + ZBX-24450 Fixed issue where graph could differ for data gathered from PostgreSQL and other databases Frontend + ZBX-24513 Fixed real-time export of rarely updated trends Server + ZBX-24163 Fixed submap addition in Map navigation tree widget to not append same submaps repeatedly Frontend + ZBX-23398 Fixed trigger expression constructor incorrectly showing '<' and '>' operators Frontend + ZBX-23584 Fixed error message being displayed when updating host after changing item status Frontend + ZBX-24635 Fixed datastore triggers in VMware templates Templates Update to 6.0.31: - New Features and Improvements + ZBXNEXT-9140 Added support for custom compartments in Oracle Cloud by HTTP templates Templates + ZBXNEXT-9034 Added Jira Data Center by JMX template Templates + ZBXNEXT-8682 Introduced a length limit of 512KB for item test values that server returns to Zabbix frontend Frontend Server + ZBXNEXT-8248 Added database filter macros to MySQL templates Templates + ZBXNEXT-6698 Removed absolute threshold and timeleft from OS template triggers of filesystem space Templates + ZBXNEXT-7930 Added user macro support for username and password fields in email media type Server + ZBXCTR-22 Refactored JavaScript filter functions for Kubernetes templates Templates + ZBXNEXT-9098 Added AWS ELB Network Load Balancer by HTTP template Templates + ZBXNEXT-6864 Replaced {HOST.CONN} with user macros in templates Templates + ZBXNEXT-9117 Updated max supported MariaDB version to 11.3 Proxy Server + ZBXNEXT-9026 Added Go compiler version to Zabbix agent 2 version output Agent + ZBXNEXT-8786 Changed 'odbc.discovery' keys to 'odbc.get' in MySQL by ODBC and Oracle by ODBC templates Templates + ZBXNEXT-8536 Added cbdhsvc service to macros in Windows agent templates Templates + ZBXNEXT-8861 Made changes and added more metrics to the FortiGate by SNMP template Templates + ZBXNEXT-8240 Added a new set of templates for integration with Oracle Cloud Infrastructure Templates - Bug Fixes + ZBX-24483 Improved memory usage in Zabbix server/proxy trappers and in proxy pollers when sending large configuration Proxy Server + ZBX-23073 Fixed URL widget resizing and dragging Frontend + ZBX-24574 Fixed HA node flipping between standby and active states Server + ZBX-24119 Fixed possible blocking of alert manager when it periodically pings database Server + ZBX-7998 Added VMware service username, password and URL check for empty values Proxy Server + ZBX-24402 Reduced main process connections to database during startup Proxy Server + ZBX-24369 Fixed filter behavior in monitoring pages after deleting filter parameters Frontend + ZBX-24484 Fixed Geomap widget console error when dragging map in widget edit mode Frontend + ZBX-23337 Improved supported version documentation for Oracle Database plugin and both templates Documentation + ZBX-24180 Fixed inability to import existing host or template when its dependent item prototype, which is used in trigger prototypes or graph prototypes, would have a different master item API + ZBX-20871 Fixed inability to use LLD macro functions in Prometheus pattern and labels used in item prototype preprocessing API + ZBX-24527 Fixed unnecessary loading text being displayed in hintbox preloader Frontend + ZBX-24362 Fixed wrong Zabbix agent 2 loadable plugin process handling catching all child process exits Agent + ZBX-24470 Fixed scale of VMware vmware.vm.memory.size.compressed key Proxy Server + ZBX-24415 Added triggers for datastores in VMware templates Templates + ZBX-18094 Fixed multiple pie graph issues related to calculation of item angles Frontend + ZBX-20766 Fixed confusing port binding error message Agent Proxy Server + ZBX-24481 Fixed inability to unset value map from existing item or item prototype by passing a version without valuemap parameter into configuration.import API + ZBX-24531 Fixed compile time data not being set for agent2 Agent + ZBX-24453 Implemented socket file cleanup when shutting down, added blocking of signals during important stages of startup Proxy Server + ZBX-24152 Fixed host form submission with Enter button if the form is opened in a popup and focus is in a flexible text area field Frontend + ZBX-23788 Added SNMP OID ifAlias in Network interfaces discovery Templates + ZBX-24482 Fixed the presence of the http_proxy field in the initial data Installation + ZBX-24210 Improved Zabbix agent 2 loadable plugin capacity code style Agent + ZBX-23951 Fixed issue of incorrect template matching when no UUID exists in export file API + ZBX-23953 Fixed CIDR network mask of VMware HV network interface Proxy Server + ZBX-24195 Fixed host IPMI username and password field max length Frontend + ZBX-24451 Added tags and changed a item in Proxmox template Templates + ZBX-23386 Fixed hintbox sizing to fit screen Frontend + ZBX-24024 Fixed OIDs for external sensors in APC UPC by SNMP templates Templates + ZBX-21751 Fixed node's loadavg item in Proxmox template Templates + ZBX-24315 Fixed linking template to host when some LLD macro paths already exist Server + ZBX-24172 Fixed Zabbix server issue with scheduled intervals on Feb 29th of leap year Server + ZBX-23407 Improved performance of retrieving last history values when primary keys are available API + ZBX-24246 Updated descriptions for family of MySQL and Oracle templates, changed macro in the trigger 'Tablespace utilization is too high' for family of Oracle templates Templates + ZBX-23988 Renamed Agent2 Go module + ZBX-24222 Fixed incorrect item OIDs in the FortiGate by SNMP template Templates + ZBX-24393 Updated README in Redis by Zabbix agent 2 template Templates + ZBX-24298 Allowed any JNDI service providers back in JMX monitoring Java gateway + ZBX-19990 Separated LLD filter macros in Apache Tomcat by JMX template Templates + ZBX-24364 Added preprocessing steps for LLD rules in RabbitMQ templates Templates + ZBX-24368 Improved PostgreSQL autovacuum's count query Templates + ZBX-24282 Fixed Zabbix proxy to report error for not supported items Proxy Server + ZBX-19507 Fixed vmware.eventlog item to recover after event keys are reset Server + ZBX-24241 Fixed Zabbix server issue with random order of host groups for a host during real-time export Server + ZBX-24275 Fixed item prototype JSONPath preprocessing, added missing volume health metric and triggers in HPE MSA templates Templates + ZBX-24316 Fixed username macro in GridGain by JMX template Templates + ZBX-23719 Updated plugin-support to add duplicate flag handling Agent + ZBX-22429 Fixed typo in Zabbix proxy automake file Installation + ZBX-24264 Fixed value cache being filled with values of newly added items with triggers Server + ZBX-24088 Fixed problem filtering in maps with nested maps Frontend + ZBX-24206 Fixed line breaks in JavaScript in Cloudflare template Templates + ZBX-24236 Fixed nested transaction error in LLD when connection is terminated Server + ZBX-24134 Added sensor discovery in VMware Hypervisor template Templates + ZBX-23918 Fixed item pattern select popup to display all available items Frontend + ZBX-24190 Fixed items being updated incorrectly when configuring graph Frontend + ZBX-24289 Fixed issue with interface assignment for items copied from host to host Frontend + ZBX-23032 Added triggers for cluster status in VMware templates Templates + ZBX-23948 Added support for TabularData data when parsing an MBean attribute Java gateway + ZBX-23742 Fixed tag filtering logic for tags with one name and different types of operators API + ZBX-24271 Added delay in JavaScript execution for Azure Cost Management by HTTP template Templates + ZBX-24208 Fixed Oracle, MySQL plugin connection cache blocking Agent + ZBX-24202 Fixed JavaScript in AWS S3 bucket by HTTP template Templates + ZBX-23478 Fixed issue when missing locale error would not be displayed for user under certain conditions Frontend + ZBX-24166 Fixed Zabbix not being able to restart due to RTC and sockets not being closed before stopping Agent Proxy Server + ZBX-23853 Fixed duplicate agent check timestamps when time shifts back due to system clock synchronization Agent The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-384 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C6HFPCXWPBUGZ3BE7T5OXXTSGEHUCHFU/ E-Mail link for openSUSE-SU-2024:0384-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1229198 SUSE Bug 1229198 https://bugzilla.suse.com/1229204 SUSE Bug 1229204 https://www.suse.com/security/cve/CVE-2024-22114/ SUSE CVE CVE-2024-22114 page https://www.suse.com/security/cve/CVE-2024-36461/ SUSE CVE CVE-2024-36461 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 system-user-zabbix-6.0.33-bp156.2.3.1 zabbix-agent-6.0.33-bp156.2.3.1 zabbix-java-gateway-6.0.33-bp156.2.3.1 zabbix-proxy-6.0.33-bp156.2.3.1 zabbix-proxy-mysql-6.0.33-bp156.2.3.1 zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 zabbix-server-6.0.33-bp156.2.3.1 zabbix-server-mysql-6.0.33-bp156.2.3.1 zabbix-server-postgresql-6.0.33-bp156.2.3.1 zabbix-ui-6.0.33-bp156.2.3.1 system-user-zabbix-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-agent-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-java-gateway-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-proxy-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-proxy-mysql-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-server-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-server-mysql-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-server-postgresql-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 zabbix-ui-6.0.33-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 system-user-zabbix-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-agent-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-java-gateway-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-proxy-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-proxy-mysql-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-server-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-server-mysql-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-server-postgresql-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 zabbix-ui-6.0.33-bp156.2.3.1 as a component of openSUSE Leap 15.6 User with no permission to any of the Hosts can access and view host count & other statistics through System Information Widget in Global View Dashboard. CVE-2024-22114 SUSE Package Hub 15 SP6:system-user-zabbix-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-agent-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-java-gateway-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-mysql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-mysql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-postgresql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-ui-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:system-user-zabbix-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-agent-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-java-gateway-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-mysql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-mysql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-postgresql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-ui-6.0.33-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C6HFPCXWPBUGZ3BE7T5OXXTSGEHUCHFU/ https://www.suse.com/security/cve/CVE-2024-22114.html CVE-2024-22114 https://bugzilla.suse.com/1229198 SUSE Bug 1229198 Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine. CVE-2024-36461 SUSE Package Hub 15 SP6:system-user-zabbix-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-agent-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-java-gateway-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-mysql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-mysql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-server-postgresql-6.0.33-bp156.2.3.1 SUSE Package Hub 15 SP6:zabbix-ui-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:system-user-zabbix-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-agent-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-java-gateway-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-mysql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-postgresql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-proxy-sqlite-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-mysql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-server-postgresql-6.0.33-bp156.2.3.1 openSUSE Leap 15.6:zabbix-ui-6.0.33-bp156.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/C6HFPCXWPBUGZ3BE7T5OXXTSGEHUCHFU/ https://www.suse.com/security/cve/CVE-2024-36461.html CVE-2024-36461 https://bugzilla.suse.com/1229204 SUSE Bug 1229204