Zabbix Server Product Security Update Advisory (CVE-2024-22116, CVE-2024-36461)
Overview
Updates have been released to address two vulnerabilities in Zabbix Server. Users running affected versions are advised to update to a fixed version.
Affected Products
CVE-2024-22116
- Zabbix Server versions: 6.4.0 (inclusive) ~ 6.4.15 (inclusive)
- Zabbix Server versions: 7.0.0alpha1 (inclusive) ~ 7.0.0rc2 (inclusive)
CVE-2024-36461
- Zabbix Server versions: 6.0.0 (inclusive) ~ 6.0.30 (inclusive)
- Zabbix Server versions: 6.4.0 (inclusive) ~ 6.4.15 (inclusive)
- Zabbix Server versions: 7.0.0alpha1 (inclusive) ~ 7.0.0 (inclusive)
Resolved Vulnerabilities
An administrator with limited privileges can abuse the script execution functionality in the Monitoring > Hosts section to achieve remote code execution through the Ping script (CVE-2024-22116)
A user can directly modify memory pointers within the Zabbix JavaScript engine (CVE-2024-36461)
Vulnerability Patches
With the latest update, the following fixed versions have been made available for each product. Please follow the instructions on the Referenced Sites [1] to update to a fixed version.
CVE-2024-22116
- Zabbix Server version: 6.4.16rc1
- Zabbix Server version: 7.0.0rc3
CVE-2024-36461
- Zabbix Server version: 6.0.31rc1
- Zabbix Server version: 6.4.16rc1
- Zabbix Server version: 7.0.1rc1
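The version ranges above mix final releases with alpha/rc pre-releases, and a plain string comparison gets their ordering wrong (for example, 7.0.0rc3 fixes CVE-2024-22116 but is still inside the 7.0.0alpha1 ~ 7.0.0 range for CVE-2024-36461). The following is an added example, not code from the advisory or from Zabbix, that orders Zabbix version strings correctly and reports which of the two CVEs apply to a given server. The ranges are transcribed from the Affected Products and Vulnerability Patches sections; the banner format assumed for `zabbix_server -V` ("zabbix_server (Zabbix) 6.4.15" on the first line) and the sample banners are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Pre-release stages sort before the final release with the same number:
# 7.0.0alpha1 < 7.0.0beta1 < 7.0.0rc1 < 7.0.0rc2 < 7.0.0rc3 < 7.0.0 < 7.0.1rc1
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")

# (major, minor, patch, stage_rank, stage_number): tuples compare lexicographically.
VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '6.4.15' or '7.0.0rc2' into a sortable key; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


# Affected ranges exactly as listed in the advisory; both ends are inclusive.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2024-22116": [("6.4.0", "6.4.15"), ("7.0.0alpha1", "7.0.0rc2")],
    "CVE-2024-36461": [("6.0.0", "6.0.30"), ("6.4.0", "6.4.15"), ("7.0.0alpha1", "7.0.0")],
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE IDs from the advisory whose affected ranges contain `version`."""
    key = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(low) <= key <= parse_version(high) for low, high in ranges):
            hits.append(cve)
    return hits


# Assumed banner layout: the first line of `zabbix_server -V` reads
# "zabbix_server (Zabbix) <version>". Adjust the pattern if your build differs.
_BANNER_RE = re.compile(r"\(Zabbix\)\s+(\S+)")


def version_from_banner(banner: str) -> str:
    """Extract the version token from `zabbix_server -V` output."""
    m = _BANNER_RE.search(banner.splitlines()[0])
    if not m:
        raise ValueError("could not find a Zabbix version in banner")
    return m.group(1)


def triage(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host name -> list of applicable CVEs for a fleet of collected banners."""
    return {host: affected_cves(version_from_banner(b)) for host, b in banners.items()}


# Constructed sample banners (not real hosts) covering the tricky boundaries.
SAMPLE_BANNERS = {
    "zbx-prod-1": "zabbix_server (Zabbix) 6.4.15\nRevision 0000000 1 January 2024",
    "zbx-prod-2": "zabbix_server (Zabbix) 6.4.16rc1\nRevision 0000000 1 January 2024",
    "zbx-lab-1": "zabbix_server (Zabbix) 7.0.0rc3\nRevision 0000000 1 January 2024",
    "zbx-lab-2": "zabbix_server (Zabbix) 7.0.1rc1\nRevision 0000000 1 January 2024",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {', '.join(cves) if cves else 'not affected'}")
```

The comparison key is what makes the rc boundaries come out right: 7.0.0rc3 sits above the 7.0.0rc2 ceiling for CVE-2024-22116 but below the 7.0.0 final ceiling for CVE-2024-36461, so that host is reported as affected by the second CVE only. A version-string check like this cannot see backported fixes in distribution packages, so treat a hit as "verify against your package changelog", not as proof of exposure.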
References
[1] Remote code execution within ping script (CVE-2024-22116)
https://support.zabbix.com/browse/ZBX-25016
[2] Direct access to memory pointers within the JS engine for modification (CVE-2024-36461)