The mentioned release fixes unauthenticated remote SQLi and Code Execution vulnerabilities.
I'm very disappointed that this is not mentioned with a single word in any of the announcement mails. Instead, one can find some hints about security fixes around line 58 of the Release Notes, right after such important things as 1000x faster graphs, updated bundled fonts and translation changes. Please don't expect every user of Zabbix to read the full Release Notes for every release within the first hour.
Very similar to the way described here at corelan, our Zabbix server got hacked yesterday, just because we were not aware that there were security issues within it. Excuse us for not upgrading to every patch-level release immediately. There's just no reason to do so if we are not waiting for certain bug fixes. Luckily, we don't allow RemoteCommands, otherwise the whole infrastructure could have been compromised.
Furthermore, while searching for why the server could have been hacked (an rkhunter warning informed us about it), I searched (unsuccessfully) in CVE databases first. This might be caused by the fact that the corresponding entry (CVE-2013-5743) is still empty.
Some suggestions to improve this situation in case of further security fixes:
- clearly state in the announce-mails and here in the forum whether a release is bug-fix-only, bug-fix+feature or contains security fixes.
- clearly state in the release notes at the very top, when a release contains security fixes. Don't expect people to go through the list of all the changes. Still, place security issues on top of the list.
- write a dedicated security bulletin and inform users about the vulnerabilities
- describe under what circumstances an issue can be exploited and what possible workarounds are. If not in a security bulletin, then in the release notes. I found such information nowhere - not on the zabbix web site and also not in the wiki. Remember that I knew we got hacked, but was trying to find out how. Thus, it was important to know whether the SQLi vulnerabilities, e.g., require an authenticated user or not.
- in case of such heavy vulnerabilities (remotely exploitable), consider pre-announcing the security fix. People can then plan ahead and reserve a time-slot to be safe in a very short amount of time
- complete CVE information ASAP
I hope this helps to improve the situation for upcoming security releases.
I apologize for the vulnerability and the way it was announced. We didn't have much experience in making security-related announcements; our priority was to have the security fix released asap.
The process will be improved, thank you for the great suggestions.
All technical information about the problem was already provided to the security researchers a long time ago; I am not sure why CVE-2013-5743 doesn't have all relevant details.
Alexei
Alexei Vladishev
Creator of Zabbix, Product manager
New York | Tokyo | Riga
This might be caused by the fact that the corresponding entry (CVE-2013-5743) is still empty.
By the way, if anybody knows how to get the CVE information populated, let me know. We have sent the info using the same channel through which the assignment is obtained, but I guess the receiving end is overwhelmed by such emails.
I agree. Separate announcements could be made in this forum for security issues with any ways of mitigating the attack and a version in which it is patched. This way at least everyone on here would know about it.
It would be nice to have a way of signing up for notification of advisories (such as this) and new releases. A separate channel would be needed for alpha and beta releases.