Zabbix 6 취약 PHP 버전 업그레이드 (php 7.4 -> 8.2)
목차
01. CVE 취약점 내용
취약점 이름
Obsolete Version of PHP
취약점 내용
지원되지 않는 버전의 PHP에는 방치되지 않은 보안 결함이 포함될 수 있습니다. 지원되는 버전으로 업그레이드하는 것이 좋습니다.
조치 방법
최신 버전의 PHP로 업그레이드하십시오http://www.php.net/downloads.php에서 업그레이드를 다운로드하여 적용하십시오PHP의 최신 버전은 8.2.8입니다
내용 정리
Zabbix 6에서 사용하는 PHP 버전이 취약 버전으로 최신 버전인 8.2.8 이상으로 올려야 한다.
02. Zabbix 환경
자빅스 버전 : v6.2.6
PHP 버전 : 7.4.33
03. PHP 버전 업그레이드 방법
03-1. 공식 홈페이지 6.2.8 Release Note에서 언급된 PHP 8.2
Zabbix 6.2.8rc2 버전부터 PHP 8.2 지원이 추가되었다는 내용을 확인 하였다.
현재 버전이 6.2.8 보다 낮기에 가장 최신 버전인 6.2.9로 업그레이드하여 PHP 8.2를 사용하도록 해보자
03-2. dnf를 이용한 PHP Module 변경
시스템에서 사용하는 PHP Module이 뭐가 있는지 확인하기
[shjo@test-zabbix ~]$ sudo dnf module list | grep php
php 7.2 [d] common [d], devel, minimal PHP scripting language
php 7.2 [d] common [d], devel, minimal PHP scripting language
php 7.3 common [d], devel, minimal PHP scripting language
php 7.3 common [d], devel, minimal PHP scripting language
php 7.4 common [d], devel, minimal PHP scripting language
php 7.4 common [d], devel, minimal PHP scripting language
php 8.0 common [d], devel, minimal PHP scripting language
php 8.0 common [d], devel, minimal PHP scripting language
php remi-7.2 common [d], devel, minimal PHP scripting language
php remi-7.2 common [d], devel, minimal PHP scripting language
php remi-7.3 common [d], devel, minimal PHP scripting language
php remi-7.3 common [d], devel, minimal PHP scripting language
php remi-7.4 [e] common [d], devel, minimal PHP scripting language
php remi-7.4 [e] common [d], devel, minimal PHP scripting language
php remi-8.0 common [d], devel, minimal PHP scripting language
php remi-8.0 common [d], devel, minimal PHP scripting language
php remi-8.1 common [d], devel, minimal PHP scripting language
php remi-8.1 common [d], devel, minimal PHP scripting language
php remi-8.2 common [d], devel, minimal PHP scripting language
php remi-8.2 common [d], devel, minimal PHP scripting language
php remi-8.3 common [d], devel, minimal PHP scripting language먼저 PHP를 초기화 한다.
shjo@test-zabbix:~$ sudo dnf module reset php
Last metadata expiration check: 0:13:55 ago on Thu 18 Jan 2024 10:42:52 AM KST.
Dependencies resolved.
===========================================================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================================================
Resetting modules:
php
Transaction Summary
===========================================================================================================================================================================================
Is this ok [y/N]: y
Complete!PHP 8.2 버전을 활성화 한다.
[shoj@test-zabbix ~]$ sudo dnf module enable php:remi-8.2
Last metadata expiration check: 0:46:35 ago on Thu 18 Jan 2024 08:30:59 AM KST.
Dependencies resolved.
===========================================================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================================================
Enabling module streams:
php remi-8.2
Transaction Summary
===========================================================================================================================================================================================
Is this ok [y/N]: y
Complete!PHP 모듈을 전환한다
[shjo@test-zabbix ~]$ sudo dnf module switch-to php:remi-8.2
Last metadata expiration check: 0:47:24 ago on Thu 18 Jan 2024 08:30:59 AM KST.
Dependencies resolved.
===========================================================================================================================================================================================
Package Architecture Version Repository Size
===========================================================================================================================================================================================
Upgrading:
php x86_64 8.2.15-1.el8.remi remi-modular 1.8 M
php-bcmath x86_64 8.2.15-1.el8.remi remi-modular 94 k
php-cli x86_64 8.2.15-1.el8.remi remi-modular 5.4 M
php-common x86_64 8.2.15-1.el8.remi remi-modular 1.3 M
replacing php-json.x86_64 7.4.33-1.el8.remi
php-fpm x86_64 8.2.15-1.el8.remi remi-modular 1.9 M
php-gd x86_64 8.2.15-1.el8.remi remi-modular 110 k
php-ldap x86_64 8.2.15-1.el8.remi remi-modular 109 k
php-mbstring x86_64 8.2.15-1.el8.remi remi-modular 581 k
php-mysqlnd x86_64 8.2.15-1.el8.remi remi-modular 262 k
php-opcache x86_64 8.2.15-1.el8.remi remi-modular 643 k
php-pdo x86_64 8.2.15-1.el8.remi remi-modular 170 k
php-sodium x86_64 8.2.15-1.el8.remi remi-modular 109 k
php-xml x86_64 8.2.15-1.el8.remi remi-modular 263 k
Transaction Summary
===========================================================================================================================================================================================
Upgrade 13 Packages
Total download size: 13 M
Is this ok [y/N]: y
Downloading Packages:
(1/13): php-bcmath-8.2.15-1.el8.remi.x86_64.rpm 89 kB/s | 94 kB 00:01
.....
Verifying : php-sodium-8.2.15-1.el8.remi.x86_64 24/27
Verifying : php-sodium-7.4.33-1.el8.remi.x86_64 25/27
Verifying : php-xml-8.2.15-1.el8.remi.x86_64 26/27
Verifying : php-xml-7.4.33-1.el8.remi.x86_64 27/27
Upgraded:
php-8.2.15-1.el8.remi.x86_64 php-bcmath-8.2.15-1.el8.remi.x86_64 php-cli-8.2.15-1.el8.remi.x86_64 php-common-8.2.15-1.el8.remi.x86_64 php-fpm-8.2.15-1.el8.remi.x86_64
php-gd-8.2.15-1.el8.remi.x86_64 php-ldap-8.2.15-1.el8.remi.x86_64 php-mbstring-8.2.15-1.el8.remi.x86_64 php-mysqlnd-8.2.15-1.el8.remi.x86_64 php-opcache-8.2.15-1.el8.remi.x86_64
php-pdo-8.2.15-1.el8.remi.x86_64 php-sodium-8.2.15-1.el8.remi.x86_64 php-xml-8.2.15-1.el8.remi.x86_64
Complete!시스템 상에서 PHP 버전이 바뀌었는지 확인한다.
[shjox@test-zabbix ~]$ php -v
PHP 8.2.15 (cli) (built: Jan 16 2024 12:19:32) (NTS gcc x86_64)
Copyright (c) The PHP Group
Zend Engine v4.2.15, Copyright (c) Zend Technologies
with Zend OPcache v8.2.15, Copyright (c), by Zend Technologies
[shjo@test-zabbix ~]$ php-fpm -v
PHP 8.2.15 (fpm-fcgi) (built: Jan 16 2024 12:19:32)
Copyright (c) The PHP Group
Zend Engine v4.2.15, Copyright (c) Zend Technologies
with Zend OPcache v8.2.15, Copyright (c), by Zend Technologies03-3. Zabbix 6 Minor 버전 업그레이드
설치된 zabbix 패키지를 모두 업그레이드 하자. 그럼 6.2.6에서 6.2.9로 올라간다.
혹여 서버만 올릴 경우 ‘zabbix-server-*’만 올려도 되긴 하지만, 그래도 설치된 패키지 모두를 올리는 방식이 편해서 이 방법을 선택한다.
[shjo@test-zabbix ~]$ sudo dnf upgrade 'zabbix-*'
Last metadata expiration check: 0:00:57 ago on Wed 17 Jan 2024 05:46:09 PM KST.
Dependencies resolved.
==========================================================================================================================================================================================
Package Architecture Version Repository Size
==========================================================================================================================================================================================
Upgrading:
zabbix-agent x86_64 6.2.9-release1.el8 zabbix 561 k
zabbix-get x86_64 6.2.9-release1.el8 zabbix 393 k
zabbix-java-gateway x86_64 6.2.9-release1.el8 zabbix 971 k
zabbix-nginx-conf noarch 6.2.9-release1.el8 zabbix 25 k
zabbix-sender x86_64 6.2.9-release1.el8 zabbix 436 k
zabbix-sql-scripts noarch 6.2.9-release1.el8 zabbix 7.3 M
zabbix-web noarch 6.2.9-release1.el8 zabbix 8.2 M
zabbix-web-deps noarch 6.2.9-release1.el8 zabbix 25 k
zabbix-web-mysql noarch 6.2.9-release1.el8 zabbix 24 k
Transaction Summary
==========================================================================================================================================================================================
Upgrade 9 Packages
Total download size: 18 M
Is this ok [y/N]: y
Downloading Packages:
(1/9): zabbix-get-6.2.9-release1.el8.x86_64.rpm 355 kB/s | 393 kB 00:01
(2/9): zabbix-nginx-conf-6.2.9-release1.el8.noarch.rpm 187 kB/s | 25 kB 00:00
(3/9): zabbix-agent-6.2.9-release1.el8.x86_64.rpm 436 kB/s | 561 kB 00:01
.......
Verifying : zabbix-web-deps-6.2.4-release1.el8.noarch 16/18
Verifying : zabbix-web-mysql-6.2.9-release1.el8.noarch 17/18
Verifying : zabbix-web-mysql-6.2.4-release1.el8.noarch 18/18
Upgraded:
zabbix-agent-6.2.9-release1.el8.x86_64 zabbix-get-6.2.9-release1.el8.x86_64 zabbix-java-gateway-6.2.9-release1.el8.x86_64 zabbix-nginx-conf-6.2.9-release1.el8.noarch
zabbix-sender-6.2.9-release1.el8.x86_64 zabbix-sql-scripts-6.2.9-release1.el8.noarch zabbix-web-6.2.9-release1.el8.noarch zabbix-web-deps-6.2.9-release1.el8.noarch
zabbix-web-mysql-6.2.9-release1.el8.noarch
Complete!03-4.관련된 서비스 재시작
[shjo@test-zabbix ~]$ sudo systemctl restart zabbix-server
[shjo@test-zabbix ~]$ sudo systemctl restart php-fpm
[shjo@test-zabbix ~]$ sudo systemctl restart nginx
[shjo@test-zabbix ~]$ sudo systemctl restart zabbix-agent04. 결과 확인
먼저 버전을 확인하자.
root 옵션을 확인하면 /usr/share/zabbix에 zabbix 웹이 구성된 것을 확인할 수 있다.
[shjo@test-zabbix nginx]$ sudo vi /etc/nginx/conf.d/zabbix.conf
server {
# listen 8080;
# server_name example.com;
root /usr/share/zabbix; # <---------- 이거 확인
index index.php;
location = /favicon.ico {
log_not_found off;
}그리고 /usr/share/zabbix 경로에 phpinfo.php 파일을 만들자
코드는 phpinfo()를 호출하기만 하면되서 간단하다.
- 버전이 노출되는건 심각한 보안 취약점이니 확인 후 반드시 phpinfo 파일을 삭제하자.
[shjo@test-zabbix nginx]$ sudo vi /usr/share/zabbix/phpinfo.php
<?php
phpinfo();
?>