PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4338 Zabbix CVE debrief

CVE-2016-4338 is a high-severity injection flaw in userparameter_mysql.conf, the MySQL user parameter script shipped with the Zabbix agent. In affected deployments, using that file with a shell other than bash allows the mysql.size parameter to be abused to execute arbitrary code or SQL commands. The issue is rated 8.1 HIGH in the supplied NVD record, so Zabbix installations that load this script should be prioritized for upgrade and configuration review.

Vendor
Zabbix
Product
Zabbix agent (userparameter_mysql.conf)
CVSS
8.1 HIGH (CVSS v3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-23
Original CVE updated
2026-05-13
Advisory published
2017-01-23
Advisory updated
2026-05-13

Who should care

Zabbix administrators, infrastructure teams running Zabbix agents, and security teams responsible for Linux or Unix monitoring hosts that use the mysql user parameter script.

Technical summary

NVD describes the flaw as a context-dependent injection issue in userparameter_mysql.conf, the MySQL user parameter file shipped with the Zabbix agent. A user parameter splices the item's arguments into a shell command line, and mysql.size additionally uses those arguments to build the SQL it sends to mysql; when the script runs under a shell other than bash, the arguments are handled unsafely, creating a path to arbitrary code execution or SQL command execution. NVD classifies the weakness as CWE-89 (SQL injection) and rates it CVSS v3.0 8.1 HIGH (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H); the high attack complexity is consistent with the configuration precondition. The affected releases listed in the CVE description are Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3.

Defensive priority

High. Upgrade any Zabbix agents that load the mysql user parameter script, prioritizing internet-exposed or widely deployed hosts and those whose system shell is not bash. Because the flaw can lead to code or SQL execution, it should be handled as a priority configuration and patching issue.

Recommended defensive actions

  • Upgrade Zabbix to a fixed release: 2.0.18 or later, 2.2.13 or later, or 3.0.3 or later, depending on the branch in use.
  • Inventory hosts that use userparameter_mysql.conf and confirm whether the mysql.size parameter is enabled or reachable in your environment.
  • Review which shell executes the agent's user parameter commands (on most Linux distributions this is /bin/sh, which on Debian-derived systems is dash rather than bash) and eliminate the non-bash condition described in the CVE where possible, but do not treat configuration changes as a substitute for upgrading.
  • If the mysql user parameter is not required, disable or remove it to reduce exposure.
  • Check affected hosts for signs of unexpected command execution or unexplained SQL activity, including requests for the mysql.size item with unusual arguments, as part of post-remediation incident-response hygiene.
  • Prefer vendor and distribution advisories linked to this issue when planning patch windows and change control.
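The version classification from the Technical summary and the inventory and shell-review actions above, combined into a set of host triage helpers. This is an added example written for this debrief, not code from PatchSiren or from the Zabbix project. It assumes, beyond what the CVE record states, that the agent runs UserParameter commands through /bin/sh, that the MySQL user parameters live in /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf, and that `zabbix_agentd -V` prints the version as the last field of its first line; the function names and the sample config lines used below are constructed.

```shell
#!/bin/sh
# Added triage helpers for CVE-2016-4338. Example code for this debrief, not
# code from PatchSiren or from the Zabbix project.
# Assumptions (not stated in the CVE record): the agent executes UserParameter
# commands through /bin/sh, the MySQL user parameters live in
# /etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf, and `zabbix_agentd -V`
# prints the version as the last field of its first line. Adjust per distribution.

# Classify a Zabbix version against the ranges in the CVE record:
# before 2.0.18, 2.2.x before 2.2.13, 3.0.x before 3.0.3.
# Prints one word: affected | fixed | unlisted | unknown
#   unlisted = a branch the record does not name (e.g. 2.4.x, 3.2.x); consult the vendor advisory
cve_2016_4338_status() {
    # keep the leading dotted-numeric part: "3.0.3rc1" -> "3.0.3", "3.0.3-1.el7" -> "3.0.3"
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    case "$num" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -d. -f2)
    patch=$(printf '%s' "$num" | cut -d. -f3)
    patch=${patch:-0}
    case "$major.$minor" in
        2.0) limit=18 ;;
        2.2) limit=13 ;;
        3.0) limit=3 ;;
        *)
            # "before 2.0.18" also covers every release older than the 2.0 branch
            if [ "$major" -lt 2 ]; then echo affected; else echo unlisted; fi
            return 0 ;;
    esac
    if [ "$patch" -lt "$limit" ]; then echo affected; else echo fixed; fi
}

# Does the config file define an uncommented mysql.size user parameter?
# Prints: enabled | absent   (absent also when the file is missing or unreadable)
mysql_size_status() {
    if [ -r "$1" ] && grep -Eq '^[[:space:]]*UserParameter=mysql\.size(\[|,)' "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# Resolve which shell a path such as /bin/sh finally points to; prints the basename
# of the final target (bash, dash, busybox, ...). A plain "sh" binary is reported as sh
# and therefore treated as non-bash, which is the conservative choice here.
sh_target() {
    path=${1:-/bin/sh}
    target=$(readlink -f "$path" 2>/dev/null) || target=$path
    basename "$target"
}

# One verdict line per host. Arguments: version [path-to-sh] [path-to-conf]
# Verdicts: exposed = affected release, mysql.size enabled, and sh is not bash
#                     (the condition the CVE describes)
#           upgrade = affected release; mysql.size disabled or sh is bash, still patch
#           ok      = fixed release
#           review  = version unknown or in a branch the record does not name
triage_host() {
    ver=$1
    shpath=${2:-/bin/sh}
    conf=${3:-/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf}
    vstat=$(cve_2016_4338_status "$ver")
    pstat=$(mysql_size_status "$conf")
    shell=$(sh_target "$shpath")
    case "$vstat:$pstat:$shell" in
        affected:enabled:bash) verdict=upgrade ;;
        affected:enabled:*)    verdict=exposed ;;
        affected:*)            verdict=upgrade ;;
        fixed:*)               verdict=ok ;;
        *)                     verdict=review ;;
    esac
    printf '%s version=%s mysql.size=%s sh=%s\n' "$verdict" "$ver" "$pstat" "$shell"
}

# Run against the local host when zabbix_agentd is on PATH (assumed -V output format).
if command -v zabbix_agentd >/dev/null 2>&1; then
    triage_host "$(zabbix_agentd -V | awk 'NR==1 {print $NF}')"
fi
```

Run it on each monitoring host (or push it through your configuration management tool) and collect the verdict lines; `exposed` hosts match the CVE's stated precondition and should be upgraded first, `upgrade` hosts are on an affected release and still need the fixed version, and `review` hosts run a branch the CVE record does not name, so their status must be confirmed against the vendor advisory rather than assumed safe.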

Evidence notes

The debrief is based on the supplied CVE description, the official NVD record, and vendor-linked references in the corpus. The record states the issue affects Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, and classifies it as CWE-89 with CVSS v3.0 8.1 HIGH. The supplied source metadata also includes vendor advisory references for the Zabbix fixes and third-party exploit/advisory links, but this summary uses them only as corroborating context, not as primary remediation guidance.

Official resources

Publicly disclosed in the CVE record on 2017-01-23. The supplied NVD references point to vendor-linked fix information and several third-party advisories/exploit write-ups. No CISA KEV entry is indicated in the supplied data.