Security Center

<div class="col-md-8">
     <h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2>
    <p>
<h3>How do I stay informed about security announcements?</h3>
You can manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
and/or subscribe to these RSS feeds (in the Zimbra Classic UI or another feed reader such as r2e on Linux):
<ul>
<li>https://wiki.zimbra.com/security-advisory-feed.php (no details; suitable for security notification purposes)</li>
<li>https://blog.zimbra.com/feed/ (includes patches and security news with details, plus other news)</li>
</ul>
You can also subscribe to the Zeta Alliance mailing lists:
https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org
<br><br>
</p>
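If you would rather not watch the feed by hand, a small poller that remembers which advisories it has already reported is enough to turn the notification feed into an alert. The script below is an added example, not part of this page or of Zimbra's own tooling: it uses the advisory feed URL named above, keeps the set of reported GUIDs in a state file whose path is an assumption, and ships with a constructed sample feed (titles mirroring the entries on this page) so it can be exercised offline.

```python
"""Poll the Zimbra security-advisory RSS feed and report items not seen before.

Added example, not part of the wiki page or Zimbra's own tooling. FEED_URL is
the feed named on this page; STATE_FILE and SAMPLE_FEED are assumptions made
for the example.
"""
from __future__ import annotations

import json
import pathlib
import urllib.request
import xml.etree.ElementTree as ET

FEED_URL = "https://wiki.zimbra.com/security-advisory-feed.php"
# Where GUIDs of already-reported advisories are kept between runs (assumed path).
STATE_FILE = pathlib.Path("~/.zimbra-advisories-seen.json").expanduser()


def parse_feed(xml_text: str) -> list[dict[str, str]]:
    """Return the <item> entries of an RSS 2.0 feed as dicts.

    The stdlib parser does not resolve external entities; for feeds from a
    source you do not control, defusedxml is the safer drop-in choice.
    """
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        link = (item.findtext("link") or "").strip()
        items.append({
            # Fall back to the link when a feed omits <guid>.
            "guid": (item.findtext("guid") or link).strip(),
            "title": (item.findtext("title") or "").strip(),
            "link": link,
            "pubDate": (item.findtext("pubDate") or "").strip(),
        })
    return items


def new_items(items: list[dict[str, str]], seen: set[str]) -> list[dict[str, str]]:
    """Items whose GUID has not been reported before."""
    return [i for i in items if i["guid"] and i["guid"] not in seen]


def check(xml_text: str, seen: set[str]) -> tuple[list[dict[str, str]], set[str]]:
    """Parse the feed text; return (new items, updated seen-set)."""
    fresh = new_items(parse_feed(xml_text), seen)
    return fresh, seen | {i["guid"] for i in fresh}


def load_seen(path: pathlib.Path = STATE_FILE) -> set[str]:
    try:
        return set(json.loads(path.read_text()))
    except FileNotFoundError:
        return set()


def save_seen(seen: set[str], path: pathlib.Path = STATE_FILE) -> None:
    path.write_text(json.dumps(sorted(seen)))


def fetch(url: str = FEED_URL, timeout: int = 20) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample feed so the example runs offline; titles mirror this page.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Zimbra Security Advisories (sample)</title>
<item><title>ZCS 10.0.6 Released</title>
<link>https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.6#Security_Fixes</link>
<guid>https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.6</guid>
<pubDate>Mon, 18 Dec 2023 00:00:00 +0000</pubDate></item>
<item><title>ZCS 9.0.0 Patch 38 Released</title>
<link>https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P38#Security_Fixes</link>
<guid>https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P38</guid>
<pubDate>Mon, 18 Dec 2023 00:00:00 +0000</pubDate></item>
</channel></rss>"""


if __name__ == "__main__":
    import sys
    # Run with --offline to exercise the sample feed instead of the network.
    text = SAMPLE_FEED if "--offline" in sys.argv else fetch()
    fresh, seen = check(text, load_seen())
    for item in fresh:
        print(f"NEW ADVISORY: {item['title']} {item['link']} ({item['pubDate']})")
    save_seen(seen)
```

Run it from cron; on the first run every advisory is reported, afterwards only new GUIDs are. The state file is keyed on GUID rather than title so an edited advisory is not re-announced.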
   
     <div class="col-md-12">
         <div class="ibox-content">
<!-- 10.0.6 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 10.0.6 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.6#Security_Fixes 10.0.6]
was released on Mon Dec 18 2023. The release includes security fixes for: <ul>
<li>OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-21930 CVE-2023-21930] [https://nvd.nist.gov/vuln/detail/CVE-2022-21476 CVE-2022-21476] [https://nvd.nist.gov/vuln/detail/CVE-2022-21449 CVE-2022-21449]</li>
<li>Fixed a vulnerability that allowed an auth token to be obtained. [https://nvd.nist.gov/vuln/detail/CVE-2023-48432 CVE-2023-48432]</li>
<li>Certbot now defaults to ECDSA secp256r1 (P-256) private keys for all newly generated certificates, and Zimbra now supports ECDSA secp256r1 (P-256) private keys in new certificates. Confirm that any TLS-terminating proxies and older clients in front of ZCS accept ECDSA certificates before renewing. TBD</li>
<li>The Modern UI was vulnerable to DOM-based JavaScript injection; the affected code has been fixed. TBD</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Mon Dec 18 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 38 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 38 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P38#Security_Fixes 9.0.0 Patch 38]
was released on Mon Dec 18 2023. The release includes security fixes for: <ul>
<li>OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-21930 CVE-2023-21930] [https://nvd.nist.gov/vuln/detail/CVE-2022-21476 CVE-2022-21476] [https://nvd.nist.gov/vuln/detail/CVE-2022-21449 CVE-2022-21449]</li>
<li>Fixed a vulnerability that allowed an auth token to be obtained. [https://nvd.nist.gov/vuln/detail/CVE-2023-48432 CVE-2023-48432]</li>
<li>Certbot now defaults to ECDSA secp256r1 (P-256) private keys for all newly generated certificates, and Zimbra now supports ECDSA secp256r1 (P-256) private keys in new certificates. TBD</li>
<li>The Modern UI was vulnerable to DOM-based JavaScript injection; the affected code has been fixed. TBD</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Mon Dec 18 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 45 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 45 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P45#Security_Fixes 8.8.15 Patch 45]
was released on Mon Dec 18 2023. The release includes security fixes for: <ul>
<li>OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-21930 CVE-2023-21930] [https://nvd.nist.gov/vuln/detail/CVE-2022-21476 CVE-2022-21476] [https://nvd.nist.gov/vuln/detail/CVE-2022-21449 CVE-2022-21449]</li>
<li>Fixed a vulnerability that allowed an auth token to be obtained. [https://nvd.nist.gov/vuln/detail/CVE-2023-48432 CVE-2023-48432]</li>
<li>Certbot now defaults to ECDSA secp256r1 (P-256) private keys for all newly generated certificates, and Zimbra now supports ECDSA secp256r1 (P-256) private keys in new certificates. TBD</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Mon Dec 18 2023</p>
</div>
</div>
</div>
</div>
<!-- 10.0.5 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 10.0.5 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.5#Security_Fixes 10.0.5]
was released on Thu Oct 19 2023. The release includes security fixes for: <ul>
<li>A security issue that allowed JavaScript injection through help files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2007-1280 CVE-2007-1280]</li>
<li>A security issue in one of the third-party libraries used by the Admin User Interface has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2020-7746 CVE-2020-7746]</li>
<li>An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. [https://nvd.nist.gov/vuln/detail/CVE-2023-45207 CVE-2023-45207]</li>
<li>Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the RoboHelp package. The package has now been made optional, so users will access help documentation at https://www.zimbra.com/documentation/. [https://nvd.nist.gov/vuln/detail/CVE-2023-45206 CVE-2023-45206]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Thu Oct 19 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 37 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 37 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P37#Security_Fixes 9.0.0 Patch 37]
was released on Thu Oct 19 2023. The release includes security fixes for: <ul>
<li>A security issue that allowed JavaScript injection through help files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2007-1280 CVE-2007-1280]</li>
<li>A security issue in one of the third-party libraries used by the Admin User Interface has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2020-7746 CVE-2020-7746]</li>
<li>An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. [https://nvd.nist.gov/vuln/detail/CVE-2023-45207 CVE-2023-45207]</li>
<li>Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the RoboHelp package. The package has now been made optional, so users will access help documentation at https://www.zimbra.com/documentation/. [https://nvd.nist.gov/vuln/detail/CVE-2023-45206 CVE-2023-45206]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Thu Oct 19 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 44 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 44 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P44#Security_Fixes 8.8.15 Patch 44]
was released on Thu Oct 19 2023. The release includes security fixes for: <ul>
<li>A security issue that allowed JavaScript injection through help files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2007-1280 CVE-2007-1280]</li>
<li>A security issue in one of the third-party libraries used by the Admin User Interface has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2020-7746 CVE-2020-7746]</li>
<li>An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. [https://nvd.nist.gov/vuln/detail/CVE-2023-45207 CVE-2023-45207]</li>
<li>Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the RoboHelp package. The package has now been made optional, so users will access help documentation at https://www.zimbra.com/documentation/. [https://nvd.nist.gov/vuln/detail/CVE-2023-45206 CVE-2023-45206]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Thu Oct 19 2023</p>
</div>
</div>
</div>
</div>
<!-- 10.0.4 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 10.0.4 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.4#Security_Fixes 10.0.4]
was released on Wed Sep 13 2023. The release includes security fixes for: <ul>
<li>XSS on one of the web endpoints via an unsanitised input parameter. [https://nvd.nist.gov/vuln/detail/CVE-2023-43103 CVE-2023-43103]</li>
<li>An attacker could gain access to a logged-in user's mailbox through XSS. [https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Sep 13 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 36 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 36 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P36#Security_Fixes 9.0.0 Patch 36]
was released on Wed Sep 13 2023. The release includes security fixes for: <ul>
<li>XSS on one of the web endpoints via an unsanitised input parameter. [https://nvd.nist.gov/vuln/detail/CVE-2023-43103 CVE-2023-43103]</li>
<li>An attacker could gain access to a logged-in user's mailbox through XSS. [https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Sep 13 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 43 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 43 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P43#Security_Fixes 8.8.15 Patch 43]
was released on Wed Sep 13 2023. The release includes security fixes for: <ul>
<li>XSS on one of the web endpoints via an unsanitised input parameter. [https://nvd.nist.gov/vuln/detail/CVE-2023-43103 CVE-2023-43103]</li>
<li>An attacker could gain access to a logged-in user's mailbox through XSS. [https://nvd.nist.gov/vuln/detail/CVE-2023-43102 CVE-2023-43102]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Sep 13 2023</p>
</div>
</div>
</div>
</div>
<!-- 10.0.3 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 10.0.3 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.3#Security_Fixes 10.0.3]
was released on Wed Aug 23 2023. The release includes security fixes for: <ul>
<li>A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-41106 CVE-2023-41106]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Aug 23 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 35 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 35 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P35#Security_Fixes 9.0.0 Patch 35]
was released on Wed Aug 23 2023. The release includes security fixes for: <ul>
<li>A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-41106 CVE-2023-41106]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Aug 23 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 42 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 42 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P42#Security_Fixes 8.8.15 Patch 42]
was released on Wed Aug 23 2023. The release includes security fixes for: <ul>
<li>A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-41106 CVE-2023-41106]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Aug 23 2023</p>
</div>
</div>
</div>
</div>
<!-- 10.0.2 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 10.0.2 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.2#Security_Fixes 10.0.2]
was released on Wed Jul 26 2023. The release includes security fixes for: <ul>
<li>The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. [https://nvd.nist.gov/vuln/detail/CVE-2023-0464 CVE-2023-0464]</li>
<li>The Amavis package has been upgraded to version 2.13.0. TBD</li>
<li>A bug that could lead to exposure of internal JSP and XML files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-38750 CVE-2023-38750]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Jul 26 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 34 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 34 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P34#Security_Fixes 9.0.0 Patch 34]
was released on Wed Jul 26 2023. The release includes security fixes for: <ul>
<li>The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. [https://nvd.nist.gov/vuln/detail/CVE-2023-0464 CVE-2023-0464]</li>
<li>The Amavis package has been upgraded to version 2.13.0. TBD</li>
<li>A bug that could lead to exposure of internal JSP and XML files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-38750 CVE-2023-38750]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Jul 26 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 41 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 41 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P41#Security_Fixes 8.8.15 Patch 41]
was released on Wed Jul 26 2023. The release includes security fixes for: <ul>
<li>A cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client has been addressed. This issue was exploited in the wild before the fix was available, so treat the upgrade as urgent. [https://nvd.nist.gov/vuln/detail/CVE-2023-37580 CVE-2023-37580]</li>
<li>The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. [https://nvd.nist.gov/vuln/detail/CVE-2023-0464 CVE-2023-0464]</li>
<li>The Amavis package has been upgraded to version 2.13.0. TBD</li>
<li>A bug that could lead to exposure of internal JSP and XML files has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-38750 CVE-2023-38750]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Wed Jul 26 2023</p>
</div>
</div>
</div>
</div>
<!-- 10.0.1 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">Daffodil 10.0.1 Released</h4>
<div class="row">
<p class="text-justify"> Daffodil [https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.1#Security_Fixes 10.0.1]
was released on Tue May 30 2023. The release includes security fixes for: <ul>
<li>As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. [https://nvd.nist.gov/vuln/detail/CVE-2023-34193 CVE-2023-34193]</li>
<li>The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690]</li>
<li>An unused JSP file that could bypass PreAuth verification has been removed. [https://nvd.nist.gov/vuln/detail/CVE-2023-29382 CVE-2023-29382]</li>
<li>The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-46364 CVE-2022-46364]</li>
<li>The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22970]</li>
<li>Added additional validations for 2FA login. [https://nvd.nist.gov/vuln/detail/CVE-2023-29381 CVE-2023-29381]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Tue May 30 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 33 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 9.0.0 Patch 33 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P33#Security_Fixes 9.0.0 Patch 33]
was released on Tue May 30 2023. The release includes security fixes for: <ul>
<li>As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. [https://nvd.nist.gov/vuln/detail/CVE-2023-34193 CVE-2023-34193]</li>
<li>The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690]</li>
<li>An unused JSP file that could bypass PreAuth verification has been removed. [https://nvd.nist.gov/vuln/detail/CVE-2023-29382 CVE-2023-29382]</li>
<li>The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-46364 CVE-2022-46364]</li>
<li>The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22970]</li>
<li>Added additional validations for 2FA login. [https://nvd.nist.gov/vuln/detail/CVE-2023-29381 CVE-2023-29381]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Tue May 30 2023</p>
</div>
</div>
</div>
</div>
<!-- 8.8.15 Patch 40 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
<div class="panel panel-default">
<div class="panel-body">
<h4 class="post-title">ZCS 8.8.15 Patch 40 Released</h4>
<div class="row">
<p class="text-justify"> ZCS [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P40#Security_Fixes 8.8.15 Patch 40]
was released on Tue May 30 2023. The release includes security fixes for: <ul>
<li>A possible cross-site scripting (XSS) vulnerability has been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-34192 CVE-2023-34192]</li>
<li>As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. [https://nvd.nist.gov/vuln/detail/CVE-2023-34193 CVE-2023-34193]</li>
<li>The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-25690 CVE-2023-25690]</li>
<li>An unused JSP file that could bypass PreAuth verification has been removed. [https://nvd.nist.gov/vuln/detail/CVE-2023-29382 CVE-2023-29382]</li>
<li>The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-46364 CVE-2022-46364]</li>
<li>The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-22970 CVE-2022-22970]</li>
<li>Added additional validations for 2FA login. [https://nvd.nist.gov/vuln/detail/CVE-2023-29381 CVE-2023-29381]</li>
</ul></p>
</div>
</div>
<div class="col-md-12">
<div class="panel-footer" align="right">
<p><i class="fa fa-calendar"></i>Tue May 30 2023</p>
</div>
</div>
</div>
</div>
<!-- 9.0.0 Patch 31 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
    <div class="panel panel-default">
        <div class="panel-body">
            <h4 class="post-title">ZCS 9.0.0 Patch 31 Released</h4>
            <div class="row">
                <p class="text-justify"> ZCS 9.0.0 [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P31#Security_Fixes Patch 31] was released on March 2, 2023. The release includes security fixes for:
                    <ul>
                        <li>The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-20032 CVE-2023-20032]</li>
                    </ul>
                </p>
            </div>
        </div>
        <div class="col-md-12">
            <div class="panel-footer" align="right">
                <p><i class="fa fa-calendar"></i>March 2, 2023</p>
            </div>
        </div>
    </div>
</div>
<!-- 8.8.15 Patch 38 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 38 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P38#Security_Fixes Patch 38]
was released on March 2, 2023. The release includes security fixes for:
<ul>
                        <li>The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-20032 CVE-2023-20032]</li>
                    </ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>March 2, 2023</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 30 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
    <div class="panel panel-default">
        <div class="panel-body">
            <h4 class="post-title">ZCS 9.0.0 Patch 30 Released</h4>
            <div class="row">
                <p class="text-justify"> ZCS 9.0.0 [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P30#Security_Fixes Patch 30] was released on February 21, 2023. The release includes security fixes for:
                    <ul>
                        <li>Multiple reflected XSS (RXSS) issues in printing messages and appointments have been fixed. [https://nvd.nist.gov/vuln/detail/CVE-2023-24031 CVE-2023-24031]</li>
                        <li>The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-0286 CVE-2023-0286]</li>
                        <li>The PreAuth servlet has been hardened to redirect only to the admin-configured URL, which prevents open redirection. [https://nvd.nist.gov/vuln/detail/CVE-2023-24030 CVE-2023-24030]</li>
<li>Previously, the account status was not validated when sending email from an account using 2FA. Additional validation now checks the account status before allowing email operations. [https://nvd.nist.gov/vuln/detail/CVE-2023-26562 CVE-2023-26562]</li>
<li>The mailbox manager now disallows certain JVM arguments, hardening the product. [https://nvd.nist.gov/vuln/detail/CVE-2023-24032 CVE-2023-24032]</li>
<li>The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2018-25032 CVE-2018-25032]</li>
                    </ul>
                </p>
            </div>
        </div>
        <div class="col-md-12">
            <div class="panel-footer" align="right">
                <p><i class="fa fa-calendar"></i>February 21, 2023</p>
            </div>
        </div>
    </div>
</div>
<!-- 8.8.15 Patch 37 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 37 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P37#Security_Fixes Patch 37]
was released on February 21, 2023. The release includes security fixes for:
<ul>
                        <li>The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2023-0286 CVE-2023-0286]</li>
<li>The PreAuth servlet has been hardened to redirect only to the admin-configured URL, which prevents open redirection. [https://nvd.nist.gov/vuln/detail/CVE-2023-24030 CVE-2023-24030]</li>
<li>Previously, the account status was not validated when sending email from an account using 2FA. Additional validation now checks the account status before allowing email operations. [https://nvd.nist.gov/vuln/detail/CVE-2023-26562 CVE-2023-26562]</li>
<li>The mailbox manager now disallows certain JVM arguments, hardening the product. [https://nvd.nist.gov/vuln/detail/CVE-2023-24032 CVE-2023-24032]</li>
<li>The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2018-25032 CVE-2018-25032]</li>
</ul>
                            </p>
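The PreAuth open-redirect fix listed for 9.0.0 Patch 30 and 8.8.15 Patch 37 (CVE-2023-24030) is an instance of a general pattern: a post-login redirect parameter is honoured only when it stays on the configured site, and falls back to the admin-configured URL otherwise. The function below is an added illustration of that pattern, not Zimbra's PreAuth servlet code; its name, the example hostnames and the probe URLs are assumptions made for the example. It covers the bypasses that naive "same prefix" checks miss: scheme-relative `//host`, userinfo tricks (`host@evil`), backslash variants, non-http schemes and a different port.

```python
"""Allowlist check for a post-authentication redirect target.

Added example, not Zimbra's PreAuth servlet code: it illustrates the class of
fix described for CVE-2023-24030 (redirect only to the admin-configured URL).
The function name and the hostnames used are assumptions for this illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def redirect_target(requested: str | None, configured_url: str) -> str:
    """Return the URL the browser should be sent to after PreAuth.

    The requested target is honoured only if it is an absolute path on this
    site, or an URL with exactly the configured scheme, host and port. Anything
    else (other hosts, scheme-relative "//host", userinfo tricks, javascript:,
    backslash variants, malformed URLs) falls back to the configured URL.
    """
    if not requested:
        return configured_url
    # Browsers treat "\" like "/" in URLs, so normalise before parsing to stop
    # "/\evil.example" from slipping past the "//" check below.
    candidate = requested.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError for a malformed port or IPv6 host
    except ValueError:
        return configured_url
    if not parts.scheme and not parts.netloc:
        # Relative target: accept an absolute path, reject scheme-relative URLs.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return configured_url
    cfg = urlsplit(configured_url)
    same_scheme = parts.scheme.lower() == cfg.scheme.lower()
    # .hostname is the real host even when userinfo ("user@") is present.
    same_host = (parts.hostname or "").lower() == (cfg.hostname or "").lower()
    if same_scheme and same_host and port == cfg.port:
        return candidate
    return configured_url


if __name__ == "__main__":
    CONFIGURED = "https://mail.example.com/"  # assumed admin-configured URL
    for probe in ["/mail?app=calendar", "https://mail.example.com/mail",
                  "//evil.example/", "https://mail.example.com@evil.example/",
                  "/\\evil.example", "javascript:alert(1)",
                  "https://mail.example.com:8443/", "http://mail.example.com/"]:
        print(f"{probe!r:45} -> {redirect_target(probe, CONFIGURED)}")
```

Comparing parsed scheme, host and port (rather than doing a string prefix match on the configured URL) is what defeats the `https://mail.example.com@evil.example/` and `https://mail.example.com.evil.example/` variants.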
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>February 21, 2023</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 28 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
    <div class="panel panel-default">
        <div class="panel-body">
            <h4 class="post-title">ZCS 9.0.0 Patch 28 Released</h4>
            <div class="row">
                <p class="text-justify"> ZCS 9.0.0 [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P28#Security_Fixes Patch 28] was released on November 21, 2022. The release includes security fixes for:
                    <ul>
                        <li>XSS in the Classic UI login page via injected JavaScript. [https://nvd.nist.gov/vuln/detail/CVE-2022-45911 CVE-2022-45911]</li>
                        <li>RCE through ClientUploader by an authenticated admin user. [https://nvd.nist.gov/vuln/detail/CVE-2022-45912 CVE-2022-45912]</li>
                        <li>XSS via one of the attributes in webmail URLs, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-45913 CVE-2022-45913]</li>
                        <li>The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-26377 CVE-2022-26377]</li>
                        <li>The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-20770 CVE-2022-20770] [https://nvd.nist.gov/vuln/detail/CVE-2022-20771 CVE-2022-20771]</li>
                        <li>The YUI dependency has been removed from the Web Client and Admin Console.</li>
                    </ul>
                </p>
            </div>
        </div>
        <div class="col-md-12">
            <div class="panel-footer" align="right">
                <p><i class="fa fa-calendar"></i>November 21, 2022</p>
            </div>
        </div>
    </div>
</div>
<!-- 8.8.15 Patch 35 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 35 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P35#Security_Fixes Patch 35]
was released on November 21, 2022. The release includes security fixes for:
<ul>
<li>RCE through ClientUploader by an authenticated admin user. [https://nvd.nist.gov/vuln/detail/CVE-2022-45912 CVE-2022-45912]</li>
<li>XSS via one of the attributes in webmail URLs, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-45913 CVE-2022-45913]</li>
<li>The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-26377 CVE-2022-26377]</li>
<li>The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-20770 CVE-2022-20770] [https://nvd.nist.gov/vuln/detail/CVE-2022-20771 CVE-2022-20771]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>November 21, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 27 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
    <div class="panel panel-default">
        <div class="panel-body">
            <h4 class="post-title">ZCS 9.0.0 Patch 27 Released</h4>
            <div class="row">
                <p class="text-justify"> ZCS 9.0.0 [https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes Patch 27] was released on October 11, 2022. The release includes security fixes for:
                    <ul>
                        <li>An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio. [https://nvd.nist.gov/vuln/detail/CVE-2022-41352 CVE-2022-41352].</li>
                        <li>Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. [https://nvd.nist.gov/vuln/detail/CVE-2022-37393 CVE-2022-37393]</li>
                        <li>XSS can occur via one of the attributes of an IMG element, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-41348 CVE-2022-41348]</li>
                    </ul>
                </p>
            </div>
        </div>
        <div class="col-md-12">
            <div class="panel-footer" align="right">
                <p><i class="fa fa-calendar"></i>October 11, 2022</p>
            </div>
        </div>
    </div>
</div>
<!-- 8.8.15 Patch 34 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 34 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34#Security_Fixes Patch 34]
was released on October 11, 2022. The release includes security fixes for:
<ul>
<li>An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio. [https://nvd.nist.gov/vuln/detail/CVE-2022-41352 CVE-2022-41352].</li>
<li>Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. [https://nvd.nist.gov/vuln/detail/CVE-2022-37393 CVE-2022-37393].</li>
<li>XSS can occur via one of the attributes in the search component of webmail, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-41350 CVE-2022-41350]</li>
<li>XSS can occur via one of the attributes in the compose component of webmail, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-41349 CVE-2022-41349]</li>
<li>XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure. [https://nvd.nist.gov/vuln/detail/CVE-2022-41351 CVE-2022-41351]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>October 11, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 26 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 26 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P26#Security_Fixes Patch 26]
was released on July 28, 2022. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068].</li>
<li>Authentication Bypass in MailboxImportServlet. [https://nvd.nist.gov/vuln/detail/CVE-2022-37042 CVE-2022-37042]</li>
<li>Proxy Servlet SSRF Vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-37041 CVE-2022-37041]</li>
<li>Cyrus SASL package has been upgraded to version 2.1.28. [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</li>
<li>When using preauth, CSRF tokens are not checked on some post endpoints. [https://nvd.nist.gov/vuln/detail/CVE-2022-37043 CVE-2022-37043]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>July 28, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 33 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 33 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P33#Security_Fixes Patch 33]
was released on July 28, 2022. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2022-2068 CVE-2022-2068].</li>
<li>RXSS on '/h/search' via title parameter. [https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044].</li>
<li>RXSS on '/h/search' via onload parameter. [https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</li>
<li>RXSS on '/h/search' via extra parameter. [https://nvd.nist.gov/vuln/detail/CVE-2022-37044 CVE-2022-37044]</li>
<li>Authentication Bypass in MailboxImportServlet. [https://nvd.nist.gov/vuln/detail/CVE-2022-37042 CVE-2022-37042]</li>
<li>Proxy Servlet SSRF Vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-37041 CVE-2022-37041]</li>
<li>Cyrus SASL package has been upgraded to version 2.1.28. [https://nvd.nist.gov/vuln/detail/CVE-2022-24407 CVE-2022-24407]</li>
<li>When using preauth, CSRF tokens are not checked on some post endpoints. [https://nvd.nist.gov/vuln/detail/CVE-2022-37043 CVE-2022-37043]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>July 28, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 25 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 25 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25#Security_Fixes Patch 25]
was released on June 14, 2022. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778].</li>
<li>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165].</li>
<li>Upgraded mina-core to version 2.1.6. [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</li>
<li>Fixed an issue with Zimbra Classic WebApp where input sanitization was required when displaying attachment data. [CVE - TBD]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>June 14, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 32 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 32 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32#Security_Fixes Patch 32]
was released on June 14, 2022. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. [https://access.redhat.com/security/cve/cve-2022-0778 CVE-2022-0778].</li>
<li>Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. [https://nvd.nist.gov/vuln/detail/CVE-2021-28165 CVE-2021-28165].</li>
<li>Upgraded mina-core to version 2.1.6. [https://nvd.nist.gov/vuln/detail/CVE-2019-0231 CVE-2019-0231]</li>
<li>Fixed an issue with Zimbra Classic WebApp where input sanitization was required when displaying attachment data. [CVE - TBD]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>June 14, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 24.1 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 24.1 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes Patch 24.1]
was released on May 10, 2022. The release includes security fixes for:
<ul>
<li>Memcached poisoning with an unauthenticated request. [https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i>May 10, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 31.1 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 31.1 Released</h4>
                        <div class="row">
                            <p class="text-justify">ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31.1#Security_Fixes Patch 31.1]
was released on May 10, 2022. The release includes security fixes for:
<ul>
<li>Memcached poisoning with an unauthenticated request. [https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> May 10, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 24 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 24 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24#Security_Fixes Patch 24]
was released on March 30, 2022. The release includes security fixes for:
<ul>
<li>Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-40438 CVE-2021-40438] [https://nvd.nist.gov/vuln/detail/CVE-2021-39275 CVE-2021-39275].</li>
<li>Upgraded PHP to 7.4.27 to avoid DoS vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2021-21702 CVE-2021-21702]</li>
<li>RCE through mboximport by an authenticated user. [https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</li>
<li>Memcached poisoning with an unauthenticated request. [https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</li>
</ul>
Spring4Shell security hotfix was released in Patch 24 on April 21, 2022:
<ul>
<li>RCE vulnerability in Spring Framework. [https://nvd.nist.gov/vuln/detail/CVE-2022-22965 CVE-2022-22965].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> March 30, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 31 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 31 Released</h4>
                        <div class="row">
                            <p class="text-justify">ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31#Security_Fixes Patch 31]
was released on March 30, 2022. The release includes security fixes for:
<ul>
<li>Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-40438 CVE-2021-40438] [https://nvd.nist.gov/vuln/detail/CVE-2021-39275 CVE-2021-39275].</li>
<li>Upgraded PHP to 7.4.27 to avoid DoS vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2021-21702 CVE-2021-21702]</li>
<li>An endpoint URL accepted parameters without sanitizing them, causing an XSS vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-27926 CVE-2022-27926]</li>
<li>RCE through mboximport by an authenticated user. [https://nvd.nist.gov/vuln/detail/CVE-2022-27925 CVE-2022-27925]</li>
<li>Memcached poisoning with an unauthenticated request. [https://nvd.nist.gov/vuln/detail/CVE-2022-27924 CVE-2022-27924]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> March 30, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 30 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 30 Security Hotfix Released</h4>
                        <div class="row">
                            <p class="text-justify">A Security Hotfix for ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30#Security_Hotfix_Alert Patch 30]
was released on February 05, 2022. The hotfix release includes a security fix for:
<ul>
<li>Zero-day XSS Vulnerability. [https://nvd.nist.gov/vuln/detail/CVE-2022-24682 CVE-2022-24682].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> February 05, 2022</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 21 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 21 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P21#Security_Fixes Patch 21]
was released on November 22, 2021. The release includes security fixes for:
<ul>
<li>Upgraded Apache to 2.4.51 to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-30641 CVE-2021-30641] [https://nvd.nist.gov/vuln/detail/CVE-2020-35452 CVE-2020-35452].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> November 22, 2021</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 28 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 28 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P28#Security_Fixes Patch 28]
was released on November 22, 2021. The release includes security fixes for:
<ul>
<li>Upgraded Apache to 2.4.51 to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-30641 CVE-2021-30641] [https://nvd.nist.gov/vuln/detail/CVE-2020-35452 CVE-2020-35452].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> November 22, 2021</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 20 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 20 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P20#Security_Fixes Patch 20]
was released on October 25, 2021. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1l to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-3711 CVE-2021-3711] [https://nvd.nist.gov/vuln/detail/CVE-2021-3712 CVE-2021-3712].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> October 25, 2021</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 27 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 27 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P27#Security_Fixes Patch 27]
was released on October 25, 2021. The release includes security fixes for:
<ul>
<li>Upgraded OpenSSL to 1.1.1l to avoid multiple vulnerabilities. [https://nvd.nist.gov/vuln/detail/CVE-2021-3711 CVE-2021-3711] [https://nvd.nist.gov/vuln/detail/CVE-2021-3712 CVE-2021-3712].</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> October 25, 2021</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 16 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 16 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P16#Security_Fixes Patch 16]
was released on July 28, 2021. The release includes security fixes for:
<ul>
<li>Proxy Servlet Open Redirect Vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2021-35209 CVE-2021-35209].</li>
<li>Open Redirect Vulnerability in preauth servlet [https://nvd.nist.gov/vuln/detail/CVE-2021-34807 CVE-2021-34807]</li>
<li>Stored XSS Vulnerability in ZmMailMsgView.java [https://nvd.nist.gov/vuln/detail/CVE-2021-35208 CVE-2021-35208]</li>
<li>XSS vulnerability in Zimbra Web Client via loginErrorCode [https://nvd.nist.gov/vuln/detail/CVE-2021-35207 CVE-2021-35207]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> July 28, 2021</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 10 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 10 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P10#Security_Fixes Patch 10]
was released on December 16, 2020. The release includes security fixes for:
<ul>
<li>Resolved XXE vulnerability ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) in the SAML consumer store extension (Network Edition) [https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> December 16, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 8.8.15 Patch 17 -->
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 17 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 8.8.15
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17#Security_Fixes Patch 17]
was released on December 16, 2020. The release includes security fixes for:
<ul>
<li>Resolved XXE vulnerability ([https://cwe.mitre.org/data/definitions/776.html CWE-776]) in the SAML consumer store extension (Network Edition) [https://nvd.nist.gov/vuln/detail/CVE-2020-35123 CVE-2020-35123]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> December 16, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 5 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 5 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P5#Security_Fixes Patch 5]
was released on July 27, 2020. The release includes security fixes for:
<ul>
<li>Upgraded TinyMCE to 5.4.0 to resolve an XSS vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2019-1010091 CVE-2019-1010091]</li>
<li>Upgraded the Node.js library [https://github.com/sindresorhus/mem mem] to 4.3.0 to resolve a memory leak [https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0236 WS-2018-0236]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> July 27, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
<!-- 9.0.0 Patch 4 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 4 and ZCS 8.8.15 Patch 11 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P4#Security_Fixes Patch 4] and
ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P11 Patch 11]
were released on July 2, 2020. The release includes security fixes for:
<ul>
<li>XSS Vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2020-13653 CVE-2020-13653]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> July 2, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
        <!-- 9.0.0 Patch 3 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 3 and ZCS 8.8.15 Patch 10 Released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS 9.0.0
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3#Security_Fixes Patch 3] and
ZCS 8.8.15 [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P10 Patch 10]
were released on June 3, 2020. The release includes security fixes for:
<ul>
<li>Potential upload of a dangerous file type in the upload servlet [https://nvd.nist.gov/vuln/detail/CVE-2020-12846 CVE-2020-12846]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> June 3, 2020</p>
                        </div>
                    </div>
                </div>
            </div>             
        <!-- 9.0.0 Patch 2 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 9.0.0 Patch 2 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P2#Security_Fixes Patch 2]
was released on May 4, 2020. The release includes security fixes for:
<ul>
<li>[https://nvd.nist.gov/vuln/detail/CVE-2020-11737 CVE-2020-11737], XSS through malicious JS embedded in a Mail Message or Calendar Event</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> May 4, 2020</p>
                        </div>
                    </div>
                </div>
            </div>         
          <!-- 8.8.15 P9 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 9 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P9#Security_Fixes Patch 9]
was released on April 23, 2020. The release includes security fixes for:
<ul>
<li>[https://nvd.nist.gov/vuln/detail/CVE-2020-1930 CVE-2020-1930], [https://nvd.nist.gov/vuln/detail/CVE-2020-1931 CVE-2020-1931] - Upgraded 3rd Party Apache SpamAssassin from version 3.4.1 to 3.4.4.</li>
<li>[https://nvd.nist.gov/vuln/detail/CVE-2020-3123 CVE-2020-3123] - Upgraded 3rd Party ClamAV from version 0.99.4 to 0.102.2.</li>
<li>[https://nvd.nist.gov/vuln/detail/CVE-2019-13565 CVE-2019-13565] - Upgraded 3rd Party OpenLDAP from version 2.4.46 to 2.4.49.</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> April 23, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
          <!-- 8.8.15 P8 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 8 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P8#Security_Fixes Patch 8]
was released on March 9, 2020. The release includes security fixes for:
<ul>
<li>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10194 CVE-2020-10194] - Any authenticated user could view a GAL contact from another domain on the same Zimbra installation. After this fix, the AutoCompleteGal request no longer allows access to GalSync accounts of other domains.</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> March 9, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
          <!-- 8.8.15 P7 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 7 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7#Security_Fixes Patch 7]
was released on Feb 10, 2020. The release includes security fixes for:
<ul>
<li> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8633 CVE-2020-8633] - Calendars whose share has been revoked are now removed from the Outlook (OLK) profile.</li>
<li> [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7796 CVE-2020-7796] - Potential SSRF if the WebEx zimlet is installed and zimlet JSP is enabled.</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Feb 10, 2020</p>
                        </div>
                    </div>
                </div>
            </div>
          <!-- 8.8.15 P2 -->
          <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 2 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P2#Security_Fixes Patch 2]
was released on September 30, 2019. The release includes security fixes for:
<ul>
<li>Upgraded ClamAV to 0.101.4 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12625 CVE-2019-12625] / [https://bugzilla.clamav.net/show_bug.cgi?id=12356 Bug 12356]</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> September 30, 2019</p>
                        </div>
                    </div>
                </div>
            </div>         
            <!-- 8.8.15 P1 -->
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.15 Patch 1 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P1 8.8.15 Patch 1]
was released on August 28, 2019. The release includes security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-12427 CVE-2019-12427] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109174 Bug 109174] - Non-Persistent XSS - admin console ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-15313 CVE-2019-15313] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109141 Bug 109141] - Non-Persistent XSS - web client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> September 6, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P11 8.7.11 Patch 11],
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P8 8.8.10 Patch 8] and
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P4 8.8.11 Patch 4]
were released on April 15, 2019. The releases include security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li>
</ul>
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],
adds one additional security fix (which is already included in earlier updates of the other releases mentioned above):
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])
</li>
</ul>
                            </p>
                            <p class="text-justify">
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1 ZCS 8.8.12 Patch 1] was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109117 Bug 109117] - Persistent XSS - Drive ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> April 15, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.12 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]
was released on April 1, 2019. The release includes security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li>
<li> Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4>
                        <div class="row">
                            <p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security.  In short:
<ul>
<li> ZCS 8.8 -  upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li>
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li>
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br />
      ↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li>
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li>
</ul>
                            </p>
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p>
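<p class="text-justify">To turn the upgrade table above into a check that can be run on each host, here is an added shell example; it is not part of the advisory and not Zimbra's own tooling. It parses the single line printed by <b>zmcontrol -v</b> and compares the patch number against the minimum listed above for that release line. The exact output format of zmcontrol -v is an assumption based on what 8.6 and 8.8 installs print, and the two sample lines in the comments are constructed. 8.8.12 is listed with a minimum of patch 0 because, as the 8.8.12 entry on this page notes, these fixes shipped in its initial release; release lines not in the table (for example 8.8.9 or 8.5) are reported as needing an upgrade rather than a patch.</p>

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a ZCS host is at or
# above the patch level the March 2019 XXE/SSRF advisory lists as fixed,
# using the one line printed by `zmcontrol -v`.
# Assumed output shapes (constructed samples, not captured from a real host):
#   Release 8.8.10.GA.3039.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.10_P7.
#   Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition.
# The ", Patch x_Pn" suffix is absent on unpatched installs and on 8.6, whose
# patches were applied manually, so a missing suffix is treated as patch 0.
set -eu

# Minimum patch per release line, per the advisory table. 8.8.12 carried the
# fixes in its GA release. Anything else is "none": upgrade, don't patch.
required_patch() {
  case "$1" in
    8.8.12) echo 0 ;;
    8.8.11) echo 3 ;;
    8.8.10) echo 7 ;;
    8.7.11) echo 10 ;;
    8.6.0)  echo 13 ;;
    *)      echo none ;;
  esac
}

# "major.minor.micro" from a zmcontrol -v line; empty if the line is not one.
release_of() {
  printf '%s\n' "$1" | sed -n 's/^Release \([0-9]*\.[0-9]*\.[0-9]*\)[._].*/\1/p'
}

# Patch number from the ", Patch x_Pn" suffix; 0 when there is no suffix.
patch_of() {
  p=$(printf '%s\n' "$1" | sed -n 's/.*Patch [0-9.]*_P\([0-9]*\).*/\1/p')
  echo "${p:-0}"
}

# Prints exactly one of: fixed, vulnerable, not-in-table, unparsed.
assess() {
  rel=$(release_of "$1")
  if [ -z "$rel" ]; then echo unparsed; return 0; fi
  need=$(required_patch "$rel")
  if [ "$need" = none ]; then echo not-in-table; return 0; fi
  if [ "$(patch_of "$1")" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# On a live host, run as the zimbra user:  sh zcs-xxe-check.sh live
if [ "${1:-}" = live ]; then
  assess "$(zmcontrol -v)"
fi
```

<p class="text-justify">The script name zcs-xxe-check.sh is hypothetical. "not-in-table" means the host is on a release line the advisory does not give a patch for, which per the advisory means upgrading to a supported line; "unparsed" means the zmcontrol -v output did not match the assumed shape and should be checked by eye. The table encodes only this advisory: later 8.8.x releases (8.8.13 and up) are not known to the script and will also be reported as not-in-table.</p>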
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br />
                                  <i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. Both releases include a fix for the following vulnerability (8.8.x versions are not affected):
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])
</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br />
                                  <i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4>
                        <div class="row">
                            <p class="text-justify"> ZCS
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]
were released on March 4, 2019. The releases include security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])
</li>
</ul>
                            </p>
                            <p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us.  His efforts are greatly appreciated!<br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br />
                                  <i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]
    was released February 1, 2019. The release includes security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])
</li>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])
</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]
                            and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]
    were released January 4, 2019. The releases include security fixes for:
<ul>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])
</li>
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul>
</li>
</ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.11 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]
    was released December 17, 2018. The release includes a fix for a non-persistent XSS, [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]).
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]
    was released November 6, 2018. The patch includes a fix for a persistent XSS, [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]).
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]
    were released October 29, 2018. Both patches include a fix for a persistent XSS, [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS, [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]
    were released October 17, 2018. They include a fix for a non-persistent XSS, [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.10 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]
    was released October 2, 2018. It includes a fix for a limited text content injection vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([https://cwe.mitre.org/data/definitions/345.html CWE-345]).
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.8 Patch9 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]
    was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]
    were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].
                            </p>
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]
    was released August 17, 2018. This includes fixes for 11 vulnerabilities.  See the release notes for details.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p>Updated:
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]
    were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]
    were released May 24, 2018. They include a fix for a XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]
    were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.7.11 Patch1 released</h4>
                        <div class="row">
                            <p class="text-justify">
                            [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]
    was released March 14, 2018. It includes fixes for three XSS vulnerabilities:
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.8.7 released</h4>
                        <div class="row">
                            <p class="text-justify">
    [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released March 8, 2018. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and for Mailsploit related issues, [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].
                            </p>
                            <p class="text-justify">
    Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZCS 8.6.0 Patch9 released</h4>
                        <div class="row">
                            <p class="text-justify">
    [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].
                            </p>
                            <p class="text-justify">
    If this patch cannot be applied, one workaround is to set zimbraPrefUseKeyboardShortcuts to FALSE for all users/classes of service. Note: this has the side effect of disabling all ZCS-controlled keyboard shortcuts, which may impact normal client interaction.
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">ZWC affected by Mailsploit</h4>
                        <div class="row">
                            <p class="text-justify">
    All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i>
                            </p>
                            <p class="text-justify">
    For administrators, the workaround that addresses most of the issues is to set zimbraPrefShortEmailAddress to FALSE for all users/classes of service. End users can control the same preference themselves under 'Preferences > Display names in place of email addresses when available' by deselecting that checkbox. This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].
                            </p>
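<p class="text-justify">The script below is an added example for this page, not Zimbra's code. It turns the "set the preference to FALSE for all users/classes-of-service" workaround (this Mailsploit post and the zimbraPrefUseKeyboardShortcuts workaround in the 8.6.0 Patch 9 post above) into a repeatable zmprov batch. It assumes the documented zmprov behaviour (gac lists classes of service, gaa lists accounts, mc/ma modify a COS/account, -f runs a batch file, -l uses LDAP directly) and that an attribute set explicitly on an account overrides the COS value, which is why both are touched; the script name prefs-off.sh and its mode names are invented for the example.</p>

```sh
#!/bin/sh
# Added example, not from the Zimbra page: build and run a zmprov batch that
# sets a preference to FALSE on every class of service AND every account.
# Both are needed because an attribute set explicitly on an account overrides
# the COS value, so fixing only the COS leaves users who ever toggled the
# preference themselves exposed. zmprov subcommands assumed: gac (list COS),
# gaa (list accounts), mc/ma (modify COS/account), -f FILE (run a batch).

# pref_batch VERB ATTR [ATTR...]: read one target name per line on stdin and
# emit one zmprov line per target that sets every ATTR to FALSE.
# Blank lines and '#' comments in the target list are ignored.
pref_batch() {
  verb=$1; shift
  args=''
  for attr in "$@"; do args="$args $attr FALSE"; done
  while IFS= read -r target; do
    case $target in ''|'#'*) continue ;; esac
    printf '%s %s%s\n' "$verb" "$target" "$args"
  done
}

# build_batch OUTFILE ATTR...: targets come from the live directory.
# 'zmprov -l' talks to LDAP directly, which is much faster than the
# default SOAP path for a full account listing.
build_batch() {
  out=$1; shift
  {
    zmprov -l gac | pref_batch mc "$@"
    zmprov -l gaa | pref_batch ma "$@"
  } > "$out"
}

# run_batch ATTR...: generate the batch, report its size, apply it.
run_batch() {
  batch=$(mktemp) || return 1
  build_batch "$batch" "$@"
  printf 'applying %s zmprov commands\n' "$(grep -c '' "$batch")"
  zmprov -f "$batch"
  rm -f "$batch"
}

# Usage (as the zimbra user):
#   sh prefs-off.sh mailsploit   # zimbraPrefShortEmailAddress -> FALSE
#   sh prefs-off.sh shortcuts    # zimbraPrefUseKeyboardShortcuts -> FALSE
#                                # (only while the XSS patch is not applied)
case "${1:-}" in
  mailsploit) run_batch zimbraPrefShortEmailAddress ;;
  shortcuts)  run_batch zimbraPrefUseKeyboardShortcuts ;;
esac
```

<p class="text-justify">Run build_batch on its own first and read the generated file: on a large deployment it is one line per account, and that review is the moment to spot service accounts or resources you do not want touched. The account-level pass does not lock the preference; a user can still re-enable it in Preferences, so the COS pass is what keeps new accounts safe and the account pass only clears explicit overrides that already exist.</p>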
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                            <p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4>
                        <div class="row">
                            <p class="text-justify">
    The following vulnerabilities were fixed in ZCS 8.7.10:
    <ul>
    <li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li>
    <li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li>
    </ul>
                            </p>
                            <p class="text-justify">
                            Thank you to Stephan Kaag of Securify for reporting bug 107878!
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4>
                        <div class="row">
                            <p class="text-justify">
    The following vulnerabilities were fixed in ZCS 8.7.6:
    <ul>
    <li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li>
    <li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li>
    </ul>
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4>
                        <div class="row">
                            <p class="text-justify">
    A fix for a limited-capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.
                            </p>
                            <p class="text-justify">
                            A special thanks to Alastair Gray for taking the time to report this issue!
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4>
                        <div class="row">
                            <p class="text-justify">
    The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.
                            </p>
                            <p class="text-justify">
    Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].
                            </p>
                            <p class="text-justify">
                            Thank you to Sysdream for your assistance and cooperation!
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">Ransomware targeting ZCS Servers</h4>
                        <div class="row">
                            <p class="text-justify">
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.
                            </p>
                            <p class="text-justify">
    At this point, no details have been provided about how any servers were compromised.  Without any details, the best advice we can give is:
                            </p>
    <ul>
    <li>Get (and stay) up to date on OS version and patches.</li>
    <li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li>
    <li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li>
    <li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li>
    </ul>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>
            <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
                <div class="panel panel-default">
                    <div class="panel-body">
                        <h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4>
                        <div class="row">
                            <p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).
                            <br />
                            </p>
                            <p class="text-justify">
                            We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].
                            <br />
                            </p>
                            <p class="text-justify">First, test that you are vulnerable with the following tool:<br />
                            https://filippo.io/CVE-2016-2107/
                            <br />
    </p>
    <ul>
    <li>Edit /opt/zimbra/.bash_profile
      - add the following to the end of user zimbra's .bash_profile (requires root privileges):
      <br />
      <code>
      # workaround CVE-2016-2107<br />
      export OPENSSL_ia32cap="~0x200000200000000"
      </code>
    </li>
    <li>Edit sudoers - add the following line to your sudoers file (/etc/sudoers or whatever is appropriate for your platform; use visudo so that a syntax error cannot lock sudo out):
      <br />
      <code>
      Defaults env_keep += "OPENSSL_ia32cap"
      </code>
    </li>
    <li>Configure postfix - instructs postfix to honor the desired environment variable:
      <br />
      <code>
      $ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
      </code>
      <br />
    </li>
    </ul>
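<p class="text-justify">The script below is an added example for this page, not Zimbra's code. It applies the three steps above idempotently and checks the result. It assumes the meaning of the mask value (the leading ~ tells OpenSSL to clear the listed CPUID capability bits: bit 57 is AES-NI and bit 33 is PCLMULQDQ, so the AES-NI CBC path that carries the padding oracle is never selected), takes the two file paths as parameters so it can be tried on copies first, and runs the zmlocalconfig step only where that command exists. The script name cve-2016-2107-workaround.sh is invented.</p>

```sh
#!/bin/sh
# Added example, not from the Zimbra page: applies the three-step
# CVE-2016-2107 workaround above idempotently and verifies it.
# File paths are parameters so the functions can be exercised on copies;
# the production targets are /opt/zimbra/.bash_profile and the sudoers
# file (checked with visudo before use).

# Mask from the advisory. The leading '~' tells OpenSSL to CLEAR these
# CPUID capability bits: bit 57 (CPUID.1:ECX bit 25, AES-NI) and bit 33
# (CPUID.1:ECX bit 1, PCLMULQDQ), so the non-AES-NI CBC code path is used.
MASK='~0x200000200000000'
PROFILE_COMMENT='# workaround CVE-2016-2107'
PROFILE_LINE="export OPENSSL_ia32cap=\"$MASK\""
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# append_once FILE LINE: append LINE unless an identical line already exists,
# so re-running the script never duplicates the entries.
append_once() {
  file=$1; line=$2
  [ -f "$file" ] || : > "$file"
  grep -qxF -- "$line" "$file" && return 0
  printf '%s\n' "$line" >> "$file"
}

# apply_workaround PROFILE SUDOERS: steps 1 and 2 from the advisory; step 3
# (postfix_import_environment) only runs where the Zimbra tooling exists.
apply_workaround() {
  profile=$1; sudoers=$2
  append_once "$profile" "$PROFILE_COMMENT"
  append_once "$profile" "$PROFILE_LINE"
  append_once "$sudoers" "$SUDOERS_LINE"
  if command -v zmlocalconfig >/dev/null 2>&1; then
    zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
  fi
}

# check_workaround PROFILE SUDOERS: succeed only if each line is present
# exactly once (a second copy means something else is editing these files).
check_workaround() {
  profile=$1; sudoers=$2
  [ "$(grep -cxF -- "$PROFILE_LINE" "$profile")" -eq 1 ] || return 1
  [ "$(grep -cxF -- "$SUDOERS_LINE" "$sudoers")" -eq 1 ] || return 1
}

# mask_is_active: run from a fresh zimbra login shell to confirm the
# variable actually reached the environment; postfix and nginx only
# inherit it if the process that starts them had it.
mask_is_active() {
  [ "${OPENSSL_ia32cap:-}" = "$MASK" ]
}

# Usage (as root): sh cve-2016-2107-workaround.sh apply [SUDOERS_FILE]
if [ "${1:-}" = apply ]; then
  sudoers_file=${2:-/etc/sudoers}
  apply_workaround /opt/zimbra/.bash_profile "$sudoers_file"
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$sudoers_file" || exit 1      # never leave a broken sudoers behind
  fi
  check_workaround /opt/zimbra/.bash_profile "$sudoers_file" && echo 'workaround in place'
fi
```

<p class="text-justify">After applying it, open a fresh zimbra login shell (<code>su - zimbra</code>), confirm with <code>echo $OPENSSL_ia32cap</code> that the mask is present, and only then run <code>zmcontrol restart</code>; services restarted from a shell that was opened before the change keep running the AES-NI path. The mask disables AES-NI for everything launched from that shell, which costs throughput, so remove the lines once the bundled OpenSSL is 1.0.1t / 1.0.2h or later, the upstream releases that fix CVE-2016-2107.</p>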
                            <p class="text-justify">
                            A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround!  Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.
                            <br />
                            </p>
                        </div>
                    </div>
                    <div class="col-md-12">
                        <div class="panel-footer" align="right">
                            <p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p>
                        </div>
                    </div>
                </div>
            </div>


             <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
             <div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px">
Line 223: Line 2,127:
                             </ul>
                             </ul>
                             <p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p>
                             <p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p>
                             <p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference:<span class="Apple-converted-space">&nbsp;</span>[https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html">https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html]]. Please upgrade to a newer version first, then run this patch.</p>
                             <p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p>
                             <p>Zimbra has produced a patch for OpenSSL vulnerabily for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p>
                             <p>Zimbra has produced a patch for OpenSSL vulnerabily for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p>
                             <ul class="org-ul">
                             <ul class="org-ul">
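Review bot: "vulnerabily" in the unchanged context line "Zimbra has produced a patch for OpenSSL vulnerabily for versions 8.0.3 to 8.0.7" is a typo on both sides of this hunk; since the edit already reworks the paragraph just above it, fix it in the same change ("a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7"). The link repair itself is correct: the old text carried a stray `">` inside the wikilink, which is what broke the rendering.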
Line 274: Line 2,178:
                         <h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4>
                         <h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4>
                         <div class="row">
                         <div class="row">
                             <p class="text-justify" style="padding-top:5px"><h3>Overview</h3>
                             <p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p>
                             <p>Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p>
                             <p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p>
                             <ul>
                             <ul>
                                 <li>http://heartbleed.com</li>
                                 <li>http://heartbleed.com</li>
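Review bot: replacing the h3 heading nested inside the paragraph with a strong element and closing the paragraph is the right fix, since block headings are not allowed inside a p element and browsers silently close the paragraph there. While here, the reference list in the unchanged context links http://heartbleed.com over plain http; link https://heartbleed.com so readers of a security advisory are not sent to an unauthenticated copy.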
Line 281: Line 2,185:
                                 <li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li>
                                 <li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li>
                             </ul>
                             </ul>
                             <p>Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference:  https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html, so you would please need to upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p>
                             <p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference:  https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so you would please need to upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p>
                             <ul>
                             <ul>
                                 <li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li>
                                 <li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li>
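Review bot: "so you would please need to upgrade to a secure version first" survives the edit and still reads awkwardly; suggest "so you must upgrade to a secure version first, then run this patch". More importantly, the patch script in the unchanged context is linked as http://files.zimbra.com/downloads/security/zmopenssl-updater.sh: a script that replaces the TLS library and is executed as root should be offered over https, with its checksum published in the advisory so administrators can verify the download before running it.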
Line 393: Line 2,297:
                                 <li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li>
                                 <li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li>
                             </ul>
                             </ul>
                             <p>Bug 84547 is a newer Critical Security Vulnerability (Dec 2013) that has not had further details released (in order to protect other customers):</p>
                             <p>Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p>
                             <ul>
                             <ul>
                                 <li>Bug 84547: Critical Security Vulnerability</li>
                                 <li>Bug 84547: XXE (CWE-611)</li>
                                 <li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li>
                                 <li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li>
                                 <li>Affected Versions: 7.2.5 and 8.0.5 and all previous releases (except 7.1.4, 7.2.0, 7.2.0 Patch 1, and 7.2.1, which are not susceptible to Bug 84547)</li>
                                 <li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li>
                             </ul>
                             </ul>
                             <p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p>
                             <p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p>
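Review bot: the new "Affected Versions" wording ("releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series") drops the exception the old line carried (7.1.4, 7.2.0, 7.2.0 Patch 1 and 7.2.1 not susceptible to Bug 84547). If that exception still holds, the new sentence now wrongly lists those releases as affected; either keep the exception or state explicitly that it no longer applies. Also, the CVE link uses the retired web.nvd.nist.gov/view/vuln/detail?vulnId= form while the rest of the page links https://nvd.nist.gov/vuln/detail/CVE-...; use the current form here too.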
Line 449: Line 2,353:
         <div class="panel-body">
         <div class="panel-body">
             <p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p>
             <p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p>
             <p>Go to our '''[[Security_Center|Zimbra Collaboration Security Center]]''' to stay updated on all Security-related news.</p>
             <p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p>
             <p>
             <p>
             <ul class="list-inline">
             <ul class="list-inline">
Line 458: Line 2,362:
             <li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li>
             <li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li>
             <li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li>
             <li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li>
            <li>[[Secopstips|<i class="fa fa-shield fa-flip-horizontal"></i> Secopstips]]</li>
            <li>[[Cipher_suites|<i class="fa fa-shield fa-flip-horizontal"></i> Strong TLS configuration]]</li>
             </ul>
             </ul>
             </p>
             </p>
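Review bot: the list-inline ul that this hunk extends is opened inside a bare p element in the previous hunk and closed with a stray closing p tag here, which is invalid HTML (a ul implicitly closes the paragraph). Since both hunks touch the surrounding lines, drop the p wrapper around the list in the same edit. The new entry is also labelled "Secopstips", which is the page name rather than a readable title; the sibling entries use descriptive labels, so prefer [[Secopstips|Security operations tips]] or similar. The "Strong TLS configuration" link to [[Cipher_suites]] is a good addition to an advisory page.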

Latest revision as of 09:16, 18 December 2023


Zimbra Security - News & Alerts

How to stay informed about security announcements?

You could manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

And/or subscribe to these RSS feeds (you can use the Zimbra Classic UI or another feed reader such as r2e on Linux):

And subscribe to the Zeta Alliance mailing lists: https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org

ZCS 10.0.6 Released

ZCS 10.0.6 was released on Mon Dec 18 2023. The release includes security fixes for:

  • OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
  • Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
  • Certbot now generates ECDSA secp256r1 (P-256) private keys by default for all new certificates, and Zimbra now supports ECDSA secp256r1 (P-256) keys in new certificates. TBD
  • The Modern UI was vulnerable to DOM-based JavaScript injection; this has been fixed. TBD

ZCS 9.0.0 Patch 38 Released

ZCS 9.0.0 Patch 38 was released on Mon Dec 18 2023. The release includes security fixes for:

  • OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
  • Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
  • Certbot now generates ECDSA secp256r1 (P-256) private keys by default for all new certificates, and Zimbra now supports ECDSA secp256r1 (P-256) keys in new certificates. TBD
  • The Modern UI was vulnerable to DOM-based JavaScript injection; this has been fixed. TBD

ZCS 8.8.15 Patch 45 Released

ZCS 8.8.15 Patch 45 was released on Mon Dec 18 2023. The release includes security fixes for:

  • OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
  • Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
  • Certbot now generates ECDSA secp256r1 (P-256) private keys by default for all new certificates, and Zimbra now supports ECDSA secp256r1 (P-256) keys in new certificates. TBD

ZCS 10.0.5 Released

ZCS 10.0.5 was released on Thu Oct 19 2023. The release includes security fixes for:

  • A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
  • A security-related issue has been fixed in one of the third-party libraries used by the Admin User Interface. CVE-2020-7746
  • An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. CVE-2023-45207
  • Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package is now optional; help documentation is instead served from https://www.zimbra.com/documentation/. CVE-2023-45206

ZCS 9.0.0 Patch 37 Released

ZCS 9.0.0 Patch 37 was released on Thu Oct 19 2023. The release includes security fixes for:

  • A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
  • A security-related issue has been fixed in one of the third-party libraries used by the Admin User Interface. CVE-2020-7746
  • An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. CVE-2023-45207
  • Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package is now optional; help documentation is instead served from https://www.zimbra.com/documentation/. CVE-2023-45206

ZCS 8.8.15 Patch 44 Released

ZCS 8.8.15 Patch 44 was released on Thu Oct 19 2023. The release includes security fixes for:

  • A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
  • A security-related issue has been fixed in one of the third-party libraries used by the Admin User Interface. CVE-2020-7746
  • An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded to Briefcase. CVE-2023-45207
  • Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package is now optional; help documentation is instead served from https://www.zimbra.com/documentation/. CVE-2023-45206


ZCS 10.0.4 Released

ZCS 10.0.4 was released on Wed Sep 13 2023. The release includes security fixes for:

  • XSS on one of the web endpoints via an unsanitised input parameter. CVE-2023-43103
  • An attacker could gain access to a logged-in user's mailbox through XSS. CVE-2023-43102

ZCS 9.0.0 Patch 36 Released

ZCS 9.0.0 Patch 36 was released on Wed Sep 13 2023. The release includes security fixes for:

  • XSS on one of the web endpoints via an unsanitised input parameter. CVE-2023-43103
  • An attacker could gain access to a logged-in user's mailbox through XSS. CVE-2023-43102

ZCS 8.8.15 Patch 43 Released

ZCS 8.8.15 Patch 43 was released on Wed Sep 13 2023. The release includes security fixes for:

  • XSS on one of the web endpoints via an unsanitised input parameter. CVE-2023-43103
  • An attacker could gain access to a logged-in user's mailbox through XSS. CVE-2023-43102

ZCS 10.0.3 Released

ZCS 10.0.3 was released on Wed Aug 23 2023. The release includes security fixes for:

  • A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. CVE-2023-41106

ZCS 9.0.0 Patch 35 Released

ZCS 9.0.0 Patch 35 was released on Wed Aug 23 2023. The release includes security fixes for:

  • A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. CVE-2023-41106

ZCS 8.8.15 Patch 42 Released

ZCS 8.8.15 Patch 42 was released on Wed Aug 23 2023. The release includes security fixes for:

  • A bug that could allow an unauthenticated attacker to gain access to a Zimbra account has been fixed. CVE-2023-41106

ZCS 10.0.2 Released

ZCS 10.0.2 was released on Wed Jul 26 2023. The release includes security fixes for:

  • The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
  • The Amavis package has been upgraded to version 2.13.0. TBD
  • A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750

ZCS 9.0.0 Patch 34 Released

ZCS 9.0.0 Patch 34 was released on Wed Jul 26 2023. The release includes security fixes for:

  • The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
  • The Amavis package has been upgraded to version 2.13.0. TBD
  • A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750

ZCS 8.8.15 Patch 41 Released

ZCS 8.8.15 Patch 41 was released on Wed Jul 26 2023. The release includes security fixes for:

  • A cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client has been addressed. CVE-2023-37580
  • The OpenSSL package has been upgraded to fix a security issue in the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
  • The Amavis package has been upgraded to version 2.13.0. TBD
  • A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750

Daffodil 10.0.1 Released

Daffodil 10.0.1 was released on Tue May 30 2023. The release includes security fixes for:

  • As part of continuous improvement, the ClientUploader packages have been removed from the core product and moved to an optional package. CVE-2023-34193
  • The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
  • Removed an unused JSP file that could bypass PreAuth verification. CVE-2023-29382
  • The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
  • The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
  • Added additional validations for 2FA login. CVE-2023-29381

ZCS 9.0.0 Patch 33 Released

ZCS 9.0.0 Patch 33 was released on Tue May 30 2023. The release includes security fixes for:

  • As part of continuous improvement, the ClientUploader packages have been removed from the core product and moved to an optional package. CVE-2023-34193
  • The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
  • Removed an unused JSP file that could bypass PreAuth verification. CVE-2023-29382
  • The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
  • The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
  • Added additional validations for 2FA login. CVE-2023-29381

ZCS 8.8.15 Patch 40 Released

ZCS 8.8.15 Patch 40 was released on Tue May 30 2023. The release includes security fixes for:

  • A possible cross-site scripting (XSS) vulnerability has been fixed. CVE-2023-34192
  • As part of continuous improvement, the ClientUploader packages have been removed from the core product and moved to an optional package. CVE-2023-34193
  • The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
  • Removed an unused JSP file that could bypass PreAuth verification. CVE-2023-29382
  • The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
  • The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
  • Added additional validations for 2FA login. CVE-2023-29381

ZCS 9.0.0 Patch 31 Released

ZCS 9.0.0 Patch 31 was released on March 2, 2023. The release includes security fixes for:

  • The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. CVE-2023-20032

ZCS 8.8.15 Patch 38 Released

ZCS 8.8.15 Patch 38 was released on March 2, 2023. The release includes security fixes for:

  • The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. CVE-2023-20032

ZCS 9.0.0 Patch 30 Released

ZCS 9.0.0 Patch 30 was released on February 21, 2023. The release includes security fixes for:

  • Multiple reflected XSS (RXSS) issues related to printing messages and appointments have been fixed. CVE-2023-24031
  • The OpenSSL package has been upgraded (Zimbra package build 8.7b4; that number is the Zimbra package build, not an upstream OpenSSL release number) to fix multiple vulnerabilities. CVE-2023-0286
  • The PreAuth servlet now redirects only to the admin-configured URL, which prevents open-redirect vulnerabilities. CVE-2023-24030
  • Previously, the account status was not validated when sending email with 2FA. Additional validation now checks the account status before allowing email operations. CVE-2023-26562
  • Hardened the mailbox manager by disallowing the use of some JVM arguments. CVE-2023-24032
  • The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. CVE-2018-25032

ZCS 8.8.15 Patch 37 Released

ZCS 8.8.15 Patch 37 was released on February 21, 2023. The release includes security fixes for:

  • The OpenSSL package has been upgraded (Zimbra package build 8.7b4; that number is the Zimbra package build, not an upstream OpenSSL release number) to fix multiple vulnerabilities. CVE-2023-0286
  • The PreAuth servlet now redirects only to the admin-configured URL, which prevents open-redirect vulnerabilities. CVE-2023-24030
  • Previously, the account status was not validated when sending email with 2FA. Additional validation now checks the account status before allowing email operations. CVE-2023-26562
  • Hardened the mailbox manager by disallowing the use of some JVM arguments. CVE-2023-24032
  • The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. CVE-2018-25032

ZCS 9.0.0 Patch 28 Released

ZCS 9.0.0 Patch 28 was released on November 21, 2022. The release includes security fixes for:

  • XSS can occur in the Classic UI login page by injecting arbitrary JavaScript code. CVE-2022-45911
  • RCE through ClientUploader by an authenticated admin user. CVE-2022-45912
  • XSS can occur via one of the attributes in webmail URLs, leading to information disclosure. CVE-2022-45913
  • The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377
  • The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770 CVE-2022-20771
  • The YUI dependency has been removed from the Web Client and Admin Console.

ZCS 8.8.15 Patch 35 Released

ZCS 8.8.15 Patch 35 was released on November 21, 2022. The release includes security fixes for:

  • RCE through ClientUploader by an authenticated admin user. CVE-2022-45912
  • XSS can occur via one of the attributes in webmail URLs, leading to information disclosure. CVE-2022-45913
  • The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377
  • The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770 CVE-2022-20771

ZCS 9.0.0 Patch 27 Released

ZCS 9.0.0 Patch 27 was released on October 11, 2022. The release includes security fixes for:

  • An attacker can abuse the cpio package (used by Amavis to unpack archives) to gain access to other user accounts; Zimbra recommends installing pax so that Amavis uses it instead of cpio. CVE-2022-41352
  • Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393
  • XSS can occur via an attribute of an IMG element, leading to information disclosure. CVE-2022-41348

ZCS 8.8.15 Patch 34 Released

ZCS 8.8.15 Patch 34 was released on October 11, 2022. The release includes security fixes for:

  • An attacker can abuse the cpio package (used by Amavis to unpack archives) to gain access to other user accounts; Zimbra recommends installing pax so that Amavis uses it instead of cpio. CVE-2022-41352
  • Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393
  • XSS can occur via one of the attributes in the search component of webmail, leading to information disclosure. CVE-2022-41350
  • XSS can occur via one of the attributes in the compose component of webmail, leading to information disclosure. CVE-2022-41349
  • XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure. CVE-2022-41351

ZCS 9.0.0 Patch 26 Released

ZCS 9.0.0 Patch 26 was released on July 28, 2022. The release includes security fixes for:

  • Upgraded OpenSSL to 1.1.1q to fix multiple vulnerabilities. CVE-2022-2068
  • Authentication bypass in MailboxImportServlet. CVE-2022-37042
  • Proxy Servlet SSRF vulnerability. CVE-2022-37041
  • The Cyrus SASL package has been upgraded to version 2.1.28. CVE-2022-24407
  • When using preauth, CSRF tokens are not checked on some POST endpoints. CVE-2022-37043

ZCS 8.8.15 Patch 33 Released

ZCS 8.8.15 Patch 33 was released on July 28, 2022. The release includes security fixes for:

ZCS 9.0.0 Patch 25 Released

ZCS 9.0.0 Patch 25 was released on June 14, 2022. The release includes security fixes for:

  • Upgraded OpenSSL to 1.1.1n to fix a DoS vulnerability. CVE-2022-0778
  • Upgraded Jetty to 9.4.46 to fix a vulnerability where large TLS packets cause 100% CPU usage. CVE-2021-28165
  • Upgraded mina-core to version 2.1.6. CVE-2019-0231
  • Fixed an issue in the Zimbra Classic Web App where attachment data was displayed without input sanitization. [CVE - TBD]

ZCS 8.8.15 Patch 32 Released

ZCS 8.8.15 Patch 32 was released on June 14, 2022. The release includes security fixes for:

  • Upgraded OpenSSL to 1.1.1n to fix a DoS vulnerability. CVE-2022-0778
  • Upgraded Jetty to 9.4.46 to fix a vulnerability where large TLS packets cause 100% CPU usage. CVE-2021-28165
  • Upgraded mina-core to version 2.1.6. CVE-2019-0231
  • Fixed an issue in the Zimbra Classic Web App where attachment data was displayed without input sanitization. [CVE - TBD]

ZCS 9.0.0 Patch 24.1 Released

ZCS 9.0.0 Patch 24.1 was released on May 10, 2022. The release includes security fixes for:

ZCS 8.8.15 Patch 31.1 Released

ZCS 8.8.15 Patch 31.1 was released on May 10, 2022. The release includes security fixes for:

ZCS 9.0.0 Patch 24 Released

ZCS 9.0.0 Patch 24 was released on March 30, 2022. The release includes security fixes for:


Spring4Shell security hotfix was released in Patch 24 on April 21, 2022:

ZCS 8.8.15 Patch 31 Released

ZCS 8.8.15 Patch 31 was released on March 30, 2022. The release includes security fixes for:

ZCS 8.8.15 Patch 30 Security Hotfix Released

A Security Hotfix for ZCS 8.8.15 Patch 30 was released on February 05, 2022. The hotfix release includes security fix for:

ZCS 9.0.0 Patch 21 Released

ZCS 9.0.0 Patch 21 was released on November 22, 2021. The release includes security fixes for:

ZCS 8.8.15 Patch 28 Released

ZCS 8.8.15 Patch 28 was released on November 22, 2021. The release includes security fixes for:

ZCS 9.0.0 Patch 20 Released

ZCS 9.0.0 Patch 20 was released on October 25, 2021. The release includes security fixes for:

ZCS 8.8.15 Patch 27 Released

ZCS 8.8.15 Patch 27 was released on October 25, 2021. The release includes security fixes for:

ZCS 9.0.0 Patch 16 Released

ZCS 9.0.0 Patch 16 was released on July 28, 2021. The release includes security fixes for:

ZCS 9.0.0 Patch 10 Released

ZCS 9.0.0 Patch 10 was released on December 16, 2020. The release includes security fixes for:

ZCS 8.8.15 Patch 17 Released

ZCS 8.8.15 Patch 17 was released on December 16, 2020. The release includes security fixes for:

ZCS 9.0.0 Patch 5 Released

ZCS 9.0.0 Patch 5 was released on July 27, 2020. The release includes security fixes for:

ZCS 9.0.0 Patch 4 and ZCS 8.8.15 Patch 11 Released

ZCS 9.0.0 Patch 4 and ZCS 8.8.15 Patch 11 were released on July 2, 2020. The release includes security fixes for:

ZCS 9.0.0 Patch 3 and ZCS 8.8.15 Patch 10 Released

ZCS 9.0.0 Patch 3 and ZCS 8.8.15 Patch 10 were released on June 3, 2020. The release includes security fixes for:

  • Potential upload of dangerous file type in upload servlet CVE-2020-12846

ZCS 9.0.0 Patch 2 released

ZCS 9.0.0 Patch 2 was released on May 4, 2020. The release includes security fixes for:

  • CVE-2020-1931 - XSS through malicious JavaScript embedded in a mail message or calendar event.

ZCS 8.8.15 Patch 9 released

ZCS 8.8.15 Patch 9 was released on April 23, 2020. The release includes security fixes for:

ZCS 8.8.15 Patch 8 released

ZCS 8.8.15 Patch 8 was released on March 9, 2020. The release includes security fixes for:

  • CVE-2020-10194 - any authenticated user could view a GAL contact from another domain on the same Zimbra installation. After this fix, AutoCompleteGal request does not allow access to GalSync accounts of other domains.

ZCS 8.8.15 Patch 7 released

ZCS 8.8.15 Patch 7 was released on Feb 10, 2020. The release includes security fixes for:

  • CVE-2020-8633 - Revoked shared calendars are now removed from the Outlook (OLK) profile.
  • CVE-2020-7796 - Potential SSRF if the WebEx zimlet is installed and zimlet JSP is enabled.

ZCS 8.8.15 Patch 2 released

ZCS 8.8.15 Patch 2 was released on September 30, 2019. The release includes security fixes for:

ZCS 8.8.15 Patch 1 released

ZCS 8.8.15 Patch 1 was released on August 28, 2019. The release includes security fixes for:

ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released

ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8 and 8.8.11 Patch 4 were released on April 15, 2019. The releases include security fixes for:

8.8.9 Patch 10 adds one additional security fix (already included in earlier updates of the other releases mentioned above):

ZCS 8.8.12 Patch 1 was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:

ZCS 8.8.12 released

ZCS 8.8.12 was released on April 1, 2019. The release includes security fixes for:

Recent Zimbra XXE / SSRF Vulnerability Disclosures

We published a blog post regarding recent Zimbra XXE / SSRF vulnerabilities disclosed by An Phuoc Trinh, of Viettel Cyber Security. In short:

  • ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
  • ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10
  • ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13
    ↳ Please plan to upgrade to a supported version as other security fixes have not been backported.
  • ZCS earlier versions - upgrade to a supported version as soon as possible!

See the blog post for a few additional details: Recent Zimbra XXE / SSRF Vulnerability Disclosure.

ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released

ZCS 8.7.11 Patch 10 was released on March 18, 2019 and 8.6.0 Patch 13 was released on March 19, 2019. The releases include security fixes for the following (8.8.x versions are not affected by this vulnerability):

ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released

ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 were released on March 4, 2019. The releases include security fixes for:

A special thanks to An Phuoc Trinh, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!
Please note, the rating has been upgraded to "major" as the original scoring did not cover all potential available attack vectors.

ZCS 8.7.11 Patch 8 released

ZCS 8.7.11 Patch 8 was released February 1, 2019. The release includes security fixes for:

ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released

ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1 were released January 4, 2019. The releases include security fixes for:

ZCS 8.8.11 released

ZCS 8.8.11 was released December 17, 2018. The release includes a fix for a non-persistent XSS CVE-2018-14013 / bug 109017 (CWE 79).

ZCS 8.8.9 Patch 7 released

ZCS 8.8.9 P7 was released November 6, 2018. The patch includes a fix for a persistent XSS CVE-2018-18631 / bug 109020 (CWE 79).

ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released

ZCS 8.8.10 P2 and ZCS 8.7.11 P7 were released October 29, 2018. Both patches include a fix for a persistent XSS CVE-2018-18631 / bug 109020 (CWE 79). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS CVE-2018-14013 / bug 109018 (CWE 79). Please note, there is a second non-persistent XSS (bug 109017), also part of CVE-2018-14013, which is not fixed in this patch set.

ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released

ZCS 8.8.10 P1 and ZCS 8.8.9 P6 were released October 17, 2018. They include a fix for a non-persistent XSS CVE-2018-14013 / bug 109018 (CWE 79). Please note, there is a second non-persistent XSS (bug 109017), also part of CVE-2018-14013, which is not fixed in this patch set.

ZCS 8.8.10 released

ZCS 8.8.10 was released October 2, 2018. It includes a fix for a limited text content injection vulnerability CVE-2018-17938 / bug 109021 (CWE 345).

ZCS 8.8.8 Patch9 released

ZCS 8.8.8 Patch9 was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, CVE-2018-15131 / bug 109012.

ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released

ZCS 8.8.9 Patch3 and ZCS 8.7.11 Patch6 were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, CVE-2018-15131 / bug 109012.

ZCS 8.6.0 Patch11 was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.

ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released

ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, CVE-2018-14425 / bug 108970.

ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released

ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 were released May 24, 2018. They include a fix for a XSS vulnerability, CVE-2018-10939 / bug 108902.

ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released

ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 were released April 12, 2018. They include a fix for a CSRF vulnerability, CVE-2015-7610 / bug 97579.

ZCS 8.7.11 Patch1 released

ZCS 8.7.11 Patch1 was released March 14, 2018. This includes fixes for three XSS vulnerabilities, CVE-2017-17703 / bug 108265, CVE-2017-8802 / bug 107925, and CVE-2018-6882 / bug 108786.

ZCS 8.8.7 released

ZCS 8.8.7 was released today. It includes fixes for a Persistent XSS vulnerability, CVE-2018-6882 / bug 108768 and Mailsploit related issues / bug 108709.

Note: We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.

ZCS 8.6.0 Patch9 released

ZCS 8.6.0 Patch 9 was released today and includes fixes for two Persistent XSS vulnerabilities, CVE-2017-8802 / bug 107925 and CVE-2017-17703 / bug 108265.

If this patch is not applied, one potential workaround is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: this disables all ZCS-controlled keyboard shortcuts, which may impact normal user interaction with the client.

ZWC affected by Mailsploit

All supported versions of Zimbra Web Client (ZWC) prior to 8.8.7 are affected by Mailsploit. We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.

The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as bug 108709.
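
Both attribute workarounds on this page (zimbraPrefUseKeyboardShortcuts=FALSE above, for the 8.6.0 Patch9 XSS bugs, and zimbraPrefShortEmailAddress=FALSE here, for Mailsploit) have to be applied to every class of service and, because an account-level value overrides the account's COS, to every account as well; changing the COS alone leaves any user who ever toggled the preference still exposed. The script below is an added example written for this page, not a Zimbra-supplied tool. It assumes zmprov at /opt/zimbra/bin/zmprov with the standard gac/mc/gaa/ma subcommands, and ZMPROV is overridable so the loop can be rehearsed against a stand-in command before it touches the directory.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): push one zimbraPref* value to every
# class of service and then to every account. Run as the zimbra user.
# ZMPROV is overridable so the loop can be dry-run against a stand-in command.
ZMPROV="${ZMPROV:-/opt/zimbra/bin/zmprov}"

# Refuse anything outside the zimbraPref* family, and anything but TRUE/FALSE,
# so a typo cannot rewrite an unrelated attribute on every object in LDAP.
validate_pref() {
    case "$1" in
        zimbraPref*) ;;
        *) echo "refusing non-preference attribute: $1" >&2; return 1 ;;
    esac
    case "$2" in
        TRUE|FALSE) ;;
        *) echo "value must be TRUE or FALSE, got: $2" >&2; return 1 ;;
    esac
}

# Set the preference on every COS, then on every account (account values
# override COS values, so both are needed). Prints the number of objects
# modified; failures are reported on stderr and the loop continues.
set_pref_everywhere() {
    attr="$1"; value="$2"
    validate_pref "$attr" "$value" || return 1
    count=0
    for cos in $("$ZMPROV" gac); do                 # getAllCos
        "$ZMPROV" mc "$cos" "$attr" "$value" && count=$((count + 1)) \
            || echo "failed: cos $cos" >&2
    done
    for acct in $("$ZMPROV" -l gaa); do             # getAllAccounts via LDAP
        "$ZMPROV" ma "$acct" "$attr" "$value" && count=$((count + 1)) \
            || echo "failed: account $acct" >&2
    done
    echo "$count"
}

# Usage (as zimbra):  set_pref_everywhere zimbraPrefShortEmailAddress FALSE
```

Run it during a maintenance window: `zmprov -l gaa` enumerates every account in the directory, so on a large deployment the second loop is the slow part. The end-user checkbox described above writes the same account-level attribute, which is exactly why the account loop cannot be skipped.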

8.7.10 Released with a fix for one vulnerability

The following vulnerabilities were fixed in ZCS 8.7.10:

  • bug 107878 CVE-2017-8783 Persistent XSS - location CWE-79
    Affects: All supported versions before 8.7.10
  • bug 107885 CVE-2017-8783 Persistent XSS - description CWE-79
    Affects: All supported versions before 8.7.10

Thank you to Stephan Kaag of Securify for reporting bug 107878!

8.7.6 Released with fixes for two vulnerabilities

The following vulnerabilities were fixed in ZCS 8.7.6:

  • bug 107712 CVE-2017-6821 Improper limitation of file paths CWE-22
    Affects: All supported versions before 8.7.6
  • bug 107684 CVE-2017-6813 Improper handling of privileges CWE-280
    Affects: ZCS 8.5.0 - 8.7.5

Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)

A fix for a limited capability XXE - CVE-2016-9924 / bug 106811 is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.

A special thanks to Alastair Gray for taking the time to report this issue!

Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)

The details of CVE-2016-3403 / bug 100899 (see also bug 100885) were publicly disclosed by Sysdream Labs on 2017-01-11.

Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on 2016-07-13.

Thank you to Sysdream for your assistance and cooperation!

Ransomware targeting ZCS Servers

Lawrence Abrams of Bleeping Computer has reported that there is a new ransomware variant, written in Python, that is targeting ZCS server data under /opt/zimbra/store/.

At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:

  • Get (and stay) up to date on OS version and patches.
  • Get (and stay) up to date on ZCS version and patches.
  • Ensure servers are properly firewalled (see Ports) and only allow access to the minimum set of services required to meet your business requirements.
  • Review and compare your system configuration against best practices like the CIS benchmarks.

Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

The 2016-05-03 announcement by OpenSSL regarding a padding oracle in the AES-NI CBC MAC check affects supported releases of ZCS 8.0-8.6.0 (via MTAs and Proxy).

We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in bug 104982. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via package repos.

First, test that you are vulnerable with the following tool:
https://filippo.io/CVE-2016-2107/

  • Edit /opt/zimbra/.bash_profile - add the following to the end of user zimbra's .bash_profile (requires root privs):
    # workaround CVE-2016-2107
    export OPENSSL_ia32cap="~0x200000200000000"
  • Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):
    Defaults env_keep += "OPENSSL_ia32cap"
  • Configure postfix - instructs postfix to honor the desired environment variable:
    $ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
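
For completeness, the three steps above as one idempotent script, so re-running it on a host that already has the workaround does not stack duplicate lines. This is an added example, not Zimbra's script and not taken from bug 104982. It assumes root, the paths the steps name, and it chooses a drop-in under /etc/sudoers.d (which requires the usual #includedir line in /etc/sudoers) rather than editing /etc/sudoers in place; the paths and the "run as zimbra" helper are overridable so the logic can be rehearsed on scratch files.

```shell
#!/bin/sh
# Added example (not Zimbra's own script): apply the CVE-2016-2107 workaround
# idempotently. Run as root. Defaults are the paths named in the steps above.
BASH_PROFILE="${BASH_PROFILE:-/opt/zimbra/.bash_profile}"
SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers.d/zimbra-openssl-ia32cap}"   # example's choice
ZMLOCALCONFIG="${ZMLOCALCONFIG:-/opt/zimbra/bin/zmlocalconfig}"
ZIMBRA_USER="${ZIMBRA_USER:-zimbra}"

# OPENSSL_ia32cap masks the CPUID feature words OpenSSL consults (low 32 bits
# = EDX, high 32 bits = ECX of leaf 1). This value clears bit 57 (ECX.AES,
# the AES-NI flag) and bit 33 (ECX.PCLMULQDQ), so OpenSSL takes its generic
# AES-CBC path and never reaches the vulnerable AES-NI MAC check.
IA32CAP_MASK='~0x200000200000000'

# Append a line only if the file does not already contain it verbatim.
append_once() {
    file="$1"; line="$2"
    if [ -f "$file" ] && grep -Fqx -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Run a command as the zimbra user; overridable so step 3 can be stubbed out.
run_as_zimbra() {
    su - "$ZIMBRA_USER" -c "$*"
}

apply_workaround() {
    # Step 1: the zimbra login shell exports the mask to everything it starts.
    append_once "$BASH_PROFILE" "# workaround CVE-2016-2107"
    append_once "$BASH_PROFILE" "export OPENSSL_ia32cap=\"$IA32CAP_MASK\""

    # Step 2: sudo keeps the variable across the zimbra -> root transitions
    # that ZCS uses when it starts services such as postfix.
    append_once "$SUDOERS_FILE" 'Defaults env_keep += "OPENSSL_ia32cap"'
    chmod 0440 "$SUDOERS_FILE"
    # Syntax-check the drop-in (skip with CHECK_SUDOERS=0 when rehearsing on
    # scratch files); a malformed sudoers file would lock everyone out of sudo.
    if [ "${CHECK_SUDOERS:-1}" = 1 ] && [ "$(id -u)" -eq 0 ] \
        && command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$SUDOERS_FILE" >/dev/null || return 1
    fi

    # Step 3: postfix imports the variable into its own process environment.
    run_as_zimbra "$ZMLOCALCONFIG -e postfix_import_environment='OPENSSL_ia32cap'"
}

# Afterwards, confirm from a fresh zimbra login shell that both halves took:
#   su - zimbra -c 'echo $OPENSSL_ia32cap; zmlocalconfig postfix_import_environment'
```

The mask only has an effect on processes that start after it is in place, so restart the MTA and proxy (zmcontrol restart as zimbra) and then re-run the https://filippo.io/CVE-2016-2107/ check against the public ports.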

A special thanks to Malte Stretz from our Gold Partner, Silpion, for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.

In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)

The 2016-03-01 announcement by OpenSSL regarding DROWN via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently supported releases. See How to disable SSLv3, as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in bug 104130.

ZCS 8.6.0 Patch 5 availability

ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: Zimbra Security Advisories). Three of the CVE IDs referenced in the patch come via third-party components shipped with ZCS. Please note that one of the fixed vulnerabilities is rated as major. See the blog post or the release notes (available from the downloads area) for additional notes on ZCS 8.6.0 Patch 5.

[Update: Feb 2, 2016]
If you can not patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.

OpenSSL alternative chains certificate forgery (CVE-2015-1793)

Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects the following OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o only.

A note on Logjam

There is a lot of chatter about Logjam - https://weakdh.org today.

At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.

Today we updated the MTA Ciphers section of our Collab 8.6 security wiki page. In short, for anyone concerned about Logjam-style (cipher downgrade) MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default (http://www.postfix.org/postconf.5.html#smtp_tls_ciphers), allows lower cipher grades. Raising these to 'medium' can reduce client interoperability and may cause some clients to fall back to cleartext rather than use lower-grade encryption.

As usual, there are trade-offs involved, but in the light of FREAK (https://freakattack.com) and Logjam (https://weakdh.org) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.
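
As an added illustration written for this page (not taken from the Collab 8.6 wiki page referenced above), here is a small audit of a Postfix main.cf for the grades this note warns about, with a weak configuration beside a corrected one. It treats an unset parameter as the compiled-in default, assumed here to be 'export' for the opportunistic settings and 'medium' for the mandatory ones, which is what Postfix releases of that era shipped; confirm on your build with `postconf -d smtpd_tls_ciphers`. Both sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example: flag Postfix TLS cipher grades below "medium" (the
# Logjam/FREAK-relevant "export" and "low" grades) in a main.cf-style file.
# audit_tls_ciphers returns 0 when clean, 1 when any grade is too weak.

# Postfix grades: null < export < low < medium < high. Return 0 (flag) for
# anything below medium, and also for an unrecognised value.
weak_grade() {
    case "$1" in
        null|export|low) return 0 ;;
        medium|high)     return 1 ;;
        *)               return 0 ;;
    esac
}

# Print a parameter's value from main.cf (last occurrence wins, as in Postfix),
# or $3, the assumed compiled-in default, when it is not set.
cf_get() {
    file="$1"; param="$2"; default="$3"
    val=$(sed -n "s/^[[:space:]]*$param[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

audit_tls_ciphers() {
    file="$1"; rc=0
    # Assumed defaults: opportunistic TLS "export", mandatory TLS "medium".
    # Verify for your build with: postconf -d smtpd_tls_ciphers
    for spec in \
        smtpd_tls_ciphers:export \
        smtp_tls_ciphers:export \
        smtpd_tls_mandatory_ciphers:medium \
        smtp_tls_mandatory_ciphers:medium; do
        param="${spec%%:*}"; default="${spec#*:}"
        grade=$(cf_get "$file" "$param" "$default")
        if weak_grade "$grade"; then
            echo "WEAK  $param = $grade"; rc=1
        else
            echo "ok    $param = $grade"
        fi
    done
    return $rc
}

# Constructed samples: an MTA pinned to export/low grades, and the corrected
# settings (medium for opportunistic, high for mandatory, plus an explicit
# exclusion list so no weak suite survives a later grade change).
write_samples() {
    dir="$1"
    printf '%s\n' \
        'smtpd_tls_ciphers = export' \
        'smtp_tls_ciphers = low' \
        'smtpd_tls_mandatory_ciphers = medium' > "$dir/main.cf.weak"
    printf '%s\n' \
        'smtpd_tls_ciphers = medium' \
        'smtp_tls_ciphers = medium' \
        'smtpd_tls_mandatory_ciphers = high' \
        'smtp_tls_mandatory_ciphers = high' \
        'smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, MD5, RC4' > "$dir/main.cf.fixed"
}

# Usage: audit_tls_ciphers /path/to/main.cf   (or a saved `postconf -n` output)
```

On ZCS the rendered main.cf is regenerated from LDAP, so the fix belongs in the zimbraMtaSmtpdTlsCiphers / zimbraMtaSmtpTlsCiphers (and the matching MandatoryCiphers) global-config attributes rather than in a hand edit; run the audit against the main.cf ZCS renders, or against saved `postconf -n` output, after the change has been applied.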

Please visit https://wiki.zimbra.com/wiki/Security/Collab/86 to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen DH params. A sneak preview of security related changes/enhancements in the works is available at https://wiki.zimbra.com/wiki/Security/Collab/87.

Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/


Update for 8.0.x customers: Collab 8.0.x uses Java 1.7, where the DH parameters are hard-coded to 768 bits (except for export cipher suites, which use 512 bits but should already be disabled). The workaround is to always use the (Nginx) Proxy, so that TLS is terminated by nginx/OpenSSL rather than by Java. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html)

What the FREAK attack means to Zimbra

Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a way to perform a Man-in-the-Middle (MitM) attack. The vulnerability is referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as CVE-2015-0204.

The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade (read: weak) encryption, which, according to the Washington Post, means 512-bit RSA, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that a 512-bit key can be factored today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.

Matthew Green, cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:

A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.

In addition to Matthew Green's post and the Washington Post article, the freakattack.com site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.

Zimbra Specifics

Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack on the server side. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.

As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.

GNU C Library Vulnerability — aka GHOST

Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.

Details

The vulnerability was found by Qualys and disclosed as CVE-2015-0235. It should be noted that the bug was fixed upstream in 2013, between the glibc 2.17 and 2.18 releases, but at the time it was not categorized as a security issue, so many distributions continued to ship older stable, and therefore vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.

Recommendation

Zimbra recommends that anyone running Linux update their systems as soon as possible. Although Linux does not usually require a reboot after a library update, restarting the affected services (or rebooting) is recommended so that every long-running process picks up the patched glibc rather than the copy it already has mapped.

Patches or acknowledgements

GNU C Library's upstream Git
Ubuntu
Debian
Red Hat
CentOS
SUSE

- Phil

Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.

POODLE Revisited

We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.

For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.

Zimbra Collaboration Updates (8.0.9 & 8.5.1)

Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit https://wiki.zimbra.com/wiki/How_to_disable_SSLv3.

Find here extra details on the releases:

And, as always, don't forget to read the release notes.

The Shellshock Flaw

Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.

Security Advisory: Zimbra Community 8.x Security Vulnerability

Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.

Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.

Affected Versions: 8.0.0.37997 (unpatched), 8.0.1.39116

Vulnerability Scoring: CVSS: 1.4

Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx

Details: The administrative feature to create users leverages non-public APIs that can force a user’s password to be inadvertently stored insecurely.

Reporter: Alex Crome (Zimbra)

When does this occur?

1. Creating a user through the control panel using Membership Administration (requires administrative privileges)

2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)

If you have any questions or would like assistance with applying the patch, please contact support.

This advisory was originally published here

Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.

The impact to Zimbra Collaboration Server is as follows:

  • ZCS 6 is not affected
  • ZCS 7 is not affected
  • ZCS 8 is affected

Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.

If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.

Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4

The following patch instructions must be done on a per server basis:

  • As zimbra user:
zmcontrol stop
  • As root:
cd /tmp
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
chmod a+rx zmopenssl-updater.sh
./zmopenssl-updater.sh
  • As zimbra user:
zmcontrol start

After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:

openssl version

On an 8.0.7 patched system the result should be:

zimbra$ openssl version
OpenSSL 1.0.1h 5 Jun 2014

Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.

Continue to the next server and repeat the patch process.

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.

Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability

Overview

Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:

Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.

Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.

The patch is located here:

The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:

  • RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected
  • SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected

Patching

The steps to patch are the following:

(as root)
1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh

 ---------------------
 [Generates the following output]
 Downloading patched openssl
 Validating patched openssl: success
 Backing up old openssl: complete
 Installing patched openssl: complete
 OpenSSL patch process complete.
 Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol
 restart
 ---------------------

(as user zimbra)
4) su - zimbra
5) zmcontrol restart

Manual Patching

If you don’t have Internet access, manually installing the patch would require the following steps:

1) Download the appropriate openssl build:

(as root)
cd /tmp
wget the correct version, from this list:

The MD5 files are also available for verification purposes, here:


(as root)
2) cd /opt/zimbra
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart
4) tar xfz /tmp/openssl-NEWVERSION.tgz

(as user zimbra)
5) su - zimbra
6) zmcontrol restart

Zimbra Collaboration 8.0.7 Builds

Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.

If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:

In short:

OpenSSL Patch Update for ZCS 8.0.3 Only

If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.

Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.

Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")

Please use the test methods below to confirm.

Testing

There are a few ways you can confirm if your system is vulnerable:

1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:

2. If running ZCS 8.0.7, check zmcontrol for the build number:

# su - zimbra
$ zmcontrol -v
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.

3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:

Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$

Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$
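As an added example (not Zimbra's own tooling), the verification steps above, the openssl version check after patching and the build-number and dtls1_heartbeat tests, collected into a small POSIX shell script. The paths are those from the advisory; the function arguments let the checks run against captured output, and the build number 6020 used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not Zimbra's own script: post-patch checks for the OpenSSL
# advisories (CCS Injection and Heartbleed) on a ZCS node.

# Parse a "zmcontrol -v" line such as
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
# and print the release (8.0.7) or the build number (6021).
zm_release_version() {
    printf '%s\n' "$1" | sed -n 's/^Release \([0-9.]*\)_GA_.*/\1/p'
}
zm_build_number() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9]*\)\..*/\1/p'
}

# Compare the output of "openssl version" (run as the zimbra user) with the
# version a patched node should report, e.g. 1.0.1h on 8.0.7. Returns 0 on match.
openssl_version_is() {
    expected="$2"
    set -- $1                # "OpenSSL 1.0.1h 5 Jun 2014" -> $2 is 1.0.1h
    [ "$2" = "$expected" ]
}

# Returns 0 if the library still carries the dtls1_heartbeat symbol (vulnerable
# build), 1 if it does not, 2 if the file cannot be read. grep -a replaces
# strings(1) so the check works without binutils installed.
libssl_has_heartbeat() {
    [ -r "$1" ] || return 2
    grep -a -q 'dtls1_heartbeat' "$1"
}

# Verdict for one node: an 8.0.7 install must be the rebuilt build 6021 (a
# constructed sample like 6020 would fail), and on any release libssl.so must
# no longer contain the heartbeat symbol.
zm_node_verdict() {
    zmline="$1"; lib="$2"
    rel=$(zm_release_version "$zmline"); build=$(zm_build_number "$zmline")
    if [ "$rel" = "8.0.7" ] && [ "$build" != "6021" ]; then
        echo "VULNERABLE: 8.0.7 build $build predates the Heartbleed rebuild"; return 1
    fi
    rc=0; libssl_has_heartbeat "$lib" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $lib still contains dtls1_heartbeat"; return 1 ;;
        2) echo "UNKNOWN: cannot read $lib"; return 2 ;;
    esac
    echo "OK: release $rel build $build, heartbeat disabled in $lib"
}

# Check the live node when run directly as the zimbra user (zmcontrol in PATH).
if command -v zmcontrol >/dev/null 2>&1; then
    zm_node_verdict "$(zmcontrol -v | head -n 1)" /opt/zimbra/openssl/lib/libssl.so
fi
```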


Please let Zimbra know promptly if you have any problems or questions.

Urgency on Security Fixes for Bug 80338 and Bug 84547

Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation

Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):

There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:

And it has been used to upload rogue Zimlets and install bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:

As noted, there are patches and upgrades available here:

Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.

Welcome to the Zimbra Security Group

Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.


Zimbra Security Center

Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.

"Watch" the Security Center pages to stay updated on Zimbra security related news.

Zimbra Support

Open a new Support Ticket or check your opening ones. For questions on becoming a supported Zimbra customer, please contact us.

Zimbra Product Releases

Go to our Zimbra Product Releases page for details about each release, including:

  • Release Notes
  • Patch Information
  • Documents in PDF format
  • Documents in ePub format
  • Complete Bugzilla reports
