Security Center
Zimbra Security - News & Alerts
How to stay informed about security announcements?
You could manually check this page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
And/or subscribe to these RSS feeds (you can use the Zimbra Classic UI or some other feed reader such as r2e on Linux):
- https://wiki.zimbra.com/security-advisory-feed.php (no details, can be used for security notification purposes)
- https://blog.zimbra.com/feed/ (includes patches and security news with details and other news)
And subscribe to the Zeta Alliance mailing lists:
https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org
ZCS 10.1.1 Released
ZCS 10.1.1 was released on Wed Sep 04 2024. The release includes security fixes for:
- A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. CVE-2024-45513
- Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. CVE-2024-45519
- A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. CVE-2024-45518
- A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. CVE-2024-45194
- A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. CVE-2024-45517
- Resolved Cross-Site Scripting (XSS) vulnerability due to inadequate validation of metadata's Content-Type when importing files into the briefcase, preventing arbitrary JavaScript execution. CVE-2024-45515
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. CVE-2024-45516
- A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. CVE-2024-45514
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. TBD
- Fixed a reflected XSS vulnerability in the Briefcase module due to improper sanitization by the OnlyOffice formatter. CVE-2024-45511
- Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. CVE-2024-45512
- Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. CVE-2024-45510
- A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. CVE-2024-38356
ZCS 10.0.9 Released
ZCS 10.0.9 was released on Wed Sep 04 2024. The release includes security fixes for:
- A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. CVE-2024-45513
- Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. CVE-2024-45519
- A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. CVE-2024-45518
- A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. CVE-2024-45194
- A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. CVE-2024-45517
- Resolved Cross-Site Scripting (XSS) vulnerability due to inadequate validation of metadata's Content-Type when importing files into the briefcase, preventing arbitrary JavaScript execution. CVE-2024-45515
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. CVE-2024-45516
- A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. CVE-2024-45514
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. TBD
- Fixed a reflected XSS vulnerability in the Briefcase module due to improper sanitization by the OnlyOffice formatter. CVE-2024-45511
- Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. CVE-2024-45512
- Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. CVE-2024-45510
- A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. CVE-2024-38356
ZCS 9.0.0 Patch 41 Released
ZCS 9.0.0 Patch 41 was released on Wed Sep 04 2024. The release includes security fixes for:
- A stored XSS vulnerability in the `contacts/print` endpoint has been addressed. CVE-2024-45513
- Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. CVE-2024-45519
- A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. CVE-2024-45518
- A Cross-Site Scripting (XSS) issue that allowed an attacker to inject and execute malicious code via email account configurations has been resolved. CVE-2024-45194
- A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. CVE-2024-45517
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. CVE-2024-45516
- A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. CVE-2024-45514
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. TBD
- Fixed a Stored Cross-Site Scripting (XSS) vulnerability in the Briefcase module that could execute malicious code when interacting with folder share notifications. CVE-2024-45512
- Fixed a stored XSS vulnerability that could lead to unauthorized actions when adding contacts from specially crafted emails. CVE-2024-45510
- A Cross-Site Scripting (XSS) vulnerability in TinyMCE was addressed in the upgrade from version 7.1.1 to 7.2.0. CVE-2024-38356
ZCS 8.8.15 Patch 46 Released
ZCS 8.8.15 Patch 46 was released on Wed Sep 04 2024. The release includes security fixes for:
- Fixed a security vulnerability in the postjournal service which may allow unauthenticated users to execute commands. CVE-2024-45519
- A Server-Side Request Forgery (SSRF) vulnerability that allowed unauthorized access to internal services has been addressed. CVE-2024-45518
- A Cross-Site Scripting (XSS) vulnerability in the `/h/rest` endpoint has been fixed. CVE-2024-45517
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. CVE-2024-45516
- A Cross-Site Scripting (XSS) vulnerability caused by a non-sanitized `packages` parameter has been resolved. CVE-2024-45514
- A Cross-Site Scripting (XSS) vulnerability via crafted HTML content in the Zimbra Classic UI has been fixed. TBD
- A reflected XSS vulnerability in the calendar endpoint has been addressed. TBD
- Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter. CVE-2024-33535
- An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter. CVE-2024-33536
- An XSS vulnerability in a Calendar invite has been resolved. CVE-2024-27443
ZCS 10.1.0 Released
ZCS 10.1.0 was released on Tue Jul 16 2024. The release includes security fixes for:
- Removed the use of Node integration from the Electron framework used in Modern Zimbra Desktop that allowed remote code execution, preventing Node.js code from being executed in the renderer process. TBD
- Upgraded the Electron framework used in Modern Zimbra Desktop to version 28.0.0. This update mitigates potential security risks associated with the outdated Electron version 11.5.0. CVE-2023-4863
- Upgraded graphiql from version 3.1.0 to 3.2.0 to address a high severity infinite loop vulnerability. TBD
- Addressed a high severity Prototype Pollution vulnerability in Modern UI. The concerned library has been removed from the codebase, and a custom utility function has been implemented to achieve the same functionality, mitigating the vulnerability. TBD
ZCS 10.0.8 Released
ZCS 10.0.8 was released on Mon Apr 22 2024. The release includes security fixes for:
- SMTP Smuggling vulnerability Patched. CVE-2023-51764
- Upgraded PHP to 8.3.0 to fix allocated memory vulnerability. CVE-2021-21708
- An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter. CVE-2024-33536
- Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter. CVE-2024-33535
- Addressed an XSS vulnerability in the zimbraAdmin interface due to a non-sanitised parameter. CVE-2024-33533
ZCS 9.0.0 Patch 40 Released
ZCS 9.0.0 Patch 40 was released on Mon Apr 22 2024. The release includes security fixes for:
- SMTP Smuggling vulnerability Patched. CVE-2023-51764
- Upgraded PHP to 8.3.0 to fix allocated memory vulnerability. CVE-2021-21708
- An XSS vulnerability was observed due to the execution of malicious JavaScript code from an externally shared file via non-sanitized parameter. CVE-2024-33536
- Unauthenticated Local File Inclusion in zimbraAdmin interface via "packages" parameter. CVE-2024-33535
- Addressed an XSS vulnerability in the zimbraAdmin interface due to a non-sanitised parameter. CVE-2024-33533
ZCS 10.0.7 Released
ZCS 10.0.7 was released on Wed Feb 28 2024. The release includes security fixes for:
- Nginx has been upgraded to version 1.24.0 to fix multiple vulnerabilities. CVE-2022-41741 CVE-2022-41742
- An XSS vulnerability in a Calendar invite has been resolved. CVE-2024-27443
- Local Privilege Escalation vulnerability Patched. CVE-2024-27442
ZCS 9.0.0 Patch 39 Released
ZCS 9.0.0 Patch 39 was released on Wed Feb 28 2024. The release includes security fixes for:
- Nginx has been upgraded to version 1.24.0 to fix multiple vulnerabilities. CVE-2022-41741 CVE-2022-41742
- An XSS vulnerability in a Calendar invite has been resolved. CVE-2024-27443
- Local Privilege Escalation vulnerability Patched. CVE-2024-27442
ZCS 10.0.6 Released
ZCS 10.0.6 was released on Mon Dec 18 2023. The release includes security fixes for:
- OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
- Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
- Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. TBD
- Modern UI was vulnerable to DOM-based JavaScript injection. Security-related issues have been fixed to prevent it. TBD
ZCS 9.0.0 Patch 38 Released
ZCS 9.0.0 Patch 38 was released on Mon Dec 18 2023. The release includes security fixes for:
- OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
- Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
- Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. TBD
- Modern UI was vulnerable to DOM-based JavaScript injection. Security-related issues have been fixed to prevent it. TBD
ZCS 8.8.15 Patch 45 Released
ZCS 8.8.15 Patch 45 was released on Mon Dec 18 2023. The release includes security fixes for:
- OpenJDK has been upgraded to version 17.0.8 to fix multiple vulnerabilities. CVE-2023-21930 CVE-2022-21476 CVE-2022-21449
- Fixed a vulnerability where an auth token was possible to be obtained. CVE-2023-48432
- Certbot now adopts ECDSA secp256r1 (P-256) certificate private keys as the default for all newly generated certificates. Zimbra has also introduced support for ECDSA secp256r1 (P-256) certificate private keys in new certificates. TBD
ZCS 10.0.5 Released
ZCS 10.0.5 was released on Thu Oct 19 2023. The release includes security fixes for:
- A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
- A security-related issue has been fixed which impacted one of the third-party libraries used in the Admin User Interface. CVE-2020-7746
- An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded in Briefcase. CVE-2023-45207
- Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now access help documentation at the URL https://www.zimbra.com/documentation/. CVE-2023-45206
ZCS 9.0.0 Patch 37 Released
ZCS 9.0.0 Patch 37 was released on Thu Oct 19 2023. The release includes security fixes for:
- A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
- A security-related issue has been fixed which impacted one of the third-party libraries used in the Admin User Interface. CVE-2020-7746
- An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded in Briefcase. CVE-2023-45207
- Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now access help documentation at the URL https://www.zimbra.com/documentation/. CVE-2023-45206
ZCS 8.8.15 Patch 44 Released
ZCS 8.8.15 Patch 44 was released on Thu Oct 19 2023. The release includes security fixes for:
- A security-related issue has been fixed to prevent JavaScript injection through help files. CVE-2007-1280
- A security-related issue has been fixed which impacted one of the third-party libraries used in the Admin User Interface. CVE-2020-7746
- An XSS vulnerability was observed when a PDF containing malicious JavaScript code was uploaded in Briefcase. CVE-2023-45207
- Multiple possible cross-site scripting (XSS) vulnerabilities were observed in the robohelp package. The package has now been made optional. This means that users will now access help documentation at the URL https://www.zimbra.com/documentation/. CVE-2023-45206
ZCS 10.0.4 Released
ZCS 10.0.4 was released on Wed Sep 13 2023. The release includes security fixes for:
- XSS on one of the web endpoints via a non-sanitised input parameter. CVE-2023-43103
- An attacker can gain access to a logged-in user's mailbox through XSS. CVE-2023-43102
ZCS 9.0.0 Patch 36 Released
ZCS 9.0.0 Patch 36 was released on Wed Sep 13 2023. The release includes security fixes for:
- XSS on one of the web endpoints via a non-sanitised input parameter. CVE-2023-43103
- An attacker can gain access to a logged-in user's mailbox through XSS. CVE-2023-43102
ZCS 8.8.15 Patch 43 Released
ZCS 8.8.15 Patch 43 was released on Wed Sep 13 2023. The release includes security fixes for:
- XSS on one of the web endpoints via a non-sanitised input parameter. CVE-2023-43103
- An attacker can gain access to a logged-in user's mailbox through XSS. CVE-2023-43102
ZCS 10.0.3 Released
ZCS 10.0.3 was released on Wed Aug 23 2023. The release includes security fixes for:
- A bug that could allow an unauthenticated attacker to gain access to a Zimbra account. CVE-2023-41106
ZCS 9.0.0 Patch 35 Released
ZCS 9.0.0 Patch 35 was released on Wed Aug 23 2023. The release includes security fixes for:
- A bug that could allow an unauthenticated attacker to gain access to a Zimbra account. CVE-2023-41106
ZCS 8.8.15 Patch 42 Released
ZCS 8.8.15 Patch 42 was released on Wed Aug 23 2023. The release includes security fixes for:
- A bug that could allow an unauthenticated attacker to gain access to a Zimbra account. CVE-2023-41106
ZCS 10.0.2 Released
ZCS 10.0.2 was released on Wed Jul 26 2023. The release includes security fixes for:
- The OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
- The Amavis package has been upgraded to version 2.13.0. TBD
- A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750
ZCS 9.0.0 Patch 34 Released
ZCS 9.0.0 Patch 34 was released on Wed Jul 26 2023. The release includes security fixes for:
- The OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
- The Amavis package has been upgraded to version 2.13.0. TBD
- A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750
ZCS 8.8.15 Patch 41 Released
ZCS 8.8.15 Patch 41 was released on Wed Jul 26 2023. The release includes security fixes for:
- A cross-site scripting (XSS) vulnerability that was present in the Zimbra Classic Web Client has been addressed. CVE-2023-37580
- The OpenSSL package has been upgraded to fix a security issue related to the verification of X.509 certificate chains that include policy constraints. CVE-2023-0464
- The Amavis package has been upgraded to version 2.13.0. TBD
- A bug that could lead to exposure of internal JSP and XML files has been fixed. CVE-2023-38750
Daffodil 10.0.1 Released
Daffodil 10.0.1 was released on Tue May 30 2023. The release includes security fixes for:
- As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. CVE-2023-34193
- The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
- Removed an unused JSP file which may bypass the Preauth verification. CVE-2023-29382
- The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
- The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
- Added additional validations for 2FA login. CVE-2023-29381
ZCS 9.0.0 Patch 33 Released
ZCS 9.0.0 Patch 33 was released on Tue May 30 2023. The release includes security fixes for:
- As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. CVE-2023-34193
- The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
- Removed an unused JSP file which may bypass the Preauth verification. CVE-2023-29382
- The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
- The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
- Added additional validations for 2FA login. CVE-2023-29381
ZCS 8.8.15 Patch 40 Released
ZCS 8.8.15 Patch 40 was released on Tue May 30 2023. The release includes security fixes for:
- A possible Cross-site Scripting (XSS) security vulnerability has been fixed. CVE-2023-34192
- As part of continuous improvement, the ClientUploader package has been removed from the core product and moved to an optional package. CVE-2023-34193
- The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities. CVE-2023-25690
- Removed an unused JSP file which may bypass the Preauth verification. CVE-2023-29382
- The Apache CXF package has been upgraded to version 3.5.5 to fix an SSRF vulnerability. CVE-2022-46364
- The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities. CVE-2022-22970
- Added additional validations for 2FA login. CVE-2023-29381
ZCS 9.0.0 Patch 31 Released
ZCS 9.0.0 Patch 31 was released on March 2, 2023. The release includes security fixes for:
- The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. CVE-2023-20032
ZCS 8.8.15 Patch 38 Released
ZCS 8.8.15 Patch 38 was released on March 2, 2023. The release includes security fixes for:
- The ClamAV package has been upgraded to version 0.105.2 to fix multiple vulnerabilities. CVE-2023-20032
ZCS 9.0.0 Patch 30 Released
ZCS 9.0.0 Patch 30 was released on February 21, 2023. The release includes security fixes for:
- Multiple security issues related to the possibility of reflected XSS (RXSS) attacks when printing messages and appointments have been fixed. CVE-2023-24031
- The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. CVE-2023-0286
- Strengthened the PreAuth servlet to only redirect to the admin-configured URL, which will prevent security issues related to open redirection vulnerabilities. CVE-2023-24030
- Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. CVE-2023-26562
- Strengthened the security of the Zimbra product by disallowing the usage of some JVM arguments in the mailbox manager. CVE-2023-24032
- The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. CVE-2018-25032
ZCS 8.8.15 Patch 37 Released
ZCS 8.8.15 Patch 37 was released on February 21, 2023. The release includes security fixes for:
- The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities. CVE-2023-0286
- Strengthened the PreAuth servlet to only redirect to the admin-configured URL, which will prevent security issues related to open redirection vulnerabilities. CVE-2023-24030
- Previously, the account status was not validated when sending emails using 2FA. Added additional validations for user accounts to check the account status and allow email operations. CVE-2023-26562
- Strengthened the security of the Zimbra product by disallowing the usage of some JVM arguments in the mailbox manager. CVE-2023-24032
- The Perl Compress::Zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability. CVE-2018-25032
ZCS 9.0.0 Patch 28 Released
ZCS 9.0.0 Patch 28 was released on November 21, 2022. The release includes security fixes for:
- XSS can occur in the Classic UI login page by injecting arbitrary JavaScript code. CVE-2022-45911
- RCE through ClientUploader from an authenticated admin user. CVE-2022-45912
- XSS can occur via one of the attributes in webmail URLs, leading to information disclosure. CVE-2022-45913
- The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377
- The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770 CVE-2022-20771
- YUI dependency is removed from WebClient and Admin Console.
ZCS 8.8.15 Patch 35 Released
ZCS 8.8.15 Patch 35 was released on November 21, 2022. The release includes security fixes for:
- RCE through ClientUploader from an authenticated admin user. CVE-2022-45912
- XSS can occur via one of the attributes in webmail URLs, leading to information disclosure. CVE-2022-45913
- The Apache package has been upgraded to version 2.4.54 to fix multiple vulnerabilities. CVE-2022-26377
- The ClamAV package has been upgraded to version 0.105.1-2 to fix multiple vulnerabilities. CVE-2022-20770 CVE-2022-20771
ZCS 9.0.0 Patch 27 Released
ZCS 9.0.0 Patch 27 was released on October 11, 2022. The release includes security fixes for:
- An attacker can use the cpio package to gain unauthorized access to any other user's account. Zimbra recommends pax over cpio. CVE-2022-41352
- Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393
- XSS can occur via one of the attributes of an IMG element, leading to information disclosure. CVE-2022-41348
ZCS 8.8.15 Patch 34 Released
ZCS 8.8.15 Patch 34 was released on October 11, 2022. The release includes security fixes for:
- An attacker can use the cpio package to gain unauthorized access to any other user's account. Zimbra recommends pax over cpio. CVE-2022-41352
- Zimbra's sudo configuration permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. CVE-2022-37393
- XSS can occur via one of the attributes in the search component of webmail, leading to information disclosure. CVE-2022-41350
- XSS can occur via one of the attributes in the compose component of webmail, leading to information disclosure. CVE-2022-41349
- XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure. CVE-2022-41351
ZCS 9.0.0 Patch 26 Released
ZCS 9.0.0 Patch 26 was released on July 28, 2022. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities. CVE-2022-2068
- Authentication Bypass in MailboxImportServlet. CVE-2022-37042
- Proxy Servlet SSRF Vulnerability. CVE-2022-37041
- Cyrus SASL package has been upgraded to version 2.1.28. CVE-2022-24407
- When using preauth, CSRF tokens are not checked on some post endpoints. CVE-2022-37043
ZCS 8.8.15 Patch 33 Released
ZCS 8.8.15 Patch 33 was released on July 28, 2022. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1q to avoid multiple vulnerabilities. CVE-2022-2068
- RXSS on '/h/search' via title parameter. CVE-2022-37044
- RXSS on '/h/search' via onload parameter. CVE-2022-37044
- RXSS on '/h/search' via extra parameter. CVE-2022-37044
- Authentication Bypass in MailboxImportServlet. CVE-2022-37042
- Proxy Servlet SSRF Vulnerability. CVE-2022-37041
- Cyrus SASL package has been upgraded to version 2.1.28. CVE-2022-24407
- When using preauth, CSRF tokens are not checked on some post endpoints. CVE-2022-37043
ZCS 9.0.0 Patch 25 Released
ZCS 9.0.0 Patch 25 was released on June 14, 2022. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. CVE-2022-0778.
- Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. CVE-2021-28165.
- Upgraded mina-core to version 2.1.6. CVE-2019-0231
- Fixed an issue with Zimbra Classic WebApp where input sanitization was required in displaying attachment data. [CVE - TBD]
ZCS 8.8.15 Patch 32 Released
ZCS 8.8.15 Patch 32 was released on June 14, 2022. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1n to avoid DoS vulnerability. CVE-2022-0778.
- Upgraded Jetty to 9.4.46 to avoid vulnerability due to large TLS packets causing 100% CPU usage. CVE-2021-28165.
- Upgraded mina-core to version 2.1.6. CVE-2019-0231
- Fixed an issue with Zimbra Classic WebApp where input sanitization was required in displaying attachment data. [CVE - TBD]
ZCS 9.0.0 Patch 24.1 Released
ZCS 9.0.0 Patch 24.1 was released on May 10, 2022. The release includes security fixes for:
- Memcached poisoning with unauthenticated request. CVE-2022-27924
ZCS 8.8.15 Patch 31.1 Released
ZCS 8.8.15 Patch 31.1 was released on May 10, 2022. The release includes security fixes for:
- Memcached poisoning with unauthenticated request. CVE-2022-27924
ZCS 9.0.0 Patch 24 Released
ZCS 9.0.0 Patch 24 was released on March 30, 2022. The release includes security fixes for:
- Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities. CVE-2021-40438 CVE-2021-39275
- Upgraded PHP to 7.4.27 to avoid DoS vulnerability. CVE-2021-21702
- RCE through mboximport from authenticated user. CVE-2022-27925
- Memcached poisoning with unauthenticated request. CVE-2022-27924
Spring4Shell security hotfix was released in Patch 24 on April 21, 2022:
- RCE vulnerability in Spring Framework. CVE-2022-22965
ZCS 8.8.15 Patch 31 Released
ZCS 8.8.15 Patch 31 was released on March 30, 2022. The release includes security fixes for:
- Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities. CVE-2021-40438 CVE-2021-39275
- Upgraded PHP to 7.4.27 to avoid DoS vulnerability. CVE-2021-21702
- An endpoint URL accepted parameters without sanitizing them, causing an XSS vulnerability. CVE-2022-27926
- RCE through mboximport from authenticated user. CVE-2022-27925
- Memcached poisoning with unauthenticated request. CVE-2022-27924
ZCS 8.8.15 Patch 30 Security Hotfix Released
A Security Hotfix for ZCS 8.8.15 Patch 30 was released on February 05, 2022. The hotfix release includes a security fix for:
- Zero-day XSS Vulnerability. CVE-2022-24682.
ZCS 9.0.0 Patch 21 Released
ZCS 9.0.0 Patch 21 was released on November 22, 2021. The release includes security fixes for:
- Upgraded Apache to 2.4.51 to avoid multiple vulnerabilities. CVE-2021-30641 CVE-2020-35452.
ZCS 8.8.15 Patch 28 Released
ZCS 8.8.15 Patch 28 was released on November 22, 2021. The release includes security fixes for:
- Upgraded Apache to 2.4.51 to avoid multiple vulnerabilities. CVE-2021-30641 CVE-2020-35452.
ZCS 9.0.0 Patch 20 Released
ZCS 9.0.0 Patch 20 was released on October 25, 2021. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1l to avoid multiple vulnerabilities. CVE-2021-3711 CVE-2021-3712.
ZCS 8.8.15 Patch 27 Released
ZCS 8.8.15 Patch 27 was released on October 25, 2021. The release includes security fixes for:
- Upgraded OpenSSL to 1.1.1l to avoid multiple vulnerabilities. CVE-2021-3711 CVE-2021-3712.
ZCS 9.0.0 Patch 16 Released
ZCS 9.0.0 Patch 16 was released on July 28, 2021. The release includes security fixes for:
- Proxy Servlet Open Redirect Vulnerability CVE-2021-35209.
- Open Redirect Vulnerability in preauth servlet CVE-2021-34807
- Stored XSS Vulnerability in ZmMailMsgView.java CVE-2021-35208
- XSS vulnerability in Zimbra Web Client via loginErrorCode CVE-2021-35207
ZCS 9.0.0 Patch 10 Released
ZCS 9.0.0 Patch 10 was released on December 16, 2020. The release includes security fixes for:
- Resolved XXE vulnerability (CWE-776) in saml consumer store extension (Network Edition) CVE-2020-35123
ZCS 8.8.15 Patch 17 Released
ZCS 8.8.15 Patch 17 was released on December 16, 2020. The release includes security fixes for:
- Resolved XXE vulnerability (CWE-776) in saml consumer store extension (Network Edition) CVE-2020-35123
ZCS 9.0.0 Patch 5 Released
ZCS 9.0.0 Patch 5 was released on July 27, 2020. The release includes security fixes for:
- Upgrade for tinymce to 5.4.0, to resolve XSS vulnerability CVE-2019-1010091
- Upgrade nodejs library mem to 4.3.0 to resolve memory leak WS-2018-0236
ZCS 9.0.0 Patch 4 and ZCS 8.8.15 Patch 11 Released
ZCS 9.0.0 Patch 4 and ZCS 8.8.15 Patch 11 were released on July 2, 2020. The release includes security fixes for:
- XSS Vulnerability in CVE-2020-13653
ZCS 9.0.0 Patch 3 and ZCS 8.8.15 Patch 10 Released
ZCS 9.0.0 Patch 3 and ZCS 8.8.15 Patch 10 were released on June 3, 2020. The release includes security fixes for:
- Potential upload of dangerous file type in upload servlet CVE-2020-12846
ZCS 9.0.0 Patch 2 released
ZCS Patch 2 was released on May 4, 2020. The release includes security fixes for:
- CVE-2020-1931, XSS through malicious JS embedded in Mail Message or Calendar Event
ZCS 8.8.15 Patch 9 released
ZCS Patch 9 was released on April 23, 2020. The release includes security fixes for:
- CVE-2020-1930, CVE-2020-1931 - Upgraded 3rd Party Apache SpamAssassin from version 3.4.1 to 3.4.4.
- CVE-2020-3123 - Upgraded 3rd Party ClamAV from version 0.99.4 to 0.102.2.
- CVE-2019-13565 - Upgraded 3rd Party Open LDAP from version 2.4.46 to 2.4.49.
ZCS 8.8.15 Patch 8 released
ZCS Patch 8 was released on March 9, 2020. The release includes security fixes for:
- CVE-2020-10194 - any authenticated user could view a GAL contact from another domain on the same Zimbra installation. After this fix, AutoCompleteGal request does not allow access to GalSync accounts of other domains.
ZCS 8.8.15 Patch 7 released
ZCS Patch 7 was released on Feb 10, 2020. The release includes security fixes for:
- CVE-2020-8633 - Revoked share calendars are now being removed from OLK profile.
- CVE-2020-7796 - Potential for SSRF if WebEx zimlet installed and zimlet JSP enabled.
ZCS 8.8.15 Patch 2 released
ZCS Patch 2 was released on September 30, 2019. The release includes security fixes for:
- Upgraded ClamAV to 0.101.4 CVE-2019-12625 / Bug 12356
ZCS 8.8.15 Patch 1 released
ZCS 8.8.15 Patch 1 was released on August 28, 2019. The release includes security fixes for:
- CVE-2019-12427 / Bug 109174 - Non-Persistent XSS - admin console (CWE-79)
- CVE-2019-15313 / Bug 109141 - Non-Persistent XSS - web client (CWE-79)
ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released
ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8 and 8.8.11 Patch 4 were released on April 15, 2019. The releases include security fixes for:
- CVE-2019-9621 / Bug 109127 - SSRF (CWE-918 CWE-807)
- CVE-2019-6981 / Bug 109096 - SSRF (CWE-918)
8.8.9 Patch 10 adds one additional security fix (already included in earlier updates of the other releases mentioned above):
- CVE-2019-6980 / Bug 109097 - Insecure object deserialization (CWE-502)
ZCS 8.8.12 Patch 1 was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:
- CVE-2019-11318 / Bug 109117 - Persistent XSS - Drive (CWE-79)
ZCS 8.8.12 released
ZCS 8.8.12 was released on April 1, 2019. The release includes security fixes for:
- CVE-2019-9621 / Bug 109127 - SSRF (CWE-918 CWE-807)
- CVE-2019-6981 / Bug 109096 - SSRF (CWE-918)
- Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)
Recent Zimbra XXE / SSRF Vulnerability Disclosures
We published a blog post regarding recent Zimbra XXE / SSRF vulnerabilities disclosed by An Phuoc Trinh, of Viettel Cyber Security. In short:
- ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
- ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10
- ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13. Please plan to upgrade to a supported version as other security fixes have not been backported.
- ZCS earlier versions - upgrade to a supported version as soon as possible!
See the blog post for a few additional details: Recent Zimbra XXE / SSRF Vulnerability Disclosure.
ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released
ZCS 8.7.11 Patch 10 was released on March 18, 2019 and 8.6.0 Patch 13 was released on March 19, 2019. The releases include security fixes for (8.8.x versions are not affected by this vulnerability):
- CVE-2019-9670 / Bug 109129 - XXE (CWE-611)
ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released
ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 were released on March 4, 2019. The releases include security fixes for:
- CVE-2019-6980 / Bug 109097 - Insecure object deserialization (CWE-502)
A special thanks to An Phuoc Trinh, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!
Please note, the rating has been upgraded to "major" as the original scoring did not cover all potential available attack vectors.
ZCS 8.7.11 Patch 8 released
ZCS 8.7.11 Patch 8 was released February 1, 2019. The release includes security fixes for:
- CVE-2018-20160 / Bug 109093 - XXE - Chat (CWE-611)
- CVE-2018-14013 / Bug 109017 - Non-persistent XSS - Web Client (CWE 79)
ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released
ZCS 8.8.9 Patch 9, ZCS 8.8.10 Patch 5 and ZCS 8.8.11 Patch 1 were released January 4, 2019. The releases include security fixes for:
- CVE-2018-20160 / Bug 109093 - XXE - Chat (CWE-611)
- CVE-2018-14013 / Bug 109017 - Non-persistent XSS - Web Client (CWE-79)
- Note: this fix is already in the ZCS 8.8.11 release
ZCS 8.8.11 released
ZCS 8.8.11 was released December 17, 2018. The release includes a fix for a non-persistent XSS CVE-2018-14013 / bug 109017 (CWE 79).
ZCS 8.8.9 Patch 7 released
ZCS 8.8.9 P7 was released November 6, 2018. The patch includes a fix for a persistent XSS CVE-2018-18631 / bug 109020 (CWE 79).
ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released
ZCS 8.8.10 P2 and ZCS 8.7.11 P7 were released October 29, 2018. Both patches include a fix for a persistent XSS CVE-2018-18631 / bug 109020 (CWE 79). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS CVE-2018-14013 / bug 109018 (CWE 79). Please note, there is a second non-persistent XSS (bug 109017), also part of CVE-2018-14013, which is not fixed in this patch set.
ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released
ZCS 8.8.10 P1 and ZCS 8.8.9 P6 were released October 17, 2018. They include a fix for a non-persistent XSS CVE-2018-14013 / bug 109018 (CWE 79). Please note, there is a second non-persistent XSS (bug 109017), also part of CVE-2018-14013, which is not fixed in this patch set.
ZCS 8.8.10 released
ZCS 8.8.10 was released October 2, 2018. It includes a fix for a limited text content injection vulnerability CVE-2018-17938 / bug 109021 (CWE 345).
ZCS 8.8.8 Patch 9 released
ZCS 8.8.8 Patch 9 was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, CVE-2018-15131 / bug 109012.
ZCS 8.8.9 Patch 3, 8.7.11 Patch 6 and 8.6.0 Patch 11 released
ZCS 8.8.9 Patch 3 and ZCS 8.7.11 Patch 6 were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, CVE-2018-15131 / bug 109012.
ZCS 8.6.0 Patch 11 was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.
ZCS 8.8.8 Patch 7 and ZCS 8.8.9 Patch 1 released
ZCS 8.8.8 Patch 7 and ZCS 8.8.9 Patch 1 were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, CVE-2018-14425 / bug 108970.
ZCS 8.8.8 Patch 4 and ZCS 8.7.11 Patch 4 released
ZCS 8.8.8 Patch 4 and ZCS 8.7.11 Patch 4 were released May 24, 2018. They include a fix for an XSS vulnerability, CVE-2018-10939 / bug 108902.
ZCS 8.8.8 Patch 1 and ZCS 8.7.11 Patch 2 released
ZCS 8.8.8 Patch 1 and ZCS 8.7.11 Patch 2 were released April 12, 2018. They include a fix for a CSRF vulnerability, CVE-2015-7610 / bug 97579.
ZCS 8.7.11 Patch 1 released
ZCS 8.7.11 Patch 1 was released March 14, 2018. This includes fixes for three XSS vulnerabilities, CVE-2017-17703 / bug 108265, CVE-2017-8802 / bug 107925, and CVE-2018-6882 / bug 108786.
ZCS 8.8.7 released
ZCS 8.8.7 was released today. It includes fixes for a Persistent XSS vulnerability, CVE-2018-6882 / bug 108768 and Mailsploit related issues / bug 108709.
Note: We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.
ZCS 8.6.0 Patch 9 released
ZCS 8.6.0 Patch 9 was released today and includes fixes for two Persistent XSS vulnerabilities, CVE-2017-8802 / bug 107925 and CVE-2017-17703 / bug 108265.
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.
ZWC affected by Mailsploit
All supported versions of Zimbra Web Client (ZWC) prior to 8.8.7 are affected by Mailsploit. We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as bug 108709.
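Setting a preference on every class of service by hand is tedious and easy to miss on one COS, so here is a small script, added as an example and not part of the original advisory, that applies an attribute/value pair to every COS with zmprov and then re-reads each COS to confirm it took. It assumes it runs as the zimbra user with zmprov on PATH (/opt/zimbra/bin) and takes the attribute and value on the command line, so the same script serves the Mailsploit workaround (zimbraPrefShortEmailAddress FALSE) and the 8.6.0 Patch 9 XSS workaround (zimbraPrefUseKeyboardShortcuts FALSE). A COS change does not override a value a user set for themselves in Preferences; set_account_pref is there for that case.

```shell
#!/bin/sh
# Added example, not part of the Zimbra advisory: push a preference to every
# class of service and verify it. Run as the zimbra user; assumes zmprov is on
# PATH (/opt/zimbra/bin). Usage:
#   sh zcs-set-pref.sh --apply zimbraPrefShortEmailAddress FALSE
set -eu

# All class-of-service names, one per line (zmprov gac = getAllCos).
list_cos() {
    zmprov gac
}

# Read one attribute from a COS. zmprov gc prints "# name <cos>" followed by
# "<attr>: <value>"; keep only the value.
get_cos_pref() {
    zmprov gc "$1" "$2" | sed -n "s/^$2: //p"
}

# Set attr=value on every COS (zmprov mc = modifyCos). A user-level override
# made in Preferences is NOT changed by this; use set_account_pref for that.
set_pref_all_cos() {
    for cos in $(list_cos); do
        zmprov mc "$cos" "$1" "$2"
    done
}

# Set attr=value directly on one account (zmprov ma = modifyAccount).
set_account_pref() {
    zmprov ma "$1" "$2" "$3"
}

# Re-read every COS; return 1 (and name the offenders) if any still differs.
verify_all_cos() {
    attr=$1; want=$2; bad=0
    for cos in $(list_cos); do
        got=$(get_cos_pref "$cos" "$attr")
        if [ "$got" != "$want" ]; then
            echo "COS $cos: $attr is '$got', expected '$want'" >&2
            bad=1
        fi
    done
    return "$bad"
}

if [ "${1:-}" = "--apply" ]; then
    set_pref_all_cos "$2" "$3"
    verify_all_cos "$2" "$3" && echo "$2=$3 on all classes of service"
fi
```

The verify step is the part worth keeping: zmprov mc prints nothing on success, so without re-reading each COS a typo in the attribute name or a COS that was skipped goes unnoticed.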
8.7.10 Released with a fix for one vulnerability
The following vulnerabilities were fixed in ZCS 8.7.10:
- bug 107878 CVE-2017-8783 Persistent XSS - location CWE-79
  Affects: All supported versions before 8.7.10
- bug 107885 CVE-2017-8783 Persistent XSS - description CWE-79
  Affects: All supported versions before 8.7.10
Thank you to Stephan Kaag of Securify for reporting bug 107878!
8.7.6 Released with fixes for two vulnerabilities
The following vulnerabilities were fixed in ZCS 8.7.6:
- bug 107712 CVE-2017-6821 Improper limitation of file paths CWE-22
  Affects: All supported versions before 8.7.6
- bug 107684 CVE-2017-6813 Improper handling of privileges CWE-280
  Affects: ZCS 8.5.0 - 8.7.5
Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)
A fix for a limited capability XXE - CVE-2016-9924 / bug 106811 is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.
A special thanks to Alastair Gray for taking the time to report this issue!
Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)
The details of CVE-2016-3403 / bug 100899 (see also bug 100885) were publicly disclosed by Sysdream Labs on 2017-01-11.
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on 2016-07-13.
Thank you to Sysdream for your assistance and cooperation!
Ransomware targeting ZCS Servers
Lawrence Abrams of Bleeping Computer has reported that there is a new ransomware variant, written in Python, that is targeting ZCS server data under /opt/zimbra/store/.
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:
- Get (and stay) up to date on OS version and patches.
- Get (and stay) up to date on ZCS version and patches.
- Ensure servers are properly firewalled (see Ports) and only allow access to the minimum number of services required to meet your business requirements.
- Review and compare your system configuration against best practices like the CIS benchmarks.
Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
The 2016-05-03 announcement by OpenSSL regarding a padding oracle in the AES-NI CBC MAC check affects supported releases of ZCS 8.0-8.6.0 (via MTAs and Proxy).
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in bug 104982. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via package repos.
First, test that you are vulnerable with the following tool:
https://filippo.io/CVE-2016-2107/
- Edit /opt/zimbra/.bash_profile - add the following to the end of user zimbra's .bash_profile (requires root privs):
# workaround CVE-2016-2107
export OPENSSL_ia32cap="~0x200000200000000"
- Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):
Defaults env_keep += "OPENSSL_ia32cap"
- Configure postfix - instructs postfix to honor the desired environment variable:
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
The variable only reaches processes started after it is set, so once all three steps are done restart ZCS (zmcontrol restart as zimbra, from a fresh login shell) and re-run the test above.
A special thanks to Malte Stretz from our Gold Partner, Silpion, for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.
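To see what the value in the workaround actually does, the helper below (added here as an example, not part of the original workaround) decodes an OPENSSL_ia32cap string the way OpenSSL documents it: the first 64-bit word mirrors CPUID(1), with EDX in the low 32 bits and ECX in the high 32 bits, and a leading ~ means "clear these bits". 0x200000200000000 is bit 57 (AES-NI, ECX bit 25) plus bit 33 (PCLMULQDQ, ECX bit 1), so with it exported OpenSSL stops using the AES-NI code, including the AES-NI CBC-MAC routines the padding oracle lives in, and falls back to the generic implementation. Only the first word is handled; the ":second-word" syntax of later OpenSSL releases is out of scope.

```shell
#!/bin/sh
# Added example, not part of the advisory: decode an OPENSSL_ia32cap value.
# The first word mirrors CPUID(1): bits 0-31 = EDX, bits 32-63 = ECX. A leading
# "~" means "clear these bits"; without it the bits are forced on.
set -eu

AESNI_BIT=57     # ECX bit 25
PCLMUL_BIT=33    # ECX bit 1
SSSE3_BIT=41     # ECX bit 9
AVX_BIT=60       # ECX bit 28

# "clear" if the spec starts with "~", otherwise "set".
ia32cap_mode() {
    case "$1" in
        "~"*) echo clear ;;
        *)    echo set ;;
    esac
}

# The numeric mask without the optional leading "~".
ia32cap_mask() {
    printf '%s\n' "${1#\~}"
}

# True if bit $2 is present in the mask of spec $1.
ia32cap_has_bit() {
    mask=$(ia32cap_mask "$1")
    [ $(( ($mask >> $2) & 1 )) -eq 1 ]
}

# True if spec $1 disables AES-NI, i.e. it is a "~" mask that includes bit 57.
ia32cap_disables_aesni() {
    [ "$(ia32cap_mode "$1")" = clear ] && ia32cap_has_bit "$1" "$AESNI_BIT"
}

# Print one line per known feature bit touched by the spec.
ia32cap_describe() {
    mode=$(ia32cap_mode "$1")
    for pair in "$AESNI_BIT:AES-NI" "$PCLMUL_BIT:PCLMULQDQ" \
                "$SSSE3_BIT:SSSE3" "$AVX_BIT:AVX"; do
        bit=${pair%%:*}; name=${pair#*:}
        if ia32cap_has_bit "$1" "$bit"; then
            echo "$mode bit $bit ($name)"
        fi
    done
}

# The advisory's value clears AES-NI and PCLMULQDQ and nothing else:
#   ia32cap_describe '~0x200000200000000'
```

Forgetting the leading ~ turns the workaround into its opposite (the mask would force the AES-NI bit on), which is exactly the mistake ia32cap_disables_aesni is there to catch before the value goes into .bash_profile.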
In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)
The 2016-03-01 announcement by OpenSSL regarding DROWN via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently supported releases. See How to disable SSLv3, as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in bug 104130.
ZCS 8.6.0 Patch 5 availability
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: Zimbra Security Advisories). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is rated as major. See the blog post or the release notes (available from the downloads area) for additional notes on ZCS 8.6.0 Patch 5.
[Update: Feb 2, 2016]
If you can not patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.
OpenSSL alternative chains certificate forgery (CVE-2015-1793)
Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects the following OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o only.
A note on Logjam
There is a lot of chatter about Logjam - https://weakdh.org today.
At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.
Today we updated the MTA Ciphers section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default (http://www.postfix.org/postconf.5.html#smtp_tls_ciphers), allows use of lower cipher grades. Raising these to 'medium' can reduce client interoperability and/or may cause some peers to fall back to cleartext connections instead of using lower grade encryption.
As usual, there are trade-offs involved, but in the light of FREAK (https://freakattack.com) and Logjam (https://weakdh.org) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.
Please visit https://wiki.zimbra.com/wiki/Security/Collab/86 to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen DH params. A sneak preview of security related changes/enhancements in the works is available at https://wiki.zimbra.com/wiki/Security/Collab/87.
Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
Update for 8.0.x customers: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html)
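A quick way to check an MTA for the cipher grades discussed above, added here as an example and not something from the original post: feed the script the output of postconf (postconf -n shows only explicit settings, plain postconf includes the defaults) and it flags any Postfix TLS cipher grade below medium. On ZCS the fix must go through LDAP rather than a hand edit of main.cf, because zmconfigd regenerates main.cf from LDAP; the zimbraMta* attribute names printed by print_zcs_fix are assumed for 8.6 and should be confirmed against your release with zmprov desc before use.

```shell
#!/bin/sh
# Added example, not from the original post: flag Postfix TLS cipher grades
# below "medium" in postconf output. Usage: postconf | sh mta-cipher-audit.sh --audit
set -eu

# Parameters that select a cipher grade (export < low < medium < high).
CIPHER_PARAMS='smtp_tls_ciphers smtpd_tls_ciphers smtp_tls_mandatory_ciphers smtpd_tls_mandatory_ciphers'

# Return 0 if grade $1 is acceptable after FREAK/Logjam, 1 otherwise.
grade_ok() {
    case "$1" in
        medium|high) return 0 ;;
        *)           return 1 ;;   # export, low, null or anything unrecognised
    esac
}

# Read "name = value" lines on stdin; print "name value" for each weak grade.
# Exit status is 1 if anything weak was seen, 0 if the config is clean.
audit_tls_ciphers() {
    weak=0
    while IFS= read -r line; do
        name=${line%%=*}; name=$(printf '%s' "$name" | tr -d ' ')
        value=${line#*=}; value=$(printf '%s' "$value" | tr -d ' ')
        for p in $CIPHER_PARAMS; do
            if [ "$name" = "$p" ] && ! grade_ok "$value"; then
                echo "$name $value"
                weak=1
            fi
        done
    done
    return "$weak"
}

# Corrective commands for ZCS. Attribute names are ASSUMED for 8.6; confirm
# with "zmprov desc -a <name>". Editing main.cf directly does not stick
# because zmconfigd regenerates it from LDAP.
print_zcs_fix() {
    for attr in zimbraMtaSmtpdTlsCiphers zimbraMtaSmtpdTlsMandatoryCiphers \
                zimbraMtaSmtpTlsCiphers zimbraMtaSmtpTlsMandatoryCiphers; do
        echo "zmprov mcf $attr medium"
    done
    echo "zmmtactl restart"
}

if [ "${1:-}" = "--audit" ]; then
    if ! audit_tls_ciphers; then
        echo "weak cipher grades found; suggested fix:" >&2
        print_zcs_fix >&2
        exit 1
    fi
fi
```

Anything that is not medium or high is treated as weak on purpose: an unrecognised grade name is a misconfiguration worth a look, not something to wave through.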
What the FREAK attack means to Zimbra
Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a way to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as CVE-2015-0204.
The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption). According to the Washington Post, that means 512-bit RSA, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that a 512-bit RSA key can be factored today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.
Matthew Green, cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:
A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.
In addition to Matthew Green's post and the Washington Post article, the freakattack.com site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.
Zimbra Specifics
Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.
As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.
GNU C Library Vulnerability — aka GHOST
Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.
Details
The vulnerability was found by Qualys and is tracked as CVE-2015-0235. It should be noted that the underlying bug was fixed upstream in May 2013 and shipped in glibc 2.18, but at the time it was not categorized as a security issue, so many long-term stable distributions kept shipping the older, i.e. vulnerable, versions (2.17 and earlier). This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.
**Recommendation**
Zimbra recommends that anyone running Linux update glibc as soon as possible. Although Linux does not usually require a reboot, processes that were already running keep using the old library until they are restarted, so restart all underlying software services (or reboot) to ensure the patched library is actually in use.
Patches or acknowledgements
GNU C Library's upstream Git
Ubuntu
Debian
Red Hat
CentOS
SUSE
- Phil
Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.
POODLE Revisited
We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.
For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.
Zimbra Collaboration Updates (8.0.9 & 8.5.1)
Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit https://wiki.zimbra.com/wiki/How_to_disable_SSLv3.
Find here extra details on the releases:
- https://community.zimbra.com/collaboration/f/1884/t/1136138
- https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1
And, as always, don't forget to read the release notes.
The Shellshock Flaw
Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.
Security Advisory: Zimbra Community 8.x Security Vulnerability
Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.
Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.
Affected Versions: 8.0.0.37997 (unpatched), 8.0.1.39116
Vulnerability Scoring: CVSS: 1.4
Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx
Details: The administrative feature to create users leverages non-public APIs that can force a user’s password to be inadvertently stored insecurely.
Reporter: Alex Crome (Zimbra)
When does this occur?
1. Creating a user through the control panel using Membership Administration (requires administrative privileges)
2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)
If you have any questions or would like assistance with applying the patch, please contact support.
This advisory was originally published here.
Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)
20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)
On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.
The impact to Zimbra Collaboration Server is as follows:
- ZCS 6 is not affected
- ZCS 7 is not affected
- ZCS 8 is affected
Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.
If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.
Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
- ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
- ZCA versions 8.0.3 or 8.0.4
The following patch instructions must be done on a per server basis:
- As zimbra user:
zmcontrol stop
- As root:
cd /tmp
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
chmod a+rx zmopenssl-updater.sh
./zmopenssl-updater.sh
- As zimbra user:
zmcontrol start
After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:
openssl version
On an 8.0.7 patched system the result should be:
zimbra$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.
Continue to the next server and repeat the patch process.
Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.
Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.
Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.
Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability
Overview
Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:
- http://heartbleed.com
- https://www.openssl.org/news/secadv_20140407.txt
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.
Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.
The patch is located here:
The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
- ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
- ZCA versions 8.0.3 or 8.0.4
Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.
Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.
Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.
Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:
- RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected
- SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected
Patching
The steps to patch are the following:
(as root)
1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh
---------------------
[Generates the following output]
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol
restart
---------------------
(as user zimbra)
4) su - zimbra
5) zmcontrol restart
Manual Patching
If you don’t have Internet access, manually installing the patch would require the following steps:
1) Download the appropriate openssl build:
(as root)
cd /tmp
wget the correct version, from this list:
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz
The MD5 files are also available for verification purposes, here:
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum
- http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum
(as root)
2) cd /opt/zimbra
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart
4) tar xfz /tmp/openssl-NEWVERSION.tgz
(as user zimbra)
5) su - zimbra
6) zmcontrol restart
Zimbra Collaboration 8.0.7 Builds
Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.
If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:
- Network Edition: http://www.zimbra.com/products/download-network.html
- Open-Source Edition: http://www.zimbra.com/products/download-opensource.html
In short:
- If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -> Vulnerable, you would still need the OpenSSL patch: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html
- If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -> Not Vulnerable, no patch required
OpenSSL Patch Update for ZCS 8.0.3 Only
If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.
Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.
Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")
Please use the test methods below to confirm.
Testing
There are a few ways you can confirm if your system is vulnerable:
1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:
- http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz - the build number here is "6021"
2. If running ZCS 8.0.7, check zmcontrol for the build number:
# su - zimbra
$ zmcontrol -v
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat:
Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$
Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$
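The checks in methods 2 and 3 above, wrapped as shell functions so they can be scripted across many hosts. This is an added example, not a Zimbra script: the sample "library" files and release strings are constructed, and the grep -a fallback for hosts without binutils is this example's own assumption.

```shell
#!/bin/sh
# Added example: scripted form of the Heartbleed checks in the advisory above.
# Sample files and release strings below are constructed, not real Zimbra artifacts.

# Returns 0 when the library still contains the TLS heartbeat code (vulnerable
# build), 1 when the symbol is absent, 2 when the file cannot be read.
# Same check as the advisory (strings | grep); grep -a is a fallback for hosts
# without binutils (assumption of this example, not something Zimbra documents).
libssl_has_heartbeat() {
    lib="${1:-/opt/zimbra/openssl/lib/libssl.so}"
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    if command -v strings >/dev/null 2>&1; then
        strings "$lib" | grep -q dtls1_heartbeat
    else
        grep -a -q dtls1_heartbeat "$lib"
    fi
}

# Extracts the build number from a 'zmcontrol -v' release line, e.g.
# "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition." -> 6021
build_number_from_release() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9][0-9]*\)\..*/\1/p'
}

# ZCS 8.0.7 only: build 6020 shipped the vulnerable OpenSSL, 6021 the fixed one.
zcs807_build_is_vulnerable() {
    [ "$1" -lt 6021 ]
}

# Constructed stand-in for a libssl.so: a file whose printable strings include
# (or omit) the heartbeat symbol. Prints the path of the temp file.
make_sample_lib() {
    f=$(mktemp)
    printf 'ELF\n%s\nSSLv3 write client hello\n' "$1" > "$f"
    printf '%s\n' "$f"
}

main() {
    vuln=$(make_sample_lib dtls1_heartbeat)
    fixed=$(make_sample_lib ssl3_read_bytes)
    for lib in "$vuln" "$fixed"; do
        if libssl_has_heartbeat "$lib"; then echo "$lib: Vulnerable"; else echo "$lib: Not Vulnerable"; fi
    done
    rm -f "$vuln" "$fixed"
    build=$(build_number_from_release "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.")
    if zcs807_build_is_vulnerable "$build"; then echo "build $build: patch required"; else echo "build $build: not vulnerable"; fi
}
main
```

On a real host, run libssl_has_heartbeat with no argument to check /opt/zimbra/openssl/lib/libssl.so, and feed it the output of `zmcontrol -v` for the build check.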
Please let Zimbra know promptly if you have any problems or questions.
Urgency on Security Fixes for Bug 80338 and Bug 84547
Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation
- Bug 80338: Privilege Escalation via LFI
- CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091
- Affected versions: 7.2.2 and 8.0.2 and all previous releases
Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):
- Bug 84547: XXE (CWE-611)
- CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217
- Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series
There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:
It has been used to install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:
As noted, there are patches and upgrades available here:
- http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events
- Critical Security Patches posted for 8.0.X/7.2.X
- Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases
Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.