https://wiki.zimbra.com/api.php?action=feedcontributions&user=Plobbes&feedformat=atom
Zimbra :: Tech Center - User contributions [en]
2024-03-29T07:06:17Z
User contributions
MediaWiki 1.39.0
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66553
Security Center
2019-09-06T13:07:30Z
<p>Plobbes: added notes for release 8.8.15 Patch 1 - CVE-2019-12427 / Bug 109174; CVE-2019-15313 / Bug 109141</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.15 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P1 8.8.15 Patch 1]<br />
was released on August 28, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-12427 CVE-2019-12427] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109174 Bug 109174] - Non-Persistent XSS - admin console ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-15313 CVE-2019-15313] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109141 Bug 109141] - Non-Persistent XSS - web client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> September 6, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P11 8.7.11 Patch 11],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P8 8.8.10 Patch 8] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P4 8.8.11 Patch 4]<br />
were released on April 15, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
</ul><br />
<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10]<br />
also adds one additional security fix (already included in earlier updates of the other releases mentioned above):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1 ZCS 8.8.12 Patch 1] was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109117 Bug 109117] - Persistent XSS - Drive ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 15, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.12 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]<br />
was released on April 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
<li> Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include a security fix for the following vulnerability (8.8.x versions are not affected by it):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and for Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum set of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test whether you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
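<p class="text-justify">An added example, not from the Zimbra wiki or from bug 104982: a script that applies the first two settings above idempotently and verifies all three, taking the file paths as arguments so it can be exercised on copies before touching a live host. On a real server the files are /opt/zimbra/.bash_profile and the sudoers file (edit via visudo), both requiring root, and the current postfix_import_environment value is read with zmlocalconfig and passed as the third argument; the function names and the constructed sample files are assumptions.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): apply and verify the CVE-2016-2107
# AES-NI workaround described above. Paths are passed in so the functions can be
# exercised on copies; on a real host they would be /opt/zimbra/.bash_profile and
# /etc/sudoers (edited via visudo), and both steps need root.

# The exact lines the advisory asks for. The tilde mask clears the AES-NI (and
# PCLMULQDQ) CPU capability bits OpenSSL consults, so it takes the non-AES-NI
# CBC code path instead of the vulnerable one, at the cost of slower AES.
PROFILE_COMMENT='# workaround CVE-2016-2107'
PROFILE_EXPORT='export OPENSSL_ia32cap="~0x200000200000000"'
SUDOERS_KEEP='Defaults env_keep += "OPENSSL_ia32cap"'

# ensure_line FILE LINE: append LINE unless the file already holds it as a whole
# line, so running the workaround twice never duplicates entries.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# apply_workaround PROFILE SUDOERS: steps 1 and 2 of the advisory. Step 3
# (zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap') is run as the
# zimbra user and is deliberately not automated here.
apply_workaround() {
    ensure_line "$1" "$PROFILE_COMMENT"
    ensure_line "$1" "$PROFILE_EXPORT"
    ensure_line "$2" "$SUDOERS_KEEP"
}

# check_workaround PROFILE SUDOERS IMPORT_ENV: return 0 only when all three
# settings are present. IMPORT_ENV is the current value of the
# postfix_import_environment local config key (pass what zmlocalconfig prints).
check_workaround() {
    ok=0
    grep -qxF -- "$PROFILE_EXPORT" "$1" || { echo "missing: OPENSSL_ia32cap export in $1" >&2; ok=1; }
    grep -qxF -- "$SUDOERS_KEEP" "$2" || { echo "missing: env_keep entry in $2" >&2; ok=1; }
    case " $3 " in
        *" OPENSSL_ia32cap "*) ;;
        *) echo "missing: OPENSSL_ia32cap in postfix_import_environment" >&2; ok=1 ;;
    esac
    return $ok
}

# profile_exports_flag PROFILE: source the profile in a subshell and confirm the
# variable really reaches child processes, which is what the mitigation relies on.
profile_exports_flag() {
    ( . "$1" >/dev/null 2>&1; [ "$OPENSSL_ia32cap" = "~0x200000200000000" ] )
}
```

<p class="text-justify">Run <code>check_workaround</code> again after a reboot or an upgrade: the bundled packages are replaced on upgrade and the profile and sudoers edits are easy to lose, and the check fails loudly rather than assuming the variable is still exported.</p><br />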
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, whereas this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impact to Collab appears to be minimal and is currently limited to the MTA, specifically possible cipher setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower-grade ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to in-the-clear (unencrypted) communication instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of the FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' now potentially provides only an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers, with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
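<p class="text-justify">An added example, not from the Zimbra wiki: a small audit that reads the effective Postfix TLS settings and flags the cipher grades this note advises against, so the MTA recommendation can be checked rather than assumed. It takes a file of "name = value" lines as printed by <code>postconf -n</code> (on ZCS these values are managed with zmprov/zmlocalconfig rather than by editing main.cf, so the audit only reads them); the function names and the two constructed sample configurations are assumptions.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): audit effective Postfix TLS cipher
# grades for the 'export' and 'low' settings the Logjam note advises against.
# Input is a file of "name = value" lines as printed by `postconf -n` (or by
# `postconf` for the full effective set including defaults).

# audit_postfix_tls FILE: print one line per finding and return 1 if any cipher
# grade parameter is set to export, low or null; return 0 if none is.
audit_postfix_tls() {
    findings=0
    smtp_grade_set=0
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        name=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$name" in
            smtp_tls_ciphers|smtpd_tls_ciphers|lmtp_tls_ciphers|smtp_tls_mandatory_ciphers|smtpd_tls_mandatory_ciphers|lmtp_tls_mandatory_ciphers)
                [ "$name" = smtp_tls_ciphers ] && smtp_grade_set=1
                case "$value" in
                    export|low|null)
                        echo "WEAK  $name = $value (avoid export/low; use medium or high)"
                        findings=$((findings + 1)) ;;
                esac ;;
            smtp_tls_exclude_ciphers|smtpd_tls_exclude_ciphers)
                # The grade alone should drop export suites; listing EXPORT in the
                # exclude list makes the intent explicit and survives grade changes.
                case "$value" in
                    *EXPORT*) ;;
                    *) echo "NOTE  $name does not exclude EXPORT suites explicitly" ;;
                esac ;;
        esac
    done < "$1"
    if [ "$smtp_grade_set" -eq 0 ]; then
        echo "NOTE  smtp_tls_ciphers not set: the Postfix default grade applies (see postconf(5))"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: an MTA that still allows export-grade opportunistic TLS.
sample_weak_postconf() {
    cat <<'EOF'
smtp_tls_ciphers = export
smtp_tls_security_level = may
smtpd_tls_ciphers = low
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL
EOF
}

# Constructed sample after applying the recommendation above.
sample_fixed_postconf() {
    cat <<'EOF'
smtp_tls_ciphers = medium
smtp_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, MD5, RC4
EOF
}

# run_audit_sample weak|fixed: run the audit over one constructed sample and
# print the number of WEAK findings (demo entry point; on a real MTA feed the
# audit the output of `postconf -n` instead).
run_audit_sample() {
    f=$(mktemp)
    "sample_${1}_postconf" > "$f"
    audit_postfix_tls "$f" | grep -c '^WEAK' || true
    rm -f "$f"
}
```

<p class="text-justify">The audit only looks at the opportunistic and mandatory grade parameters and the exclude lists; it does not judge the DH parameter size, which on 8.0.x is fixed by the Java version as the update above explains.</p><br />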
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], means 512-bit encryption, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that it is possible to crack 512-bit encryption today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE 2015-0235]. It should be noted that the vulnerability was patched in v 2.17 of the library, but at the time was not categorized as a security issue, leading many to maintain stable versions, i.e. vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE 2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, one is recommended here to ensure all underlying software services are running the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit [https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong> The Zimbra development team has identified a very specific scenario where a user's password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong> 8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong> CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong> http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong> The administrative feature to create users leverages non-public APIs that can cause a user's password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong> Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and a vulnerable server. It is also important to note that Zimbra does not use DTLS, nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for ZCS versions 8.0.3 to 8.0.7. The patch downloads the correct, patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries; it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</span><br /><span style="font-family: courier new,courier;">2) chmod a+rx zmopenssl-updater.sh</span><br /><span style="font-family: courier new,courier;">3) ./zmopenssl-updater.sh</span><br /><br /><span style="font-family: courier new,courier;">&nbsp;---------------------</span><br /><span style="font-family: courier new,courier;">&nbsp;[Generates the following output]</span><br /><span style="font-family: courier new,courier;">&nbsp;Downloading patched openssl</span><br /><span style="font-family: courier new,courier;">&nbsp;Validating patched openssl: success</span><br /><span style="font-family: courier new,courier;">&nbsp;Backing up old openssl: complete</span><br /><span style="font-family: courier new,courier;">&nbsp;Installing patched openssl: complete</span><br /><span style="font-family: courier new,courier;">&nbsp;OpenSSL patch process complete.</span><br /><span style="font-family: courier new,courier;">&nbsp;Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol</span><br /><span style="font-family: courier new,courier;">&nbsp;restart</span><br /><span style="font-family: courier new,courier;">&nbsp;---------------------</span><br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">4) su - zimbra</span><br /><span style="font-family: courier new,courier;">5) zmcontrol restart</span></p><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch would require the following steps:<br /><br />1) Download the appropriate openssl build:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">cd /tmp</span><br /><span style="font-family: courier new,courier;">wget the correct version, from this list:</span></p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p><br />(as root)<br /><span style="font-family: courier new,courier;">2) cd /opt/zimbra</span><br /><span style="font-family: courier new,courier;">3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart</span><br /><span style="font-family: courier new,courier;">4) tar xfz /tmp/openssl-NEWVERSION.tgz</span><br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">5) su - zimbra</span><br /><span style="font-family: courier new,courier;">6) zmcontrol restart</span></p><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and the Open-Source Edition - has been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:<br /><br /><span style="font-family: courier new,courier;"># su - zimbra</span><br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br /><span style="font-family: courier new,courier;">Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.</span><br /><br />3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:<br /><br /><strong>Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span><br /><br /><strong>Not Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span></p><br />
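The three checks above can be scripted so every node reports one verdict. This is an added example, not Zimbra's own tooling: the function names and the --check flag are this script's, and the build 6020 release line used in its comments is constructed.

```shell
#!/bin/sh
# Heartbleed exposure check for a ZCS 8.0.x node (added example, not Zimbra's
# tooling). It applies the advisory's two tests: the 8.0.7 build number shown
# by `zmcontrol -v`, and whether the bundled libssl still carries the
# dtls1_heartbeat symbol name.

# Parses a `zmcontrol -v` line such as
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
# and prints "<version> <build>", e.g. "8.0.7 6021". Returns 1 on no match.
zcs_release_info() {
    info=$(printf '%s\n' "$1" |
        sed -n 's/^Release \([0-9][0-9.]*\)_GA_\([0-9][0-9]*\)\..*/\1 \2/p')
    [ -n "$info" ] || return 1
    printf '%s\n' "$info"
}

# Per the advisory only ZCS 8.0.7 build 6021 or later was rebuilt with the fix;
# every other 8.0.x build needs zmopenssl-updater.sh, and the patch does not
# change the version string, so the version alone proves nothing there.
# Returns 0 only when the build itself proves the fix is present.
build_has_fix() {
    [ "$1" = "8.0.7" ] && [ "$2" -ge 6021 ]
}

# Returns 0 if the library still carries the dtls1_heartbeat symbol name (the
# advisory's "Vulnerable" signature), 1 if it does not, 2 if it cannot be read.
# grep -a stands in for `strings | grep` so the check works without binutils.
libssl_has_heartbeat() {
    lib=${1:-/opt/zimbra/openssl/lib/libssl.so}
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    grep -aq 'dtls1_heartbeat' "$lib"
}

# Prints one of: vulnerable, fixed, unknown.
# The library test is authoritative whenever the file is readable (it also
# catches a GA upgrade that silently reverted an earlier patch); the build
# number is only consulted as a fallback when the library cannot be read.
heartbleed_verdict() {
    zmcontrol_line=$1
    lib=$2
    rc=0
    libssl_has_heartbeat "$lib" || rc=$?
    case $rc in
        0) echo vulnerable; return 0 ;;
        1) echo fixed; return 0 ;;
    esac
    info=$(zcs_release_info "$zmcontrol_line") || { echo unknown; return 0; }
    if build_has_fix "${info%% *}" "${info##* }"; then
        echo fixed
    else
        echo unknown   # e.g. a constructed "Release 8.0.7_GA_6020..." line: patch state unproven
    fi
}

# Stand-alone use on a node: `sh zcs-heartbleed-check.sh --check` as the zimbra
# user, so that zmcontrol is on PATH and /opt/zimbra/openssl is readable.
if [ "${1:-}" = "--check" ]; then
    line=$(zmcontrol -v 2>/dev/null | grep '^Release' || true)
    echo "zmcontrol: ${line:-not available}"
    echo "verdict:   $(heartbleed_verdict "$line" /opt/zimbra/openssl/lib/libssl.so)"
fi
```

Run it on every node after patching and again after any GA upgrade, since the advisory notes an upgrade can reintroduce the vulnerable library.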
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66513
Zimbra Security Advisories
2019-08-21T18:23:52Z
<p>Plobbes: updated 109141 with CVE-ID CVE-2019-15313</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109174 109174]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2019-12427 CVE-2019-12427] </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.8.15 Patch 1 </td><br />
<td>Meridian Miftari</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109141 109141]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-15313 CVE-2019-15313]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.8.15 Patch 1 </td><br />
<td>Quang Bui</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Van Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66512
Zimbra Security Advisories
2019-08-21T15:48:54Z
<p>Plobbes: Added 109141 - fixed in 8.8.15 P1 (CVE-ID TBD) ; Added CVE-2019-12427 to 109174</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration. To obtain the latest release and patches, update your Zimbra Collaboration servers with the software available on our download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often carry the same vulnerabilities and should be upgraded to a supported version as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109174 109174]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap> [https://nvd.nist.gov/vuln/detail/CVE-2019-12427 CVE-2019-12427] </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.8.15 Patch 1 </td><br />
<td>Meridian Miftari</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109141 109141]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap><!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> - </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.8.15 Patch 1 </td><br />
<td>Quang Bui</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Van Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try Zimbra Collaboration now at no cost with the 60-day free trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute to the Community, to the Wiki, to the code, or by developing Zimlets. <br /> '''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube channel to stay up to date on webinars, technology news, product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66348
Zimbra Security Advisories
2019-05-28T15:35:25Z
<p>Plobbes: added bug 109174 with Meridian Miftarii</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration. To get the latest release and patches, update your Zimbra Collaboration servers with the software available on our download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109174 109174]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap><!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> - </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Meridian Miftari</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Van Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6u41 <br /> Upgrade to OpenSSL 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try Zimbra Collaboration at no cost with the 60-day free trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute to the Community, the Wiki or the Code, or by developing Zimlets. <br /> '''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube channel to stay up to date on webinars, technology news, product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66347
Zimbra Security Center Acknowledgements
2019-05-28T14:26:11Z
<p>Plobbes: added Meridian Miftarii for bug 109174</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security-related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2019</th></tr><br />
<br />
<tr><br />
<td>'''Meridian Miftarii'''</td><br />
<td>https://www.linkedin.com/in/meridiann/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Pethuraj M'''</td><br />
<td>https://www.pethuraj.in/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''SMII Mondher'''</td><br />
<td>https://twitter.com/smii_mondher</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Mohammed Israil'''</td><br />
<td>https://twitter.com/mdisrail2468</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br />https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66344
Zimbra Security Advisories
2019-05-22T14:20:42Z
<p>Plobbes: Name update - Khanh Van Pham</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to a supported version as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Van Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66343
Zimbra Security Center Acknowledgements
2019-05-20T15:38:18Z
<p>Plobbes: added Pethuraj M for web property related findings</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and our customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2019</th></tr><br />
<br />
<tr><br />
<td>'''Pethuraj M'''</td><br />
<td>https://www.pethuraj.in/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''SMII Mondher'''</td><br />
<td>https://twitter.com/smii_mondher</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Mohammed Israil'''</td><br />
<td>https://twitter.com/mdisrail2468</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br>https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66300
Zimbra Security Center Acknowledgements
2019-04-19T03:46:37Z
<p>Plobbes: added SMII Mondher for bug 109117 / CVE-2019-11318</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security-related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2019</th></tr><br />
<br />
<tr><br />
<td>'''SMII Mondher'''</td><br />
<td>https://twitter.com/smii_mondher</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Mohammed Israil'''</td><br />
<td>https://twitter.com/mdisrail2468</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br>https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66299
Zimbra Security Advisories
2019-04-19T03:40:49Z
<p>Plobbes: added nowrap for some CVE-ID td</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older, unsupported versions often have the same vulnerabilities and should be upgraded to a supported version as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch 11 <br /> 8.8.9 Patch 10 <br /> 8.8.10 Patch 8 <br /> 8.8.11 Patch 4 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch 11 <br /> 8.8.9 Patch 10 <br /> 8.8.10 Patch 8 <br /> 8.8.11 Patch 4 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch 10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch 9 <br /> 8.8.9 Patch 10 <br /> 8.8.10 Patch 7 <br /> 8.8.11 Patch 3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td nowrap>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch 9 <br /> 8.8.10 Patch 5 <br /> 8.8.11 Patch 1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch 8 <br /> 8.8.9 Patch 9 <br /> 8.8.10 Patch 5 <br /> 8.8.11</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch 7 <br /> 8.8.9 Patch 7 <br /> 8.8.10 Patch 2 <br /> 8.8.11</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch 7 <br /> 8.8.9 Patch 6 <br /> 8.8.10 Patch 1 <br /> 8.8.11</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch 6 <br /> 8.8.8 Patch 9 <br /> 8.8.9 Patch 3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch 7 <br /> 8.8.9 Patch 1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 11 <br /> 8.7.11 Patch 4 <br /> 8.8.8 Patch 4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch 3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch 3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 10 <br /> 8.7.11 Patch 3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch 10 <br /> 8.7.11 Patch 2 <br /> 8.8.8 Patch 1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 10 <br /> 8.7.11 Patch 1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 9 <br /> 8.7.11 Patch 1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 10 <br /> 8.7.11 Patch 3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 9 <br /> 8.7.11 Patch 1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch 9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch 10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch 11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerabilities in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try now Zimbra Collaboration without any cost with the 60-day free Trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute in the Community, in the Wiki, in the Code, or developing Zimlets. <br /> '''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube Channel to keep posted about Webinars, technology news, Product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66298
Security Center
2019-04-19T03:38:51Z
<p>Plobbes: added CVE-2019-11318 for 109117</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P11 8.7.11 Patch 11],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P8 8.8.10 Patch 8] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P4 8.8.11 Patch 4]<br />
were released on April 15, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
</ul><br />
<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10]<br />
also adds one additional security fix (already included in earlier updates of the other releases mentioned above):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1 ZCS 8.8.12 Patch 1] was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109117 Bug 109117] - Persistent XSS - Drive ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 15, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.12 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]<br />
was released on April 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
<li> Upgrades to the following third-party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include a security fix for the following (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786] and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
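<p class="text-justify">The two preference workarounds above (zimbraPrefUseKeyboardShortcuts in the 8.6.0 Patch 9 note and zimbraPrefShortEmailAddress here) both need the attribute set on every class of service and on any account that overrides it, since an account-level value takes precedence over the COS. The following script is an added example, not part of this page or of ZCS itself; it assumes the zmprov subcommands gac/mc (list and modify COS) and gaa/ma (list and modify accounts), and prints the commands for review by default (DRY_RUN=0 executes them).</p>

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): push a preference attribute such as
# zimbraPrefShortEmailAddress or zimbraPrefUseKeyboardShortcuts to every class
# of service and, optionally, every account, so per-account overrides are
# caught as well. Assumes the zmprov subcommands gac/mc (COS) and gaa/ma
# (account). Commands are printed for review by default; DRY_RUN=0 runs them.

ZMPROV="${ZMPROV:-zmprov}"

# Constructed sample of `zmprov gac` output, used when COS_LIST is set so the
# script can be exercised without a Zimbra server.
SAMPLE_COS='default
sales_cos
executive_cos'

# list_targets SCOPE: one name per line; SCOPE is "cos" or "account".
# COS_LIST / ACCOUNT_LIST override the live zmprov query (offline use).
list_targets() {
    case "$1" in
        cos)     if [ -n "${COS_LIST:-}" ]; then printf '%s\n' "$COS_LIST"; else "$ZMPROV" gac; fi ;;
        account) if [ -n "${ACCOUNT_LIST:-}" ]; then printf '%s\n' "$ACCOUNT_LIST"; else "$ZMPROV" gaa; fi ;;
        *)       echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

# build_cmds SCOPE ATTR VALUE: one modify command per target (mc for a COS,
# ma for an account), printed exactly as it would be run.
build_cmds() {
    scope="$1"; attr="$2"; value="$3"
    case "$scope" in cos) verb=mc ;; account) verb=ma ;; *) return 1 ;; esac
    list_targets "$scope" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s %s %s %s %s\n' "$ZMPROV" "$verb" "$name" "$attr" "$value"
    done
}

# count_cmds SCOPE ATTR VALUE: how many targets would be modified.
count_cmds() {
    build_cmds "$1" "$2" "$3" | wc -l | tr -d ' '
}

# apply_pref SCOPE ATTR VALUE: print the commands (DRY_RUN=1, the default)
# or execute them (DRY_RUN=0), stopping at the first failing zmprov call.
apply_pref() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_cmds "$1" "$2" "$3"
    else
        build_cmds "$1" "$2" "$3" | sh -e
    fi
}

# demo: the Mailsploit mitigation, dry-run, against the constructed COS list.
demo() {
    ( COS_LIST="$SAMPLE_COS"; apply_pref cos zimbraPrefShortEmailAddress FALSE )
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

<p class="text-justify">Run it first with the default dry run and read the generated commands; then repeat with DRY_RUN=0 as the zimbra user. The account scope (ACCOUNT_LIST or zmprov gaa) is what actually clears a preference a user has already changed in their own settings, which a COS-only change leaves untouched.</p>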
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privileges):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
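<p class="text-justify">The workaround only works when all three layers above agree: the variable must be exported in zimbra's profile, survive sudo's environment reset, and be imported by Postfix. The script below is an added example, not part of the wiki workaround, that checks each layer from the relevant file. Paths are parameters so it can be pointed at the real files (as root) or at the constructed samples it writes itself; the "key = value" output format of zmlocalconfig is an assumption of the third check.</p>

```shell
#!/bin/sh
# Added example, not part of the wiki workaround above: check that all three
# layers of the OPENSSL_ia32cap workaround are in place. Paths are parameters
# so the checks run against the real files (as root) or against constructed
# samples written by make_samples.

CAP_MASK='~0x200000200000000'   # mask value from the workaround above

# Layer 1: zimbra's .bash_profile exports exactly the expected mask.
has_profile_export() {
    grep -Eq "^[[:space:]]*export[[:space:]]+OPENSSL_ia32cap=[\"']?${CAP_MASK}[\"']?[[:space:]]*\$" "$1"
}

# Layer 2: sudoers keeps the variable when root becomes zimbra via sudo.
has_sudoers_env_keep() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?OPENSSL_ia32cap"?' "$1"
}

# Layer 3: Postfix imports the variable. FILE holds the output of
# `zmlocalconfig postfix_import_environment` (assumed format: "key = value").
has_postfix_import() {
    grep -Eq '^postfix_import_environment[[:space:]]*=.*OPENSSL_ia32cap' "$1"
}

# Runtime: the mask reached the current process (e.g. when run as
# `sudo -u zimbra sh -c '. ~/.bash_profile; ...'` after the layers are set).
runtime_has_mask() {
    [ "${OPENSSL_ia32cap:-}" = "$CAP_MASK" ]
}

# count_missing PROFILE SUDOERS LOCALCONFIG: report each absent layer on
# stderr and print how many are missing (0 means the workaround is complete).
count_missing() {
    n=0
    has_profile_export "$1"   || { echo "missing: export line in $1" >&2; n=$((n+1)); }
    has_sudoers_env_keep "$2" || { echo "missing: env_keep line in $2" >&2; n=$((n+1)); }
    has_postfix_import "$3"   || { echo "missing: postfix import in $3" >&2; n=$((n+1)); }
    echo "$n"
}

# make_samples: write constructed sample files (a complete set, plus a
# sudoers file without the env_keep line) and print the directory.
make_samples() {
    d=$(mktemp -d)
    printf '# workaround CVE-2016-2107\nexport OPENSSL_ia32cap="%s"\n' "$CAP_MASK" > "$d/profile_ok"
    printf 'Defaults env_reset\nDefaults env_keep += "OPENSSL_ia32cap"\n' > "$d/sudoers_ok"
    printf 'postfix_import_environment = OPENSSL_ia32cap\n' > "$d/localconfig_ok"
    printf 'Defaults env_reset\n' > "$d/sudoers_missing"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    # Check the real files; capture the localconfig key into a temp file first.
    lc=$(mktemp)
    zmlocalconfig postfix_import_environment > "$lc"
    count_missing /opt/zimbra/.bash_profile /etc/sudoers "$lc"
fi
```

<p class="text-justify">A result of 0 from count_missing means the configuration is complete; it does not prove the library honours the mask, so the tool linked above (https://filippo.io/CVE-2016-2107/) remains the final test against the running MTA and proxy.</p>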
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br /><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impact on Collab appears to be minimal and is currently limited to the MTA, specifically to possible cipher-setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, anyone concerned about Logjam-style MitM attacks (downgrading a connection to export-grade Diffie-Hellman, whose 512-bit groups are within reach of precomputation) should avoid the 'export' and 'low' cipher grades in Postfix. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows these lower grades for opportunistic TLS. Raising the grade to 'medium' can reduce interoperability with some peers and may cause some of them to fall back to an unencrypted (cleartext) connection instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in light of the FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it can be argued that ciphers below 'medium' now provide only an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers, with the hope that complete deprecation of these ciphers will come soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: Collab 8.0.x runs on Java 1.7. Unfortunately, in Java 1.7 the server-side DH parameters are hard-coded to 768 bits (except with export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always front the mailbox server with the (Nginx) Proxy, so that TLS is terminated by nginx/OpenSSL rather than by Java. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
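As an added example (not part of this wiki post and not a Zimbra tool), the following POSIX shell script audits Postfix's TLS cipher-grade settings for the 'export' and 'low' grades discussed above. It reads "name = value" lines such as those printed by postconf, flags any grade below 'medium' and any exclude list that does not rule out both EXPORT and LOW, and shows a weak configuration beside a hardened one. The two sample configurations are constructed, and the hardened exclude list (adding aNULL, eNULL and RC4 to EXPORT and LOW) is an assumed example rather than a Zimbra-published setting. On a Zimbra MTA, main.cf is generated from LDAP, so change the grade through the Zimbra attributes described on the linked MTA Ciphers page rather than by editing main.cf, and use a script like this only to verify the result.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: audit Postfix TLS cipher grades
# for the export/low grades the Logjam/FREAK guidance says to avoid.
# Input is "name = value" text as printed by `postconf`; the samples at the
# bottom are constructed so the script runs offline.

# Map a Postfix cipher grade to a number so grades can be compared.
# Anything unknown (including "null" and "export") ranks as weakest.
cipher_grade_rank() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        high)   echo 3 ;;
        medium) echo 2 ;;
        low)    echo 1 ;;
        *)      echo 0 ;;
    esac
}

# Read postconf-style lines on stdin and print one finding per weak setting.
# Returns 0 when every grade is at least "medium" and every exclude list
# names both EXPORT and LOW; returns 1 when something weaker was found.
audit_postfix_ciphers() {
    findings=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
        name=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        value=$(printf '%s' "${line#*=}" | tr -d ' \t')
        case "$name" in
            smtpd_tls_ciphers|smtp_tls_ciphers|smtpd_tls_mandatory_ciphers|smtp_tls_mandatory_ciphers)
                if [ "$(cipher_grade_rank "$value")" -lt 2 ]; then
                    echo "WEAK: $name = $value (permits export/low-grade suites)"
                    findings=$((findings + 1))
                fi ;;
            smtpd_tls_exclude_ciphers|smtp_tls_exclude_ciphers)
                case "$value" in
                    *EXPORT*LOW*|*LOW*EXPORT*) ;;
                    *) echo "WEAK: $name = $value (does not exclude both EXPORT and LOW)"
                       findings=$((findings + 1)) ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: an MTA still at the 'export' grade with no exclusions,
# i.e. the "lower ciphers allowed by default" situation described above.
WEAK_CONFIG='smtpd_tls_ciphers = export
smtp_tls_ciphers = export
smtpd_tls_exclude_ciphers =
smtp_tls_exclude_ciphers ='

# Constructed sample 2: the hardened values (assumed example, not a Zimbra
# published setting): 'medium' grade plus an explicit exclude list.
HARDENED_CONFIG='smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, RC4
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, RC4'

echo "--- weak configuration ---"
printf '%s\n' "$WEAK_CONFIG" | audit_postfix_ciphers || echo "result: weak ciphers permitted"
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_CONFIG" | audit_postfix_ciphers && echo "result: ok"
```

On a live MTA, feed the real values in with "postconf smtpd_tls_ciphers smtp_tls_ciphers smtpd_tls_exclude_ciphers smtp_tls_exclude_ciphers | audit_postfix_ciphers" (postconf prints defaults as well as explicitly set values, which matters here because the weak grade is the default on older Postfix releases).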
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption): a vulnerable client accepts a 512-bit RSA_EXPORT key from the server even though it never offered an export cipher suite, and an attacker who has factored that key can complete the handshake and read the session. [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit RSA, the maximum key size permitted under the U.S. export controls of the 1990s. The Washington Post piece goes on to say that a 512-bit RSA key can be factored today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library (glibc).</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability was found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and is tracked as [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the underlying bug (a buffer overflow in __nss_hostname_digits_dots(), reachable through gethostbyname()) was fixed upstream in May 2013, between glibc 2.17 and 2.18, but at the time was not categorized as a security issue, so many long-term-support distributions kept shipping the older, vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. Although Linux updates do not usually require a reboot, glibc is loaded into every running process, so restart all services (or reboot) after updating to ensure that no long-running process is still using the old library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the recently reported variant of the POODLE attack against TLS (as opposed to the original SSLv3 POODLE), which affects TLS implementations that fail to check the CBC padding bytes. SSL/TLS services in ZCS come from OpenSSL and Java. OpenSSL is not affected by this variant (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team has discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a&nbsp;very specific&nbsp;scenario in which a user within Zimbra Community 8.0 is able to view a user's password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a<span class="Apple-converted-space">&nbsp;</span>[https://www.openssl.org/news/secadv_20140605.txt security advisory].<span class="Apple-converted-space">&nbsp;</span>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]<span class="Apple-converted-space">&nbsp;</span>can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to the OpenSSL shipped in ZCS 8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS 8 as released today are vulnerable. ZCS 7 ships OpenSSL 1.0.0; per the OpenSSL advisory, the server side of this attack is only known to work against 1.0.1 and 1.0.2-beta1, so ZCS 7 servers are not affected (the advisory does note that all OpenSSL client versions are vulnerable when talking to a vulnerable server, and recommends upgrading earlier servers as a precaution).</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for this OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct, patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to the OpenSSL shipped in ZCS 8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS 8 as released today are vulnerable. ZCS 7 is not vulnerable because it uses OpenSSL 1.0.0, which does not contain the TLS heartbeat code; only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 betas) are vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: the vulnerable code has been in OpenSSL since 1.0.1 (2012), and there are reports of exploitation before the public disclosure. As such, the private SSL keys for your platform may already have been compromised, and an attacker holding them can decrypt recorded sessions that used RSA key exchange as well as impersonate your servers. After patching, it is recommended to generate new private keys and have your certificates reissued on the new keys (reissuing a certificate on the same key does not help), then revoke the old certificates. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>As root:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates output like the following:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>Then, as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch would require the following steps:<br /><br />1) Download the appropriate openssl build:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">cd /tmp</span><br /><span style="font-family: courier new,courier;">wget the correct version, from this list:</span></p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>2) Before unpacking, compare the download against the value in the matching .md5sum file listed above (md5sum /tmp/openssl-NEWVERSION.tgz); do not install a tarball whose checksum does not match.</p><br />
<p>3) As root, set the old OpenSSL tree aside and unpack the patched one (OLDVERSION and NEWVERSION are the version strings in the existing directory name and in the tarball name):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /opt/zimbra<br />
mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>4) As the zimbra user, restart the services so that they pick up the new library:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library still contains the dtls1_heartbeat symbol. Zimbra's patched builds disable TLS heartbeats entirely, so the absence of the symbol is the indicator. Note that this test is specific to heartbeat-disabled builds: a library fixed by bounds-checking alone (as in upstream OpenSSL 1.0.1g) still contains the symbol.</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
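<p>The three checks above, folded into one script. This is an added example and is not part of the advisory or of Zimbra's tooling: the symbol name <span style="font-family: courier new,courier;">dtls1_heartbeat</span>, the library path <span style="font-family: courier new,courier;">/opt/zimbra/openssl/lib/libssl.so</span> and the fixed 8.0.7 build number 6021 are taken from the advisory; the function names and the final check (that no running daemon still maps a libssl which has since been replaced on disk) are my own additions.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra advisory): the three checks above in one
# script. Assumed from the advisory: the heartbeat symbol name
# "dtls1_heartbeat", the library path /opt/zimbra/openssl/lib/libssl.so and
# the fixed 8.0.7 build number 6021. Function names are mine.

# Classify the first line of `zmcontrol -v`, e.g.
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
# Prints one of: fixed-build, vulnerable-build, 8.0.3-repatch, check-library.
zmcontrol_verdict() {
    zv_line=$1
    zv_parsed=$(printf '%s\n' "$zv_line" |
        sed -n 's/^Release \([0-9][0-9.]*\)_GA_\([0-9]*\).*/\1 \2/p')
    [ -n "$zv_parsed" ] || { echo "unparsed"; return 1; }
    set -- $zv_parsed               # $1 = version, $2 = build number
    case $1 in
        8.0.3) echo "8.0.3-repatch" ;;            # re-patch regardless of build
        8.0.7) if [ "$2" -ge 6021 ]; then echo "fixed-build"
               else echo "vulnerable-build"; fi ;;
        *)     echo "check-library" ;;            # version alone is not conclusive
    esac
}

# True if the libssl file still contains the heartbeat extension.
# `grep -a` reads the binary as text, so it works where `strings` is absent.
libssl_has_heartbeat() {
    grep -a -q 'dtls1_heartbeat' "$1"
}

# Daemons started before the re-patch keep the OLD libssl mapped until they
# are restarted; the kernel marks such mappings "(deleted)". Prints the PIDs
# (Linux only; run as root to see every process).
procs_with_stale_libssl() {
    grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null | cut -d/ -f3
}

check_host() {   # run as root on the Zimbra server
    ch_ver=$(su - zimbra -c 'zmcontrol -v' | head -n 1)
    echo "zmcontrol: $ch_ver -> $(zmcontrol_verdict "$ch_ver")"
    if libssl_has_heartbeat /opt/zimbra/openssl/lib/libssl.so; then
        echo "libssl: heartbeat extension present -> VULNERABLE, re-patch"
    else
        echo "libssl: heartbeat extension absent -> patched on disk"
        ch_stale=$(procs_with_stale_libssl)
        [ -z "$ch_stale" ] || echo "restart needed, old libssl still mapped by PIDs: $ch_stale"
    fi
}

if [ "${1:-}" = "--run" ]; then check_host; fi
```

<p>Run it as <span style="font-family: courier new,courier;">sh heartbleed-check.sh --run</span> as root on each Zimbra host. A "fixed-build" verdict from zmcontrol is not enough on its own: the library check confirms what is actually installed, and the stale-mapping check catches the common case where the patch was applied but ZCS was never restarted.</p><br />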
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that can lead to Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2, 8.0.2 and all earlier releases</li><br />
</ul><br />
<p>Bug 84547 (Dec 2013) is an XXE vulnerability which, among other things, could be abused to disclose the contents of local files:</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency to get this patched on your platform, as an exploit for Bug 80338 is in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and install bitcoin-mining processes (and potentially other payloads) on some customer systems. You can read about the clean-up steps here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions, and upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.12/P1&diff=66297
Zimbra Releases/8.8.12/P1
2019-04-19T03:37:37Z
<p>Plobbes: added CVE-2019-11318 for 109117</p>
<hr />
<div>{{WIP}}<br />
<br />
__FORCETOC__<br />
<div class='col-md-12'><br />
<div class='col-md-9'><br />
<h1><span id='release-note' class='mw-headline'>Zimbra Collaboration Isaac-Newton-8.8.12-Patch1 GA Release</span></h1><br />
<br />
<div class='col-md-9'><p>Check out the <b>[[#Security Fixes|Security Fixes]], [[#fixed|Fixed Issues]], [[#ng-changelog|Zimbra NG Changelog]] </b> for this version of Zimbra Collaboration. As always, you are encouraged to tell us what you think in the Forums, or open a support ticket to report issues.</p><br />
<div class='alert alert-dark fade in'> <p><b>NOTE: If you are upgrading and/or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read [https://wiki.zimbra.com/wiki/Zimbra_Next_Generation_Modules/Things_To_Know_Before_Upgrading Things to Know Before Upgrading] and [https://wiki.zimbra.com/wiki/Zimbra_Next_Generation_Modules/First_Steps_with_the_Zimbra_NG_Modules First Steps with the Zimbra NG Modules] for critical information before you upgrade.</b></p></div><br />
<h1><span id='Security_Fixes' class='mw-headline'>Security Fixes</span></h1><br />
<p>Information about the security fixes in this patch is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] for details on how issues are handled and rated. You can also refer to the [https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories Security Vulnerability Advisories] register.</p><br />
<br />
<table class='table table-striped table-condensed'><tr><th style='background-color: #f15922; width: 80px;'><span style='color: #ffffff;'>Bug#</span></th><th style='background-color: #f15922;'><span style='color:#ffffff;'>Summary</span></th><th style='background-color: #f15922;'><span style='color: #ffffff;'><strong>CVE-ID</strong></span></th><th style='background-color: #f15922;'><span style='color: #ffffff;'><strong>CVSS<br>Score</strong></span></th><th style='text-align: center; background-color: #f15922;'><span style='color: #ffffff;'><strong>Zimbra<br>Rating</strong></span></th><th style='text-align: center; background-color: #f15922;'><span style='color: #ffffff;'>Fix&nbsp;Patch <br>Version</span></th></tr><br />
<br />
<tr><br />
<td class='col-md-1' style='width:10%;'>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117] </td><td class='col-md-1' style='width:67%;'>Persistent XSS - Drive [CWE-79]</td><td class='col-md-1' style='text-align:left; width:10%'>CVE-2019-11318</td><td class='col-md-1' style='text-align:center; width:4%'>3.5</td><td class='col-md-1' style='text-align:center; width:4%'>Minor</td><td class='col-md-1' style='text-align:center; width:5%'>8.8.12 P1</td></tr><br />
</table><br />
<table class='table table-striped table-condensed' style='margin-top: 0px'><tr><th colspan='2' class='info'><h4><span class='mw-headline' id='fixed'><div>Fixed Issues</div></span></h4></th></tr><tr><td class='col-md-1'><strong>Area</strong></td><td class='col-md-1'><strong>Description</strong></td></tr><tr><br />
<td class='col-md-1' style='width:5%;'>Platform</td><br />
<td class='col-md-1' style='text-align:left;width:78%'>After an upgrade to 8.8.12, IMAP users are unable to access folders with names containing non-ASCII characters. This is fixed in 8.8.12 P1.</td><br />
</tr><br />
</table><br />
<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1">'''Docs:'''<br />
* Fixed preview issue with Chinese filenames in mail<br />
* Docs now handles files with names longer than 255 bytes<br />
* Docs preview now works from email when the attachment filename is not encoded<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* Fixed error handling in the restore wizard when the date is invalid<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Fixed appointment syncing between Android devices and Zimbra accounts, which previously shifted appointments by 1 hour<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Backup:'''<br />
* Fixed restore operation when the target account does not exist<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Zimlet:'''<br />
* Items remain selected after changing view<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Server:'''<br />
* Drive now works in multi-server environments<br />
* Fixed cleanup service errors<br />
* Shares are preserved in multi-server environments<br />
* Fixed inconsistent data in the Drive share cluster service<br />
</td></tr><br />
</table><br />
<br />
=Patch Installation=<br />
<div id='installation'></div><br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have setup local ZCS repository should first update the local repository by following instructions in [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki]<br />
==Install the Patch==<br />
* Note that installing the zimbra-patch package only updates the Zimbra core packages.<br />
<br />
===8.8.12 Patch 1 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.12.1554985662.p1-1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
zimbra-common-core-jar -> 8.8.12.1554873515-1<br />
zimbra-proxy-components -> 1.0.3-1zimbra8.7b1<br />
zimbra-nginx -> 1.7.1-1zimbra8.7b12<br />
zimbra-proxy-patch -> 8.8.12.1554984827.p1-1<br />
zimbra-drive -> 1.0.12.1553795496-1 <br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.12.1554985662.p1-2<br />
zimbra-network-modules-ng -> 5.0.3.1553791408-1<br />
zimbra-docs -> 3.0.0.1544425929-1<br />
zimbra-drive-ng -> 2.0.3.1553795769-1<br />
zimbra-talk -> 4.0.2.1554992028-1<br />
<br />
Refer to the steps below for 8.8.12 Patch 1 installation on Red Hat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id='install'><br />
'''Install/Upgrade zimbra-proxy-components on Proxy node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-proxy-components<br />
* Restart the proxy as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
'''Install/Upgrade zimbra-proxy-patch on Proxy node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-proxy-patch<br />
* Restart the proxy and memcached as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
zmmemcachedctl restart<br />
<br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-mta-patch<br />
* Restart amavisd as the zimbra user:<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch with the command below:<br />
yum install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
</div><br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
yum install zimbra-chat<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
* As root, type the command below:<br />
yum install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
* As root, type the command below:<br />
yum install zimbra-drive-ng<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* Restart the Zimbra mailbox service for the changes to take effect, then enable and start the Drive module:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below to clear the yum cache:<br />
yum clean metadata<br />
* As root, type the command below once so the server sees the new zimbra-patch package in the 8.8.12 patch repository:<br />
yum check-update<br />
* As root, type the command below to update most available packages:<br />
yum update<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id='install2'><br />
'''Install/Upgrade zimbra-proxy-components on Proxy node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-proxy-components<br />
* Restart the proxy as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
'''Install/Upgrade zimbra-proxy-patch on Proxy node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-proxy-patch<br />
* Restart the proxy and memcached as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
zmmemcachedctl restart<br />
<br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-mta-patch<br />
* Restart amavisd as the zimbra user:<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch with the commands below:<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
* As root, type the command below:<br />
apt-get install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
* As root, type the command below:<br />
apt-get install zimbra-drive-ng<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* Restart the Zimbra mailbox service for the changes to take effect, then enable and start the Drive module:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below once so the server sees the new zimbra-patch package in the 8.8.12 patch repository:<br />
apt-get update<br />
* As root, type the command below to update most available packages:<br />
apt-get upgrade<br />
OR<br />
* As root, type the command below to update all available packages plus any kernel updates:<br />
apt-get dist-upgrade<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
</div><br />
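<p>The per-node steps above for both platforms, folded into one script. This is an added example, not Zimbra's own installer and not part of the release notes: the package names, restart commands and the root/zimbra user split come from the steps above; the ROLES, EDITION and DRY_RUN variables, the role names (proxy, mta, store, ldap) and all function names are my own. It upgrades an add-on package only if it is already installed (the patch only applies to installed packages) and restarts each affected service once after all packages are in, as the "system package upgrades" variant above also does.</p><br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra release notes. It turns the per-node
# steps above (Red Hat and Ubuntu) into one script: install the patch
# packages for this node's roles, upgrade only those add-on packages that are
# already installed, then restart each affected service once as the zimbra
# user. Package names and restart commands are the ones in the release notes;
# the ROLES/EDITION/DRY_RUN variables and the function names are mine.
#
# Usage, as root on each node, e.g. a combined proxy+mailstore:
#   ROLES="proxy store" EDITION=NETWORK DRY_RUN=0 sh patch-8812p1.sh

EDITION=${EDITION:-FOSS}   # FOSS or NETWORK
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the plan

# Patch packages per node role, in the order the release notes install them.
role_pkgs() {
    case $1 in
        proxy) echo "zimbra-proxy-components zimbra-proxy-patch" ;;
        mta)   echo "zimbra-mta-patch" ;;
        store) echo "zimbra-patch" ;;
        ldap)  echo "zimbra-ldap-components" ;;
    esac
}
# Service restart each role needs once its packages are in.
role_restart() {
    case $1 in
        proxy) echo "zmproxyctl restart;zmmemcachedctl restart" ;;
        mta)   echo "zmamavisdctl restart" ;;
        store) echo "zmcontrol restart" ;;
        ldap)  echo "ldap restart" ;;
    esac
}
# Add-on packages: upgraded only when already present. All need a mailboxd restart.
ADDONS_FOSS='zimbra-chat'
ADDONS_NETWORK='zimbra-network-modules-ng zimbra-talk zimbra-docs zimbra-drive-ng'

pkg_mgr()     { command -v yum >/dev/null 2>&1 && echo yum || echo apt; }
install_cmd() { [ "$1" = yum ] && echo "yum install -y $2" || echo "apt-get install -y $2"; }

# Which add-on packages are installed on this node (queried via rpm or dpkg).
installed_addons() {
    ia_mgr=$(pkg_mgr)
    for ia_p in $ADDONS_FOSS $ADDONS_NETWORK; do
        if [ "$ia_mgr" = yum ]; then rpm -q "$ia_p" >/dev/null 2>&1 && printf '%s ' "$ia_p"
        else dpkg -s "$ia_p" >/dev/null 2>&1 && printf '%s ' "$ia_p"; fi
    done
    echo
}

# plan MANAGER "ROLES" "INSTALLED_ADDONS": prints one step per line, prefixed
# "root:" or "zimbra:" (the user that must run it).
plan() {
    pl_mgr=$1; pl_roles=$2; pl_present=$3; pl_restarts=; pl_post=
    if [ "$pl_mgr" = yum ]; then echo "root: yum clean metadata"; echo "root: yum check-update"
    else echo "root: apt-get update"; fi
    for pl_role in $pl_roles; do
        for pl_pkg in $(role_pkgs "$pl_role"); do echo "root: $(install_cmd "$pl_mgr" "$pl_pkg")"; done
        pl_restarts="$pl_restarts;$(role_restart "$pl_role")"
    done
    if [ "$EDITION" = NETWORK ]; then pl_addons=$ADDONS_NETWORK; else pl_addons=$ADDONS_FOSS; fi
    for pl_pkg in $pl_addons; do
        case " $pl_present " in *" $pl_pkg "*)
            echo "root: $(install_cmd "$pl_mgr" "$pl_pkg")"
            pl_restarts="$pl_restarts;zmmailboxdctl restart"
            if [ "$pl_pkg" = zimbra-drive-ng ]; then   # Drive must be switched on after the restart
                pl_post="zimbra: zxsuite config global set attribute isDriveEnabledOnStartup value true
zimbra: zxsuite drive doStartService module"
            fi ;;
        esac
    done
    # zmcontrol restart bounces every service, so it replaces the others;
    # otherwise emit each distinct restart once, in the order first needed.
    case ";$pl_restarts;" in
        *";zmcontrol restart;"*) echo "zimbra: zmcontrol restart" ;;
        *) printf '%s\n' "$pl_restarts" | tr ';' '\n' | awk 'NF && !seen[$0]++ { print "zimbra: " $0 }' ;;
    esac
    [ -z "$pl_post" ] || printf '%s\n' "$pl_post"
}

# Execute a plan read from stdin: root steps via sh, zimbra steps via su.
apply() {
    while IFS= read -r ap_step; do
        ap_who=${ap_step%%:*}; ap_cmd=${ap_step#*: }
        echo "[$ap_who] $ap_cmd"
        if [ "$DRY_RUN" != 1 ]; then
            if [ "$ap_who" = zimbra ]; then su - zimbra -c "$ap_cmd" || exit 1
            else sh -c "$ap_cmd"; ap_rc=$?
                 # yum check-update exits 100 when updates exist; that is not an error
                 [ "$ap_rc" = 0 ] || [ "$ap_rc" = 100 ] || exit 1; fi
        fi
    done
}

if [ -n "${ROLES:-}" ]; then plan "$(pkg_mgr)" "$ROLES" "$(installed_addons)" | apply; fi
```

<p>With the default DRY_RUN=1 the script only prints the plan, so it can be reviewed on each node before anything is installed. It passes <span style="font-family: courier new,courier;">-y</span> to yum and apt-get where the steps above are interactive; drop that if you prefer to confirm each package. The usual caveats from "Before Installing the Patch" still apply: take a full backup first, and there is no roll-back.</p><br />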
<h1><span class='mw-headline' id='Quick_note:_Open_Source_repo'>Quick note: Open Source repo</span></h1><p>Downloading and building the Zimbra code? Starting with ZCS 8.7.6, there are new steps to download, build and browse our code via GitHub:</p><ul><li>[https://github.com/Zimbra/zm-build https://github.com/Zimbra/zm-build]</li></ul></div><br />
</div><div class='col-md-3'>{{GuidePosts}}</div><br />
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66296
Zimbra Security Advisories
2019-04-18T20:01:28Z
<p>Plobbes: added CVE-ID CVE-2019-11318 for bug 109117</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
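<p>The score column in the table below links each entry to its CVSS v2 vector. The shell function that follows recomputes the v2 base score from such a vector, so the table's scores, or a score you assign while triaging a report, can be checked. It is an added example and not part of this page: the weights and formula are the published CVSS v2 base equation, the severity bands are NVD's v2 bands (not Zimbra's own Minor/Major rating), and the function names are my own.</p><br />

```shell
#!/bin/sh
# Added example, not part of the advisories page. Recomputes a CVSS v2 base
# score from a vector string such as the ones linked in the table's score
# column. Weights and formula: the published CVSS v2 base equation. Severity
# bands: NVD's v2 bands, not Zimbra's Minor/Major rating. Function names mine.

cvss2_base() {   # $1 = vector such as '(AV:N/AC:H/Au:N/C:P/I:N/A:N)'; prints score or "invalid"
    printf '%s\n' "$1" | tr -d '()' | tr '/' '\n' | awk -F: '
        BEGIN {
            w["AV","L"] = 0.395; w["AV","A"] = 0.646; w["AV","N"] = 1.0
            w["AC","H"] = 0.35;  w["AC","M"] = 0.61;  w["AC","L"] = 0.71
            w["Au","M"] = 0.45;  w["Au","S"] = 0.56;  w["Au","N"] = 0.704
            w["C","N"] = 0; w["C","P"] = 0.275; w["C","C"] = 0.660
            w["I","N"] = 0; w["I","P"] = 0.275; w["I","C"] = 0.660
            w["A","N"] = 0; w["A","P"] = 0.275; w["A","C"] = 0.660
        }
        # one metric per line; count distinct metrics so a missing or
        # duplicated one is rejected instead of silently scored as 0
        { if (($1, $2) in w) { if (!($1 in m)) cnt++; m[$1] = w[$1, $2] } else bad = 1 }
        END {
            if (bad || cnt != 6) { print "invalid"; exit 1 }
            impact  = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
            exploit = 20 * m["AV"] * m["AC"] * m["Au"]
            f = (impact == 0) ? 0 : 1.176
            printf "%.1f\n", ((0.6 * impact) + (0.4 * exploit) - 1.5) * f
        }'
}

cvss2_severity() {   # NVD CVSS v2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
    awk -v s="$1" 'BEGIN { v = (s+0 >= 7.0) ? "High" : (s+0 >= 4.0) ? "Medium" : "Low"; print v }'
}

# First vector in the table below: prints "2.6 Low"
cb_score=$(cvss2_base '(AV:N/AC:H/Au:N/C:P/I:N/A:N)')
echo "$cb_score $(cvss2_severity "$cb_score")"
```

<p>The base score ignores temporal and environmental metrics, which is also what the table reports; an exploit being public, or the affected host being internet-facing, changes the temporal and environmental scores and should feed into your own patch priority even when the base score is low.</p><br />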
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-11318 CVE-2019-11318]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try Zimbra Collaboration at no cost with the 60-day free trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute to the Community, the Wiki or the Code, or by developing Zimlets. <br /> '''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube channel to stay up to date on webinars, technology news, product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66293
Security Center
2019-04-17T04:17:22Z
<p>Plobbes: Fix link for 8.8.12/P1</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P11 8.7.11 Patch 11],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P8 8.8.10 Patch 8] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P4 8.8.11 Patch 4]<br />
were released on April 15, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
</ul><br />
<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10]<br />
adds one additional security fix (already included in earlier updates of the other releases mentioned above):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12/P1 ZCS 8.8.12 Patch 1] was also released on April 15, 2019. The fixes mentioned above were in the initial release for 8.8.12, but this patch adds one additional security fix:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 Bug 109117] - Persistent XSS - Drive ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 15, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.12 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]<br />
was released on April 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
<li> Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include security fixes for (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786] and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
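The two workarounds above (zimbraPrefUseKeyboardShortcuts for the 8.6.0 Patch9 XSS issues, zimbraPrefShortEmailAddress for Mailsploit) both ask an administrator to set a zimbraPref* attribute to FALSE for all users and classes of service. As an added example that is not part of this wiki page or of Zimbra's own tooling, the script below applies such a setting to every COS and every account with zmprov and then reads it back to confirm it took effect. The ZMPROV variable and the function names are this example's own; it assumes it runs as the zimbra user on a server where zmprov is on PATH.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: apply a zimbraPref* workaround
# (zimbraPrefShortEmailAddress=FALSE for Mailsploit, zimbraPrefUseKeyboardShortcuts=FALSE
# for CVE-2017-8802 / CVE-2017-17703) to every class of service and every account,
# then read it back. Assumes it runs as the zimbra user with zmprov on PATH.
# ZMPROV (overridable, e.g. for a dry run) and the function names are this
# example's own, not Zimbra tooling.
ZMPROV="${ZMPROV:-zmprov}"

# Apply ATTR=VALUE to every COS. "zmprov gac" lists COS names one per line and
# "zmprov mc" modifies a COS. Returns non-zero if listing or any modify fails.
set_pref_on_all_cos() {
    attr="$1"; value="$2"
    cos_list=$("$ZMPROV" gac) || return 1
    printf '%s\n' "$cos_list" | while read -r cos; do
        [ -n "$cos" ] || continue
        # exit leaves the pipeline subshell with status 1, which the function returns
        "$ZMPROV" mc "$cos" "$attr" "$value" || exit 1
    done
}

# Account-level zimbraPref* values override the COS value, and users can change
# these preferences themselves, so the COS change alone leaves accounts that
# already overrode it unprotected. "zmprov gaa" lists accounts; "zmprov ma" modifies one.
set_pref_on_all_accounts() {
    attr="$1"; value="$2"
    acct_list=$("$ZMPROV" gaa) || return 1
    printf '%s\n' "$acct_list" | while read -r acct; do
        [ -n "$acct" ] || continue
        "$ZMPROV" ma "$acct" "$attr" "$value" || exit 1
    done
}

# Read ATTR back from every COS ("zmprov gc COS ATTR" prints a "# name COS" header
# followed by "ATTR: VALUE") and report any COS whose value differs from EXPECTED.
# Returns 0 only when every COS matches.
verify_pref_on_all_cos() {
    attr="$1"; expected="$2"
    cos_list=$("$ZMPROV" gac) || return 1
    printf '%s\n' "$cos_list" | while read -r cos; do
        [ -n "$cos" ] || continue
        got=$("$ZMPROV" gc "$cos" "$attr" | sed -n "s/^$attr: //p")
        if [ "$got" != "$expected" ]; then
            printf 'COS %s: %s=%s, expected %s\n' "$cos" "$attr" "$got" "$expected" >&2
            exit 1
        fi
    done
}

# Usage: sh zmpref-workaround.sh zimbraPrefShortEmailAddress FALSE
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ]; then
    set_pref_on_all_cos "$1" "$2" \
        && set_pref_on_all_accounts "$1" "$2" \
        && verify_pref_on_all_cos "$1" "$2"
fi
```

The verification step is the part worth keeping even if you apply the change by hand: a COS-level change that a user's own account preference overrides looks complete in the admin console but is not, and reading the attribute back is the only way to know the workaround is actually in force. On a large site the per-account `zmprov ma` loop is slow; run it once, off-peak, and re-run only the verification afterwards.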
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services that is required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
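<p class="text-justify">The three-part workaround above is easy to get half-applied (the export present but sudo dropping the variable, or Postfix never importing it). The following is an added example, not Zimbra tooling: it applies the two file edits idempotently and verifies all three pieces. File paths are passed in so it can be run against scratch copies; the Postfix check takes the current value of the postfix_import_environment localconfig key as text rather than calling zmlocalconfig itself.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): apply and verify the
# CVE-2016-2107 OPENSSL_ia32cap workaround described in the post above.

# The mask from the workaround. Clearing these OPENSSL_ia32cap bits hides
# AES-NI (and PCLMULQDQ) from OpenSSL, so the vulnerable AES-NI CBC-MAC
# code path is never selected at runtime.
IA32CAP_MASK='~0x200000200000000'
PROFILE_LINE="export OPENSSL_ia32cap=\"${IA32CAP_MASK}\""
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# append_once FILE LINE [COMMENT]: append LINE (preceded by COMMENT) to FILE
# unless an identical line is already present, so re-runs are harmless.
append_once() {
    file=$1; line=$2; comment=$3
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    [ -n "$comment" ] && printf '%s\n' "$comment" >> "$file"
    printf '%s\n' "$line" >> "$file"
}

# apply_workaround PROFILE SUDOERS: write the .bash_profile export and the
# sudoers env_keep line. On a real server: /opt/zimbra/.bash_profile and
# /etc/sudoers (edit the latter via visudo on production systems).
# The Postfix half is still done as in the post:
#   zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
apply_workaround() {
    append_once "$1" "$PROFILE_LINE" "# workaround CVE-2016-2107"
    append_once "$2" "$SUDOERS_LINE" "# workaround CVE-2016-2107"
}

# has_setting FILE LINE: succeeds when LINE is present in FILE as a whole
# line (leading whitespace ignored); a commented-out copy does not count.
has_setting() {
    sed 's/^[[:space:]]*//' "$1" 2>/dev/null | grep -qxF -- "$2"
}

# verify_workaround PROFILE SUDOERS POSTFIX_IMPORT_ENV
#   POSTFIX_IMPORT_ENV is the current value of postfix_import_environment,
#   e.g. the output of: zmlocalconfig -m nokey postfix_import_environment
# Prints each missing piece; returns 0 only when all three are in place.
verify_workaround() {
    missing=0
    has_setting "$1" "$PROFILE_LINE" || { echo "missing: OPENSSL_ia32cap export in $1"; missing=1; }
    has_setting "$2" "$SUDOERS_LINE" || { echo "missing: env_keep line in $2"; missing=1; }
    case "$3" in
        *OPENSSL_ia32cap*) ;;
        *) echo "missing: OPENSSL_ia32cap in postfix_import_environment"; missing=1 ;;
    esac
    return $missing
}
```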
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, whereas this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to in-the-clear communication channels instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
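<p class="text-justify">To check where a Postfix instance stands on the cipher grades discussed above, here is an added example (not from this wiki page or Zimbra's tooling) that audits "name = value" lines as printed by postconf and flags any cipher-grade parameter set below 'medium'. The parameter names are real Postfix parameters; the sample postconf output is constructed.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): audit Postfix cipher grades for
# the 'export'/'low' settings the Logjam note above says to avoid.
# Input: a file of "name = value" lines, e.g. saved output of "postconf -n".

# Postfix parameters that select a TLS cipher grade. The *_mandatory_*
# ones apply when TLS is required; the others to opportunistic TLS.
CIPHER_PARAMS='smtpd_tls_ciphers smtpd_tls_mandatory_ciphers smtp_tls_ciphers smtp_tls_mandatory_ciphers'

# grade_is_weak GRADE: succeeds when GRADE is below 'medium'
# (Postfix grade names are case-insensitive).
grade_is_weak() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        export|low|null) return 0 ;;
        *) return 1 ;;
    esac
}

# postconf_value FILE PARAM: last value assigned to PARAM in FILE, with
# surrounding whitespace stripped; empty when the parameter is not set.
postconf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_postconf FILE: prints one WEAK line per offending parameter.
# Returns 0 when no grade below 'medium' is explicitly set, 1 otherwise.
# An unset parameter is not reported here: its effective value is the
# compiled-in default, which "postconf -d" shows for your Postfix version.
audit_postconf() {
    weak=0
    for p in $CIPHER_PARAMS; do
        v=$(postconf_value "$1" "$p")
        if [ -n "$v" ] && grade_is_weak "$v"; then
            echo "WEAK: $p = $v (raise to at least 'medium')"
            weak=1
        fi
    done
    return $weak
}

# write_sample_postconf FILE: constructed sample with one weak opportunistic
# grade and one weak mandatory grade, plus two acceptable settings.
write_sample_postconf() {
    cat > "$1" <<'EOF'
smtpd_tls_security_level = may
smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = LOW
EOF
}
```

Run it against live settings with `postconf -n > /tmp/postconf.txt; audit_postconf /tmp/postconf.txt`; a clean result only means nothing weaker than 'medium' is set explicitly, so still confirm the defaults of the installed Postfix.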
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack; the vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export grade encryption (READ: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], means 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say that 512-bit encryption can be cracked today in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE 2015-0235]. It should be noted that the vulnerability was patched in v2.17 of the library, but at the time it was not categorized as a security issue, so many distributions kept shipping older stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE 2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, one is recommended here to ensure all running services pick up the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported variant of the POODLE attack against TLS. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed, and having been actively attacked, since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>Then, as user zimbra:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch would require the following steps:<br /><br />1) Download the appropriate openssl build:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">cd /tmp</span><br /><span style="font-family: courier new,courier;">wget the correct version, from this list:</span></p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p><br />(as root)<br /><span style="font-family: courier new,courier;">2) cd /opt/zimbra</span><br /><span style="font-family: courier new,courier;">3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart</span><br /><span style="font-family: courier new,courier;">4) tar xfz /tmp/openssl-NEWVERSION.tgz</span><br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">5) su - zimbra</span><br /><span style="font-family: courier new,courier;">6) zmcontrol restart</span></p><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:<br /><br /><span style="font-family: courier new,courier;"># su - zimbra</span><br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br /><span style="font-family: courier new,courier;">Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.</span><br /><br />3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:<br /><br /><strong>Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span><br /><br /><strong>Not Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span></p><br />
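<p>As an added example (not part of the advisory or of Zimbra's own tooling), the POSIX shell helpers below package the checks from the manual patching and testing steps above: verifying a downloaded openssl tarball against its .md5sum file before it is untarred into /opt/zimbra, reading the build number out of <span style="font-family: courier new,courier;">zmcontrol -v</span> output, and testing libssl.so for the dtls1_heartbeat string with grep -a in place of strings. The function names and the sample inputs in the comments are assumptions; the paths are the advisory's own.</p><br />

```shell
#!/bin/sh
# Added example, not from the Zimbra advisory: helper checks for the Heartbleed
# patch procedure. Inputs are passed as arguments or file paths so the checks
# run offline; the paths in the comments are the advisory's own.

# Verify a downloaded openssl tarball against its published .md5sum file
# before it is untarred into /opt/zimbra (the manual steps never check it).
# Usage: verify_openssl_tarball /tmp/openssl-1.0.1f.tgz /tmp/openssl-1.0.1f.tgz.md5sum
# Returns 0 when the digest matches, 1 on mismatch or missing files.
verify_openssl_tarball() {
    tgz="$1"
    md5file="$2"
    [ -r "$tgz" ] && [ -r "$md5file" ] || return 1
    # The .md5sum file has the form "<hex>  <filename>"; only the hex matters.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$md5file")
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$tgz" | awk '{ print tolower($1) }')
    else
        # openssl dgst prints "MD5(file)= <hex>"; take the last field.
        actual=$(openssl dgst -md5 "$tgz" | awk '{ print tolower($NF) }')
    fi
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Pull the build number out of a `zmcontrol -v` release line such as
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
# Prints the number (6021 here); prints nothing and returns 1 if it does not parse.
zcs_build_number() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9][0-9]*\)\..*/\1/p' | grep .
}

# ZCS 8.0.7 builds before 6021 shipped the unpatched OpenSSL and still need
# zmopenssl-updater.sh; 6021 (and, assumed here, any later rebuild) does not.
zcs_807_build_patched() {
    n=$(zcs_build_number "$1") || return 1
    [ "$n" -ge 6021 ]
}

# The advisory's test: a libssl.so that still contains the string
# dtls1_heartbeat was built with TLS heartbeat support and is vulnerable.
# grep -a scans the binary directly, so this works without binutils' strings.
# Usage: libssl_has_heartbeat /opt/zimbra/openssl/lib/libssl.so
# Returns 0 (vulnerable) if found, 1 (not vulnerable) if absent, 2 if unreadable.
libssl_has_heartbeat() {
    [ -r "$1" ] || return 2
    grep -aq 'dtls1_heartbeat' "$1"
}

# One-line verdict for a host. Usage: heartbleed_report /opt/zimbra/openssl/lib/libssl.so
# Returns 1 when the library is vulnerable, 0 when it is clean.
heartbleed_report() {
    if libssl_has_heartbeat "$1"; then
        echo "VULNERABLE: $1 still contains dtls1_heartbeat; apply the OpenSSL patch"
        return 1
    fi
    echo "OK: $1 is built without TLS heartbeat"
    return 0
}
```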
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload and install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66284
Zimbra Security Advisories
2019-04-15T04:30:45Z
<p>Plobbes: ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> 8.8.12 Patch 1 </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.7.11 Patch11 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch8 <br /> 8.8.11 Patch4 <br /> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.9 Patch10 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1 <br /> 8.8.12</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2 <br /> 8.8.11 </td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>Uncontrolled Recursion [https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>Improper Access Control [https://cwe.mitre.org/data/definitions/284.html CWE-284] / Observable Discrepancy [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerabilities in the YUI components bundled with ZCS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS 8 OpenSSL for CVE-2014-0224 (CCS injection)</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS 8 OpenSSL for CVE-2014-0160 (Heartbleed)</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
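The CVSS column of the table above lists a v2 base score beside each vector string. The Python below is an added example, not code from the Zimbra wiki or the product, that recomputes the CVSS v2 base score from a vector so a reader can verify the column or compare a vendor advisory against NVD. The weights are the published CVSS v2 constants; the sample rows are copied from the table. One listed value does not survive the check: the second vector for CVE-2015-7609, (AV:N/AC:H/Au:N/C:N/I:P/A:N), computes to 2.6, which is also what the other rows using that same vector list, not the 2.3 shown.

```python
"""CVSS v2 base-score calculator for checking the score column of a
vulnerability table against its published vector strings.
Added example; not part of the Zimbra Security Center page."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights from the CVSS v2 specification.
_AV = {"L": Decimal("0.395"), "A": Decimal("0.646"), "N": Decimal("1.0")}
_AC = {"H": Decimal("0.35"), "M": Decimal("0.61"), "L": Decimal("0.71")}
_AU = {"M": Decimal("0.45"), "S": Decimal("0.56"), "N": Decimal("0.704")}
_CIA = {"N": Decimal("0"), "P": Decimal("0.275"), "C": Decimal("0.660")}

_REQUIRED = {"AV", "AC", "AU", "C", "I", "A"}


def parse_cvss2_vector(vector: str) -> dict:
    """Parse '(AV:N/AC:M/Au:N/C:P/I:P/A:N)' into {'AV': 'N', 'AC': 'M', ...}.

    Accepts the parenthesised form used in NVD calculator links. Metric
    names are upper-cased so a vector written with 'AU:N' instead of
    'Au:N' still parses."""
    cleaned = vector.strip().strip("()")
    metrics = {}
    for part in cleaned.split("/"):
        name, _, value = part.partition(":")
        metrics[name.strip().upper()] = value.strip().upper()
    missing = _REQUIRED - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} is missing metrics {sorted(missing)}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """Compute the CVSS v2 base score (rounded to one decimal, half up)."""
    m = parse_cvss2_vector(vector)
    c, i, a = _CIA[m["C"]], _CIA[m["I"]], _CIA[m["A"]]
    impact = Decimal("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = Decimal("20") * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["AU"]]
    # f(Impact) is 0 when there is no impact at all, else 1.176.
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    raw = (Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")) * f_impact
    return float(raw.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def check_scores(rows):
    """Given (label, vector, listed_score) triples, return the rows whose
    listed score disagrees with the score recomputed from the vector,
    as (label, listed, computed)."""
    mismatches = []
    for label, vector, listed in rows:
        computed = cvss2_base_score(vector)
        if abs(computed - listed) >= 0.05:
            mismatches.append((label, listed, computed))
    return mismatches


# Sample rows copied from the table above (label, vector, listed score).
SAMPLE_ROWS = [
    ("CVE-2016-9924", "(AV:N/AC:M/Au:N/C:P/I:P/A:N)", 5.8),
    ("CVE-2017-7288", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("CVE-2016-3406", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
    ("CVE-2016-3412", "(AV:N/AC:M/Au:S/C:P/I:N/A:N)", 3.5),
    ("CVE-2016-3414", "(AV:N/AC:L/Au:S/C:N/I:N/A:P)", 4.0),
    ("CVE-2013-7217", "(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    ("Bug 85411 local root", "(AV:L/AC:L/Au:S/C:C/I:C/A:N)", 6.2),
    ("Bug 64981 GET login", "(AV:N/AC:M/Au:N/C:P/I:P/A:P)", 6.8),
    # The table lists 2.3 for this vector; the formula gives 2.6.
    ("CVE-2015-7609 (second vector)", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.3),
]

if __name__ == "__main__":
    for label, listed, computed in check_scores(SAMPLE_ROWS):
        print(f"{label}: listed {listed}, computed {computed}")
```

The score is a pure function of the vector, so when two sources disagree on a number (as with the "6.4 (not 10.0)" remark for CVE-2013-7217) the disagreement is really about which vector was assessed, and recomputing from each published vector makes that explicit.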
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66283
Security Center
2019-04-15T04:21:25Z
<p>Plobbes: ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 11, 8.8.9 Patch 10, 8.8.10 Patch 8, 8.8.11 Patch 4 and 8.8.12 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P11 8.7.11 Patch 11],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P8 8.8.10 Patch 8] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P4 8.8.11 Patch 4]<br />
were released on April 15, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
</ul><br />
<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P10 8.8.9 Patch 10]<br />
also adds one additional security fix, which is already included in earlier updates of the other releases mentioned above:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
ZCS 8.8.12 Patch 1 was also released on April 15, 2019. The fixes mentioned above were already in the initial 8.8.12 release; this patch adds one additional security fix:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 Bug 109117] - Persistent XSS - Drive ([https://cwe.mitre.org/data/definitions/79.html CWE-79])</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 15, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.12 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]<br />
was released on April 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
<li> Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include a security fix for the following vulnerability (8.8.x versions are not affected):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include a security fix for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
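<p class="text-justify"><br />
The following check script is an added example, not part of this article or of ZCS itself: given the path to user zimbra's .bash_profile, the path to the sudoers file, and the current value of the postfix_import_environment local config key (as printed by zmlocalconfig), it reports which of the three workaround steps above are still missing. The sample files it writes to a temporary directory are constructed for the stand-alone run.<br />
</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): verify that all three parts of the
# CVE-2016-2107 AES-NI workaround described above are in place.
# The mask "~0x200000200000000" asks OpenSSL to clear CPUID capability bits 57
# (AES-NI) and 33 (PCLMULQDQ), so the vulnerable AES-NI CBC-MAC path is not used.

WORKAROUND_MASK='~0x200000200000000'

# Step 1: the export line must be present in user zimbra's .bash_profile ($1 = path).
has_bash_profile_export() {
    grep -q "^export OPENSSL_ia32cap=\"${WORKAROUND_MASK}\"" "$1"
}

# Step 2: sudoers must preserve the variable across sudo ($1 = path to sudoers).
has_sudoers_env_keep() {
    grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"?OPENSSL_ia32cap"?' "$1"
}

# Step 3: postfix must import the variable. $1 is the value of the
# postfix_import_environment local config key (space separated), for example
# the output of:  zmlocalconfig -m nokey postfix_import_environment  (as user zimbra)
has_postfix_import() {
    case " $1 " in
        *" OPENSSL_ia32cap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports each step and returns the number of missing steps (0 = fully applied).
check_workaround() {
    missing=0
    if has_bash_profile_export "$1"; then
        echo "ok:      .bash_profile exports OPENSSL_ia32cap"
    else
        echo "missing: export OPENSSL_ia32cap=\"${WORKAROUND_MASK}\" in $1"
        missing=$((missing + 1))
    fi
    if has_sudoers_env_keep "$2"; then
        echo "ok:      sudoers keeps OPENSSL_ia32cap"
    else
        echo "missing: Defaults env_keep += \"OPENSSL_ia32cap\" in $2"
        missing=$((missing + 1))
    fi
    if has_postfix_import "$3"; then
        echo "ok:      postfix_import_environment includes OPENSSL_ia32cap"
    else
        echo "missing: zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample input so the script runs stand-alone: a .bash_profile with
# the export, a sudoers line with env_keep, and an empty postfix_import_environment
# value (step 3 never applied), so this run reports exactly one missing step.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bash_profile" <<'EOF'
# workaround CVE-2016-2107
export OPENSSL_ia32cap="~0x200000200000000"
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
Defaults env_keep += "OPENSSL_ia32cap"
EOF
if check_workaround "$SAMPLE_DIR/bash_profile" "$SAMPLE_DIR/sudoers" ""; then
    echo "workaround fully applied"
else
    echo "workaround incomplete: $? step(s) missing"
fi
rm -rf "$SAMPLE_DIR"
```

On a real server, run it as root against /opt/zimbra/.bash_profile, /etc/sudoers and the value printed by zmlocalconfig; a non-zero exit status is the number of steps still to do.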
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, while this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, anyone concerned about Logjam-style (cipher downgrade) MitM attacks should avoid the use of 'export' and 'low' ciphers in Postfix. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of these lower-grade ciphers. Changing the setting to 'medium' can reduce client interoperability and/or may cause some clients to fall back to unencrypted (in-the-clear) communication instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html]).</p><br />
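The cipher-grade check described above, as an added example that is not Zimbra's or Postfix's own code: it reads postconf-style "name = value" lines and flags the smtp/smtpd TLS cipher parameters whose grade is below 'medium'. The function names are my own and the sample postconf output at the bottom is constructed, so it runs without a mail server.

```shell
#!/bin/sh
# Added example, not Zimbra's or Postfix's own code: audit postconf-style
# "name = value" output for the TLS cipher grades ('export', 'low') that the
# Logjam note advises against.

# Read postconf-style lines on stdin and print one finding per cipher-grade
# parameter (smtp_tls_ciphers, smtpd_tls_ciphers and their *_mandatory_*
# variants) whose grade is neither 'medium' nor 'high'. Other parameters are
# ignored. Output lines look like "smtpd_tls_ciphers = export".
postfix_cipher_findings() {
    awk '
        # Parameter names end at the first "="; values may carry spaces.
        /^[a-z_]+[[:space:]]*=/ {
            name = $0;  sub(/[[:space:]]*=.*$/, "", name)
            value = $0; sub(/^[^=]*=[[:space:]]*/, "", value)
            sub(/[[:space:]]+$/, "", value)
            if (name ~ /^smtpd?_tls(_mandatory)?_ciphers$/ &&
                value != "medium" && value != "high")
                printf "%s = %s\n", name, value
        }'
}

# Number of findings on stdin; 0 means nothing below 'medium' was configured.
# awk always exits 0 here, so this is safe to call under `set -e`.
postfix_cipher_finding_count() {
    postfix_cipher_findings | awk 'END { print NR }'
}

# Demonstration on constructed postconf output (not captured from a real host).
demo_postconf='smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = medium
smtp_tls_ciphers = low
smtp_tls_mandatory_ciphers = high
smtpd_tls_security_level = may'

echo "cipher grades below medium:"
printf '%s\n' "$demo_postconf" | postfix_cipher_findings
echo "findings: $(printf '%s\n' "$demo_postconf" | postfix_cipher_finding_count)"
```

This only audits output you feed it; on a Zimbra MTA, persistent changes go through the settings documented on the linked MTA Ciphers page rather than direct main.cf edits.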
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a secure connection down to vulnerable, export-grade encryption (read: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], means 512-bit encryption, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that it is possible to crack 512-bit encryption, today, in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library (glibc).</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in v2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep running older stable versions, i.e. vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. While Linux does not usually require a reboot, a restart is recommended to ensure that all underlying software services are running against the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a&nbsp;very specific&nbsp;scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for this OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to the OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable; only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed, and been actively attacked, since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries; it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>Step 3 generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
</pre><br />
<p>Then wget the correct version from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
<p>Please let Zimbra know promptly of any problems or questions.</p><br />
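The verification steps from the CCS Injection advisory (reading the version token from "openssl version") and from the Heartbleed testing section above (build number 6021 and the dtls1_heartbeat symbol), as an added example that is not Zimbra's own tooling: the function names are my own, and the libssl stand-ins it scans are constructed files, so it runs without a Zimbra install.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: offline checks mirroring the
# verification steps in the advisories: extract the version token from
# `openssl version` output, extract the ZCS build number from `zmcontrol -v`,
# and look for the dtls1_heartbeat symbol name inside a libssl binary.

# Print the version token (e.g. "1.0.1h") from a line such as
# "OpenSSL 1.0.1h 5 Jun 2014"; prints nothing for unexpected input.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Print the build number from a `zmcontrol -v` line such as
# "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition."
zcs_build_number() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9][0-9]*\)\..*/\1/p'
}

# True (exit 0) when an 8.0.7 build already contains the Heartbleed fix,
# i.e. build 6021 or later, as the advisory states.
zcs_807_has_heartbleed_fix() {
    build=$(zcs_build_number "$1")
    [ -n "$build" ] && [ "$build" -ge 6021 ]
}

# True (exit 0) when the shared library still carries the dtls1_heartbeat
# symbol name, the "vulnerable" indicator used in the advisory. tr turns
# non-printable bytes into newlines so grep can scan a binary without the
# binutils `strings` tool.
libssl_has_heartbeat() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'dtls1_heartbeat'
}

# One-word verdict for a libssl path: "vulnerable" or "patched".
heartbleed_verdict() {
    if libssl_has_heartbeat "$1"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Demonstration on constructed input; no real Zimbra install is touched.
demo_dir=$(mktemp -d)
# Constructed stand-ins for libssl.so: a few binary bytes around symbol names.
printf 'ELF\001\002\003dtls1_heartbeat\001ssl3_read\001' > "$demo_dir/libssl-vuln.so"
printf 'ELF\001\002\003ssl3_read\001tls1_enc\001'        > "$demo_dir/libssl-fixed.so"
echo "openssl token:     $(openssl_version_token 'OpenSSL 1.0.1h 5 Jun 2014')"
echo "build number:      $(zcs_build_number 'Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.')"
echo "vulnerable sample: $(heartbleed_verdict "$demo_dir/libssl-vuln.so")"
echo "fixed sample:      $(heartbleed_verdict "$demo_dir/libssl-fixed.so")"
rm -rf "$demo_dir"
```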
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your existing ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66249
Zimbra Security Advisories
2019-04-10T14:29:42Z
<p>Plobbes: add/update links for CVE-IDs</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10948 CVE-2018-10948]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-5721 CVE-2016-5721]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3999 CVE-2016-3999]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-4019 CVE-2016-4019]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3406 CVE-2016-3406]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3407 CVE-2016-3407]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3412 CVE-2016-3412]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3413 CVE-2016-3413]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3405 CVE-2016-3405]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3404 CVE-2016-3404]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3410 CVE-2016-3410]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3411 CVE-2016-3411]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3409 CVE-2016-3409]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3415 CVE-2016-3415]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3414 CVE-2016-3414]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3408 CVE-2016-3408]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>Improper Access Control / Information Exposure Through Discrepancy [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3401 CVE-2016-3401]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-3402 CVE-2016-3402]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7609 CVE-2015-7609]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2249 CVE-2015-2249]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-2230 CVE-2015-2230]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-8563 CVE-2014-8563]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-6541 CVE-2015-6541]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2014-5500 CVE-2014-5500]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66239
Zimbra Security Advisories
2019-04-03T15:14:50Z
<p>Plobbes: 8.8.12 release includes SSRF fixes for CVE-2019-9621 and CVE-2019-6981</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest releases and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> 8.8.12 </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66238
Security Center
2019-04-03T15:11:49Z
<p>Plobbes: 8.8.12 release includes SSRF fixes and 3rd party package updates</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.12 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.12 8.8.12]<br />
was released on April 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109127 Bug 109127] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918] [https://cwe.mitre.org/data/definitions/807.html CWE-807])</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109096 Bug 109096] - SSRF ([https://cwe.mitre.org/data/definitions/918.html CWE-918])</li><br />
<li> Upgrades to the following 3rd party packages were also included: Apache (2.4.38) and PHP (7.3.1)</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> April 3, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
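The three upgrade targets above translate into a small branch-aware version check. The following Python is an added example written for this page, not code from Zimbra or from the Security Center: it accepts versions in the notation this page uses ("8.8.10 Patch 7", "8.6.0 Patch13", "8.8.11") and, as an assumption, the "8.8.11_P3" shorthand; it also assumes that a later micro release on a fixed branch (for example 8.8.12) carries the fix, while any branch the advisory does not list (8.5 and older) does not.

```python
import re
from typing import Optional, Tuple

# Example code for this page, not Zimbra tooling.
# Minimum patched releases taken from the advisory bullets above (March 2019):
#   ZCS 8.8 -> 8.8.10 Patch 7 or 8.8.11 Patch 3
#   ZCS 8.7 -> 8.7.11 Patch 10
#   ZCS 8.6 -> 8.6.0 Patch 13
# Each entry is ((major, minor, micro), minimum patch level).
MINIMUM_PATCHED = [
    ((8, 8, 10), 7),
    ((8, 8, 11), 3),
    ((8, 7, 11), 10),
    ((8, 6, 0), 13),
]

# Matches "8.8.10 Patch 7", "8.6.0 Patch13", "8.8.11" and, as an assumption
# not documented on this page, the "8.8.11_P3" shorthand.
_VERSION_RE = re.compile(
    r"(?P<maj>\d+)\.(?P<min>\d+)\.(?P<micro>\d+)"
    r"(?:\s*(?:Patch\s*|_P|P)(?P<patch>\d+))?",
    re.IGNORECASE,
)

Version = Tuple[Tuple[int, int, int], int]


def parse_version(text: str) -> Optional[Version]:
    """Return ((major, minor, micro), patch) or None if no version is found.

    A release with no patch suffix is patch level 0. If the string mentions
    the version more than once (e.g. once bare, once with a patch suffix),
    the highest (base, patch) pair wins.
    """
    best: Optional[Version] = None
    for m in _VERSION_RE.finditer(text):
        base = (int(m.group("maj")), int(m.group("min")), int(m.group("micro")))
        patch = int(m.group("patch")) if m.group("patch") else 0
        candidate = (base, patch)
        if best is None or candidate > best:
            best = candidate
    return best


def is_patched(text: str) -> Optional[bool]:
    """True if the release is at or above a fixed release in MINIMUM_PATCHED,
    False if it is older, None if the string carries no recognisable version."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    (maj, mnr, micro), patch = parsed

    # Fixed releases on the same major.minor branch as the installed version.
    fixed = [(b, p) for b, p in MINIMUM_PATCHED if b[:2] == (maj, mnr)]
    if not fixed:
        # Branch not covered by the advisory (8.5 and older): the page says
        # "upgrade to a supported version", so treat it as unpatched.
        return False

    for (_, _, fixed_micro), min_patch in fixed:
        if micro == fixed_micro:
            # Same micro release: the patch level decides.
            return patch >= min_patch

    # Assumption: a later micro release on a fixed branch carries the fix
    # (8.8.12 after 8.8.11 P3); an earlier one (8.8.9) does not.
    newest_fixed_micro = max(b[2] for b, _ in fixed)
    return micro > newest_fixed_micro


if __name__ == "__main__":
    for sample in ("8.8.10 Patch 7", "8.8.9 Patch 9", "8.7.11 Patch 10", "8.5.0"):
        print(f"{sample!r}: patched={is_patched(sample)}")
```

Feed it the version strings from your own inventory: `None` means the string contained no recognisable version, `False` means the host falls under one of the upgrade bullets above.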
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include a security fix for (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include a security fix for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([https://cwe.mitre.org/data/definitions/79.html CWE-79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
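The three steps above, scripted as an added example (not part of the Zimbra page and not Zimbra's own tooling). The profile and sudoers paths are parameters so the edit can be rehearsed on scratch copies first; it assumes the zmlocalconfig step is run as the zimbra user via su, and it validates sudoers with visudo because a syntax error there locks everyone out of sudo.

```shell
#!/bin/sh
# Added example (not Zimbra's code): apply the CVE-2016-2107 workaround
# idempotently and verify it.  File paths are parameters so the functions
# can be exercised against scratch copies before touching
# /opt/zimbra/.bash_profile and /etc/sudoers as root.

PROFILE_COMMENT='# workaround CVE-2016-2107'
PROFILE_LINE='export OPENSSL_ia32cap="~0x200000200000000"'
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# ensure_line FILE LINE: append LINE to FILE unless that exact line is present.
ensure_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -e "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE: number of lines in FILE equal to LINE (0 if none).
count_line() {
    grep -cxF -e "$2" "$1" || true
}

# apply_workaround PROFILE SUDOERS: steps 1 and 2 of the post.
apply_workaround() {
    profile=$1
    sudoers=$2
    ensure_line "$profile" "$PROFILE_COMMENT"
    ensure_line "$profile" "$PROFILE_LINE"
    ensure_line "$sudoers" "$SUDOERS_LINE"
}

# workaround_applied PROFILE SUDOERS: exit 0 only if both files carry the lines.
workaround_applied() {
    grep -qxF -e "$PROFILE_LINE" "$1" && grep -qxF -e "$SUDOERS_LINE" "$2"
}

# validate_sudoers SUDOERS: a syntax error in sudoers disables sudo for
# everyone, so check the file with visudo when it is available.
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; skipping sudoers syntax check" >&2
    fi
}

# Step 3 of the post.  Assumption (ours, not the post's): it is run as the
# zimbra user via su, and only where zmlocalconfig exists, i.e. on a ZCS host.
configure_postfix_env() {
    if command -v zmlocalconfig >/dev/null 2>&1; then
        su - zimbra -c "zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'"
    else
        echo "zmlocalconfig not found; run step 3 on the ZCS host" >&2
        return 1
    fi
}

# Stand-alone use on a server, as root:  sh this_script.sh --apply
# Afterwards, re-run the https://filippo.io/CVE-2016-2107/ test from the post
# to confirm the MTA/proxy no longer show the padding-oracle behaviour.
if [ "${1-}" = "--apply" ]; then
    apply_workaround /opt/zimbra/.bash_profile /etc/sudoers
    validate_sudoers /etc/sudoers
    configure_postfix_env
    workaround_applied /opt/zimbra/.bash_profile /etc/sudoers \
        && echo "workaround lines are in place"
fi
```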
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, while this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impact on Collab seems to be minimal and is currently limited to the MTA, specifically to possible setting changes depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to unencrypted (cleartext) communication instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in light of the FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' now potentially provides only an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers, with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with OpenSSL 1.0.2 available, you may find this post from OpenSSL useful: [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/].</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: Collab 8.0.x uses Java 1.7. Unfortunately, in Java 1.7 the DH parameters are hard-coded to 768 bits (except for export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html]).</p><br />
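A small audit of the Postfix cipher-grade recommendation above, added here as an example (not Zimbra's tooling): it reads a file in the "name = value" form printed by postconf -n and reports the cipher-grade parameters set to 'export' or 'low' (and 'null'); the sample input used in the test is constructed.

```shell
#!/bin/sh
# Added example (not Zimbra's code): flag the Postfix TLS cipher-grade
# parameters that are set to the 'export' or 'low' grades the post advises
# against, plus 'null' (no encryption at all).  Input is a file containing
# `postconf -n` output; the last assignment of a parameter wins, as in postconf.

CIPHER_PARAMS='smtp_tls_ciphers smtp_tls_mandatory_ciphers smtpd_tls_ciphers smtpd_tls_mandatory_ciphers'

# cipher_grade FILE PARAM: print the effective value of PARAM in FILE, or
# "unset" when it is absent.  Unset means the Postfix built-in default
# applies, which the post notes can be a lower grade; inspect it on the host
# with `postconf -d PARAM`.
cipher_grade() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# weak_cipher_grades FILE: print "param=grade" for each parameter explicitly
# set to export, low or null; exit 1 if any were found, 0 if none.
weak_cipher_grades() {
    found=0
    for p in $CIPHER_PARAMS; do
        grade=$(cipher_grade "$1" "$p")
        case "$grade" in
            export|low|null)
                printf '%s=%s\n' "$p" "$grade"
                found=1
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Stand-alone use on an MTA host:
#   postconf -n > /tmp/postconf.txt && sh this_script.sh /tmp/postconf.txt
if [ -n "${1-}" ] && [ -f "$1" ]; then
    weak_cipher_grades "$1" && echo "no export/low/null cipher grades set explicitly"
fi
```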
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], means 512-bit encryption, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say it is possible to crack 512-bit encryption today in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE 2015-0235]. It should be noted that the vulnerability was patched in v2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep running stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE 2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. While Linux doesn't usually require a restart, one is recommended here to ensure all underlying software services are patched.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per-server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and been actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>[Generates the following output]</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root, starting in /tmp):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
</pre><br />
<p>Then wget the correct version, from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>(look for "8.0.3")</p><br />
<p>Please use the test methods below to confirm.</p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm whether your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number (here it is 6021):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
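<p>As an added example (not Zimbra's own tooling), the POSIX shell functions below combine the openssl version check from the CCS Injection advisory above (1.0.1h expected on ZCS 8.0.7) with the dtls1_heartbeat check from this Testing section, so one call assesses a node and the pieces can be exercised offline. The libssl path and the 1.0.1h level come from the advisories; tr is used in place of strings so binutils is not required, and the verdict words are this example's own.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's tooling: the two verification steps from the
# advisories as functions.  Assumes the Zimbra-bundled OpenSSL lives under
# /opt/zimbra/openssl (path from the page); the verdict labels are ours.

# Turn an OpenSSL version banner ("OpenSSL 1.0.1h 5 Jun 2014") or a bare version
# ("0.9.8za") into one integer that sorts the way OpenSSL versions do:
# major.minor.fix numerically, then the letter suffix (a < b < ... < z < za < zb).
# Prints 0 and returns 1 when the input is not an OpenSSL version string.
openssl_ver_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[0-9]\)\([a-z]*\).*/\2 \3/p')
    if [ -z "$v" ]; then
        echo 0; return 1
    fi
    num=${v% *}; letters=${v#* }
    maj=${num%%.*}; rest=${num#*.}
    min=${rest%%.*}
    case "$rest" in *.*) fix=${rest#*.} ;; *) fix=0 ;; esac
    fix=${fix%%.*}                       # ignore any fourth component
    lv=0; rest=$letters
    while [ -n "$rest" ]; do             # base-27 value of the letter suffix
        c=${rest%"${rest#?}"}; rest=${rest#?}
        n=$(printf '%d' "'$c")           # ASCII code of the letter
        lv=$(( lv * 27 + n - 96 ))       # a=1 ... z=26
    done
    echo $(( maj * 10000000 + min * 100000 + fix * 1000 + lv ))
}

# True (0) when banner $1 is at least version $2; 2 when either is unparsable.
openssl_ver_ge() {
    a=$(openssl_ver_key "$1") || return 2
    b=$(openssl_ver_key "$2") || return 2
    [ "$a" -ge "$b" ]
}

# Heartbleed check from the advisory: is the dtls1_heartbeat symbol still in
# libssl?  tr splits the binary into identifier-like tokens, much as strings
# would.  Returns 0 = present (unpatched build), 1 = absent, 2 = unreadable.
has_heartbeat_symbol() {
    lib=${1:-/opt/zimbra/openssl/lib/libssl.so}
    [ -r "$lib" ] || return 2
    tr -cs '[:alnum:]_' '\n' < "$lib" | grep -q '^dtls1_heartbeat$'
}

# Verdict for one node.  $1 = `openssl version` banner, $2 = libssl path.
# Prints one word; returns 1 when action is still needed, 2 when undecidable:
#   heartbleed    dtls1_heartbeat present: Heartbleed patch not applied
#   below-1.0.1h  no heartbeat symbol, but the version is older than the 1.0.1h
#                 the CCS advisory expects on ZCS 8.0.7 (earlier ZCS releases
#                 ship Zimbra-patched builds under older version strings, so
#                 confirm against the release-specific patch, not the number)
#   unknown       library unreadable or banner unparsable
#   ok            neither check fired
assess_zimbra_openssl() {
    banner=$1; lib=$2
    hb=0; has_heartbeat_symbol "$lib" || hb=$?
    if [ "$hb" -eq 2 ]; then echo unknown; return 2; fi
    if [ "$hb" -eq 0 ]; then echo heartbleed; return 1; fi
    ge=0; openssl_ver_ge "$banner" "1.0.1h" || ge=$?
    if [ "$ge" -eq 2 ]; then echo unknown; return 2; fi
    if [ "$ge" -eq 1 ]; then echo below-1.0.1h; return 1; fi
    echo ok
}

# Usage on a live node, as the zimbra user:
#   sh zmssl-check.sh /opt/zimbra/openssl/lib/libssl.so
if [ $# -gt 0 ]; then
    assess_zimbra_openssl "$(openssl version 2>/dev/null || echo unknown)" "$1"
fi
```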
<p><br />Please let Zimbra know promptly of any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>And it has been used to upload rogue Zimlets and install bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66215
Security Center
2019-03-19T14:44:43Z
<p>Plobbes: add notes about 8.6.0 Patch 13</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to 8.6.0 Patch 13 <br /><br />
↳ Please plan to upgrade to a supported version as other security fixes have not been backported. </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible! </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 and 8.6.0 Patch 13 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019 and [https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P13 8.6.0 Patch 13] was released on March 19, 2019. The releases include security fixes for (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 19, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786] and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum set of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test whether you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privileges):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
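<p class="text-justify">To see exactly what the exported mask switches off, here is an added example (not part of this post or of any Zimbra tooling) that decodes an OPENSSL_ia32cap value the way OpenSSL reads it: a 64-bit word whose low 32 bits mirror CPUID(1).EDX and whose high 32 bits mirror CPUID(1).ECX, with a leading ~ meaning the listed bits are cleared from what the CPU reports. The feature-bit table is a small subset of the standard CPUID(1) bits; the value decoded is the one from the workaround above.</p><br />

```python
"""Decode an OPENSSL_ia32cap value such as the one in the CVE-2016-2107 workaround.

Added example; not part of the Zimbra post. OpenSSL (1.0.x) reads OPENSSL_ia32cap
as a 64-bit capability word: the low 32 bits mirror CPUID(EAX=1).EDX and the high
32 bits mirror CPUID(EAX=1).ECX. A leading '~' means "clear these bits from what
the CPU reports"; without it the value replaces the detected word outright. Newer
releases accept a second word after ':', which is kept raw here.
"""
import re

# Subset of CPUID(1) feature bits as positioned in OpenSSL's 64-bit word
# (EDX bit n -> n, ECX bit n -> 32 + n). Standard CPUID bit assignments.
CAP_BITS = {
    23: "MMX",
    25: "SSE",
    26: "SSE2",
    32 + 0: "SSE3",
    32 + 1: "PCLMULQDQ",
    32 + 9: "SSSE3",
    32 + 19: "SSE4.1",
    32 + 20: "SSE4.2",
    32 + 25: "AES-NI",
    32 + 27: "OSXSAVE",
    32 + 28: "AVX",
}

# The value the Zimbra workaround exports (quoted from the post).
WORKAROUND_VALUE = "~0x200000200000000"

_VALUE_RE = re.compile(r"^(~?)(0[xX][0-9a-fA-F]+|[0-9]+)(?::(.*))?$")


def parse_ia32cap(value):
    """Return (clear_mode, word, extra) for an OPENSSL_ia32cap string.

    clear_mode is True when the value starts with '~'. extra is the raw text after
    an optional ':' (a second capability word in newer OpenSSL), or None.
    """
    m = _VALUE_RE.match(value.strip())
    if not m:
        raise ValueError("not a valid OPENSSL_ia32cap value: %r" % value)
    tilde, number, extra = m.groups()
    word = int(number, 0)
    if word >> 64:
        raise ValueError("capability word exceeds 64 bits: %r" % value)
    return (tilde == "~", word, extra)


def bits_set(word):
    """Bit positions set in a 64-bit word, ascending."""
    return [i for i in range(64) if word >> i & 1]


def describe(value):
    """Describe what a value does to each named capability.

    Returns (action, names): action is 'disables' for '~' values and 'forces'
    otherwise; names lists the affected capabilities, unknown bits as 'bit N'.
    """
    clear, word, _ = parse_ia32cap(value)
    names = [CAP_BITS.get(i, "bit %d" % i) for i in bits_set(word)]
    return ("disables" if clear else "forces", names)


def disables_aesni(value):
    """True if the value removes AES-NI (bit 57) from OpenSSL's view of the CPU."""
    clear, word, _ = parse_ia32cap(value)
    return clear and bool(word >> 57 & 1)


if __name__ == "__main__":
    action, names = describe(WORKAROUND_VALUE)
    print("%s %s: %s" % (WORKAROUND_VALUE, action, ", ".join(names)))
```

<p class="text-justify">Run stand-alone it reports that ~0x200000200000000 disables PCLMULQDQ and AES-NI, which is why this setting sidesteps the AES-NI code path named in the OpenSSL advisory.</p><br />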
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br /><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impact on Collab appears to be minimal and is currently limited to the MTA, specifically to possible settings changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful: [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br /><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a potential malicious actor a method to perform a Man-in-the-Middle (MitM) attack; the vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export grade encryption (READ: weak encryption). [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit encryption, which was the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say that it is possible to crack 512-bit encryption today in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built-in check of the browser used to visit the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and is tracked as [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep running older stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. While Linux does not usually require a restart, one is recommended here to ensure all underlying software services are running the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<ul><br />
<li>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git</li><br />
<li>[http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]</li><br />
<li>[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]</li><br />
<li>[https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]</li><br />
<li>[http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]</li><br />
<li>[http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</li><br />
</ul><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit [https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and a vulnerable server. It is also important to note that Zimbra does not use DTLS, nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
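<p>The version check above can be scripted across many nodes; the following added example (not part of this advisory or of zmopenssl-updater.sh) parses the output of <code>openssl version</code> and compares it with the version the advisory expects after patching. The expected value 1.0.1h for ZCS 8.0.7 is from this post; treating any later letter release on the same 1.0.1 line as also patched is this example's own assumption, and the 1.0.1e sample line is constructed.</p><br />

```python
"""Verify `openssl version` output against the version an advisory expects.

Added example; not part of the Zimbra advisory or of zmopenssl-updater.sh. The
expected patched version for ZCS 8.0.7 (1.0.1h) is taken from the post; treating
any later letter release on the same 1.0.1 line as patched is an assumption.
"""
import re
import subprocess

# Matches "OpenSSL 1.0.1h 5 Jun 2014" and a bare "OpenSSL 1.0.1" alike.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Sample outputs: the first is the expected result quoted in the advisory, the
# second is constructed to stand in for an unpatched 8.0.x system.
PATCHED_OUTPUT = "OpenSSL 1.0.1h 5 Jun 2014"
UNPATCHED_OUTPUT = "OpenSSL 1.0.1e 11 Feb 2013"


def parse_openssl_version(text):
    """Parse an OpenSSL 1.0.x-style version into a comparable tuple.

    Patch releases on the 1.0.x lines are letters: 1.0.1 < 1.0.1a < ... < 1.0.1h.
    The letter suffix becomes an integer ('' -> 0, 'a' -> 1, ..., 'z' -> 26) and
    multi-letter suffixes such as 'za' sort after 'z', so tuples compare correctly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version string in %r" % text)
    major, minor, fix, letters = m.groups()
    suffix = 0
    for ch in letters:
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), suffix)


def is_patched(output, expected="1.0.1h"):
    """True if `output` reports a version at or above `expected`.

    Only the same major.minor.fix line counts: a different line (for example the
    1.0.0 the advisory says ZCS 7 ships, or 1.0.2) cannot be judged against a
    1.0.1 expectation and returns False rather than a misleading True.
    """
    have = parse_openssl_version(output)
    want = parse_openssl_version("OpenSSL " + expected)
    return have[:3] == want[:3] and have[3] >= want[3]


def check_local_openssl(expected="1.0.1h"):
    """Run the same check against the openssl binary on PATH. Run it as the
    zimbra user, as the advisory instructs, so that /opt/zimbra's openssl is the
    one found. Returns (output, patched)."""
    output = subprocess.check_output(["openssl", "version"]).decode()
    return output.strip(), is_patched(output, expected)


if __name__ == "__main__":
    for sample in (PATCHED_OUTPUT, UNPATCHED_OUTPUT):
        state = "patched" if is_patched(sample) else "NOT patched"
        print("%-28s -> %s" % (sample, state))
```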
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so you will need to upgrade to a secure version first and then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and been actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>Running the updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol<br />
restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root), choosing the correct version from the list below:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget [URL of the matching openssl tarball from the list below]<br />
</pre><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p><br />(as root)<br /><span style="font-family: courier new,courier;">2) cd /opt/zimbra</span><br /><span style="font-family: courier new,courier;">3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart</span><br /><span style="font-family: courier new,courier;">4) tar xfz /tmp/openssl-NEWVERSION.tgz</span><br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">5) su - zimbra</span><br /><span style="font-family: courier new,courier;">6) zmcontrol restart</span></p><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:<br /><br /><span style="font-family: courier new,courier;"># su - zimbra</span><br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br /><span style="font-family: courier new,courier;">Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.</span><br /><br />3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:<br /><br /><strong>Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span><br /><br /><strong>Not Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span></p><br />
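<p>As an added worked example (not code from this advisory and not Zimbra's zmopenssl-updater.sh), the following POSIX sh script reproduces the two checks a defender wants around the manual procedure above: verifying the downloaded tarball against its .md5sum file before anything is moved or unpacked (manual patching steps 1-4), and the <span style="font-family: courier new,courier;">dtls1_heartbeat</span> string test from the Testing section. It runs offline against a constructed sample tree. The .md5sum layout ("&lt;hash&gt;  &lt;name&gt;", as md5sum writes it) and the tarball unpacking to a single openssl-VERSION/ directory are assumptions; every file name in the sample tree is constructed.</p><br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra advisory or its zmopenssl-updater.sh.
# Assumptions (not stated on the page): the .md5sum file has md5sum's
# "<hash>  <name>" layout, and the patch tarball unpacks to one
# openssl-<version>/ directory (the page's "openssl-NEWVERSION.tgz").

# md5 of a file as a bare hex string (md5sum on Linux, openssl elsewhere).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 TARBALL MD5FILE: exit 0 only when the recorded hash matches.
verify_md5() {
    expected=$(cut -d' ' -f1 < "$2")
    actual=$(md5_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Printable strings of a binary: strings(1) when present, tr fallback otherwise.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi
}

# heartbeat_status LIBSSL: prints "vulnerable" when the build still carries the
# dtls1_heartbeat symbol name (the advisory's Testing check), else "patched".
heartbeat_status() {
    if printable_strings "$1" | grep -q 'dtls1_heartbeat'; then
        echo vulnerable
    else
        echo patched
    fi
}

# install_patched_openssl ROOT OLDDIR TARBALL MD5FILE: manual steps 2-4 behind a
# verification gate. Refuses (exit 1, nothing touched) unless the md5 matches;
# otherwise moves ROOT/OLDDIR to OLDDIR.brokenheart and unpacks TARBALL in ROOT.
install_patched_openssl() {
    root="$1"; old="$2"; tarball="$3"; md5file="$4"
    verify_md5 "$tarball" "$md5file" || { echo "md5 mismatch, refusing to install" >&2; return 1; }
    mv "$root/$old" "$root/$old.brokenheart" &&
    tar xzf "$tarball" -C "$root"
}

# Constructed sample tree (not real Zimbra files); prints its path.
#   root/openssl-1.0.1c/lib/libssl.so  "old" build carrying dtls1_heartbeat
#   patched.tgz (+ .md5sum)            unpacks to openssl-1.0.1e/lib/libssl.so
#   tampered.tgz (+ .md5sum)           hash recorded for different content
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/openssl-1.0.1c/lib" "$dir/build/openssl-1.0.1e/lib"
    printf '\177ELF\001ssl3_read_bytes\001dtls1_heartbeat\001' > "$dir/root/openssl-1.0.1c/lib/libssl.so"
    printf '\177ELF\001ssl3_read_bytes\001' > "$dir/build/openssl-1.0.1e/lib/libssl.so"
    tar czf "$dir/patched.tgz" -C "$dir/build" openssl-1.0.1e
    printf '%s  patched.tgz\n' "$(md5_of "$dir/patched.tgz")" > "$dir/patched.tgz.md5sum"
    cp "$dir/patched.tgz.md5sum" "$dir/tampered.tgz.md5sum"
    printf 'not the file that was hashed\n' > "$dir/tampered.tgz"
    echo "$dir"
}

# Stand-alone demo: the old build is flagged, the tampered tarball is refused,
# the verified one is installed and the new library passes the check.
DEMO=$(make_samples)
echo "before: $(heartbeat_status "$DEMO/root/openssl-1.0.1c/lib/libssl.so")"
install_patched_openssl "$DEMO/root" openssl-1.0.1c "$DEMO/tampered.tgz" "$DEMO/tampered.tgz.md5sum" || echo "tampered tarball rejected"
install_patched_openssl "$DEMO/root" openssl-1.0.1c "$DEMO/patched.tgz" "$DEMO/patched.tgz.md5sum" && echo "patched tarball installed"
echo "after:  $(heartbeat_status "$DEMO/root/openssl-1.0.1e/lib/libssl.so")"
ls "$DEMO/root"   # openssl-1.0.1c.brokenheart  openssl-1.0.1e
rm -rf "$DEMO"
```

<p>On a real host the same functions take the real paths: <span style="font-family: courier new,courier;">heartbeat_status /opt/zimbra/openssl/lib/libssl.so</span> gives the Testing section's answer in one word, and <span style="font-family: courier new,courier;">verify_md5</span> on the downloaded tgz and its .md5sum is the step the one-line manual procedure leaves to the operator. The gate in <span style="font-family: courier new,courier;">install_patched_openssl</span> is the point of the example: the old directory is only moved aside after the hash matches, so a truncated or altered download never replaces a working build.</p><br />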
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload and install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66211
Security Center
2019-03-18T18:56:56Z
<p>Plobbes: add a reference and short summary to the blog post "Recent Zimbra XXE / SSRF Vulnerability Disclosures"</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Recent Zimbra XXE / SSRF Vulnerability Disclosures</h4><br />
<div class="row"><br />
<p class="text-justify"> We published a [https://blog.zimbra.com/2019/03/9826/ blog post] regarding recent Zimbra XXE / SSRF vulnerabilities [https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html disclosed] by <b>An Phuoc Trinh</b>, of Viettel Cyber Security. In short:<br />
<ul><br />
<li> ZCS 8.8 - upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3 </li><br />
<li> ZCS 8.7 (LTS) - upgrade to 8.7.11 Patch 10 </li><br />
<li> ZCS 8.6 (unsupported) - upgrade to Patch 13 which is scheduled for release 19 March </li><br />
<li> ZCS earlier versions - upgrade to a supported version as soon as possible </li><br />
</ul><br />
</p><br />
<p>See the blog post for a few additional details: [https://blog.zimbra.com/2019/03/9826/ Recent Zimbra XXE / SSRF Vulnerability Disclosure].</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019. The release includes a security fix for (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
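The three steps above as one idempotent script, added here as an example and not Zimbra's own tooling: it takes the profile and sudoers paths as parameters (so it can be exercised on scratch copies), adds each line only once, and prints the zmlocalconfig command unless DO_APPLY=1 (a variable assumed for this example).<br />

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: apply the CVE-2016-2107 workaround
# steps idempotently so the script can be re-run (or driven by configuration
# management) without duplicating lines. Run as root on a real system:
#   DO_APPLY=1 sh apply_cve_2016_2107.sh /opt/zimbra/.bash_profile /etc/sudoers

EXPORT_LINE='export OPENSSL_ia32cap="~0x200000200000000"'
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# has_line FILE LINE: succeed if FILE contains LINE exactly (whole line).
# A missing file simply counts as "line not present".
has_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# append_once FILE LINE [COMMENT]: append LINE (preceded by COMMENT when given)
# unless it is already present. Succeeds when the line is present afterwards.
append_once() {
    if has_line "$1" "$2"; then
        return 0
    fi
    { [ -n "${3:-}" ] && printf '%s\n' "$3"; printf '%s\n' "$2"; } >> "$1"
}

# Step 1: user zimbra's .bash_profile sets the AES-NI mask on login.
apply_profile() {
    append_once "$1" "$EXPORT_LINE" "# workaround CVE-2016-2107"
}

# Step 2: sudo strips the environment by default; env_keep lets the variable
# survive privilege escalation. Validate the result with `visudo -c` on a real
# system before relying on it.
apply_sudoers() {
    append_once "$1" "$SUDOERS_LINE"
}

# Step 3: the zmlocalconfig command from the post, which makes Postfix import
# the variable. Only printed unless DO_APPLY=1 and zmlocalconfig is installed.
apply_postfix() {
    cmd="zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'"
    if [ "${DO_APPLY:-0}" = 1 ] && command -v zmlocalconfig >/dev/null 2>&1; then
        su - zimbra -c "$cmd"
    else
        printf 'run as user zimbra: %s\n' "$cmd"
    fi
}

# verify_files PROFILE SUDOERS: succeed only if both workaround lines are present.
verify_files() {
    has_line "$1" "$EXPORT_LINE" && has_line "$2" "$SUDOERS_LINE"
}

# Apply everything when invoked with the two file paths.
if [ $# -eq 2 ]; then
    apply_profile "$1" && apply_sudoers "$2" && apply_postfix && verify_files "$1" "$2"
fi
```

After applying, log in as user zimbra and confirm the variable is present with `echo $OPENSSL_ia32cap` before re-running the test tool linked above.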
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects the following OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o only.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to in-the-clear communication channels instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
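An added example, not from the Zimbra wiki or from Postfix: a small audit that reports which of the four Postfix cipher-grade parameters are effectively below 'medium' in a main.cf and prints the postconf commands that would raise them. The default assumed for an unset parameter is passed in explicitly, since the post notes that Postfix's own default allowed lower grades.<br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki or of Postfix: audit a Postfix
# main.cf for the 'export' and 'low' TLS cipher grades the post above says to
# avoid. On ZCS, main.cf is regenerated from LDAP, so apply any change through
# the MTA Ciphers wiki section referenced above rather than editing main.cf.

# grade_rank GRADE: number a Postfix cipher grade, higher is stronger.
# Unknown values rank lowest so they are flagged for review.
grade_rank() {
    case "$1" in
        null)   echo 0 ;;
        export) echo 1 ;;
        low)    echo 2 ;;
        medium) echo 3 ;;
        high)   echo 4 ;;
        *)      echo 0 ;;
    esac
}

# main_cf_value FILE PARAM DEFAULT: effective value of PARAM in FILE. Postfix
# takes the last assignment; blanks around '=' and trailing blanks are ignored.
# Continuation lines are not handled (cipher grades never need them).
main_cf_value() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# audit_tls_ciphers FILE: one "WEAK:" line per cipher parameter whose effective
# grade is below 'medium'. Returns 0 when nothing is weak, 1 otherwise.
# Assumed defaults: opportunistic parameters 'export' (older Postfix releases),
# mandatory parameters 'medium'.
audit_tls_ciphers() {
    weak=0
    for spec in smtp_tls_ciphers:export smtpd_tls_ciphers:export \
                smtp_tls_mandatory_ciphers:medium smtpd_tls_mandatory_ciphers:medium; do
        param=${spec%%:*}
        dflt=${spec#*:}
        value=$(main_cf_value "$1" "$param" "$dflt")
        if [ "$(grade_rank "$value")" -lt "$(grade_rank medium)" ]; then
            printf 'WEAK: %s = %s (effective; raise to medium or higher)\n' "$param" "$value"
            weak=1
        fi
    done
    return "$weak"
}

# suggest_fix FILE: print the postconf commands that would raise every weak
# parameter to 'medium' (the grade the post recommends as the floor).
suggest_fix() {
    audit_tls_ciphers "$1" | sed -n 's/^WEAK: \([a-z_]*\) = .*/postconf -e "\1 = medium"/p'
}

# Demo on a constructed main.cf, not a real ZCS configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample: opportunistic grades left weak, mandatory grade raised
smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = high
EOF
audit_tls_ciphers "$sample" || suggest_fix "$sample"
rm -f "$sample"
```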
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (READ: weak encryption). [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say that it is possible to crack 512-bit encryption today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in v2.17 of the library, but at the time was not categorized as a security issue, leading many to keep running stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, one is recommended here to ensure all underlying software services are running the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per-server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so you will need to upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch would require the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root), picking the URL that matches your ZCS version and platform from the list below:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget &lt;URL from the list below&gt;<br />
</pre><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version (look for "8.0.3"):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
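<p>As an added example that is not Zimbra's own tooling, the following POSIX shell script folds the three Heartbleed checks above and the CCS advisory's <code>openssl version</code> check for 8.0.7 into one per-node audit that can be scripted across a multi-node deployment. It assumes only the output formats quoted in these advisories; the function names and the <code>--live</code> flag are this example's own, and <code>grep -a</code> stands in for <code>strings | grep</code> so it does not need binutils.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: one per-node audit that applies the
# checks from the Heartbleed "Testing" section and the CCS advisory's
# `openssl version` check.  Every input is passed in explicitly so the
# decision logic can be exercised offline; `--live` reads the real values on
# a ZCS node (run it as the zimbra user so /opt/zimbra's openssl is used).

# Release version, e.g. "8.0.7", from a `zmcontrol -v` line such as
# "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition."
zcs_version() {
    printf '%s\n' "$1" | sed -n 's/^Release \([0-9][0-9.]*\)_GA_.*/\1/p'
}

# Build number, e.g. "6021", from the same line.
zcs_build() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9]*\)\..*/\1/p'
}

# OpenSSL release, e.g. "1.0.1h", from an `openssl version` line such as
# "OpenSSL 1.0.1h 5 Jun 2014".
openssl_release() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\) .*/\1/p'
}

# Is the dtls1_heartbeat symbol still present in a libssl.so?
# The advisory uses `strings FILE | grep dtls1_heartbeat`; `grep -a`
# (treat binary as text) is the portable equivalent.  Returns 0 if present.
libssl_has_heartbeat() {
    grep -a -q 'dtls1_heartbeat' "$1"
}

# Verdict for one node.
#   $1  `zmcontrol -v` line
#   $2  "yes" or "no": does libssl.so contain dtls1_heartbeat
#   $3  `openssl version` line
# Prints one line; exit status 1 when action is needed, 0 otherwise.
node_verdict() {
    ver=$(zcs_version "$1")
    build=$(zcs_build "$1")
    ossl=$(openssl_release "$3")

    # Check 3 of the Testing section applies to every version and is decisive:
    # a heartbeat-capable libssl means the Heartbleed patch is not in place.
    if [ "$2" = "yes" ]; then
        echo "VULNERABLE (Heartbleed): ZCS $ver build $build, OpenSSL $ossl still has dtls1_heartbeat; run zmopenssl-updater.sh, then regenerate certificates and keys"
        return 1
    fi

    case "$ver" in
        6.*|7.*)
            echo "not affected: ZCS $ver uses OpenSSL 1.0.0 or older ($ossl)"
            return 0 ;;
    esac

    # ZCS 8.0.7: build 6021 and later shipped with the Heartbleed fix; after
    # the CCS patch the bundled OpenSSL should report 1.0.1h.
    if [ "$ver" = "8.0.7" ]; then
        if [ "$ossl" != "1.0.1h" ]; then
            echo "ACTION NEEDED (CCS injection): ZCS 8.0.7 build $build reports OpenSSL $ossl, expected 1.0.1h after the CCS patch"
            return 1
        fi
        if [ "${build:-0}" -lt 6021 ]; then
            echo "patched: ZCS 8.0.7 build $build (pre-6021) with patches applied; re-patch after any later GA upgrade"
        else
            echo "patched: ZCS 8.0.7 build $build, OpenSSL $ossl"
        fi
        return 0
    fi

    # Other 8.0.x releases carry different patched OpenSSL letter versions, so
    # only the heartbeat check above is definitive here.
    echo "patched (Heartbleed): ZCS $ver build $build, OpenSSL $ossl; confirm the CCS patch was run separately"
    return 0
}

# Stand-alone use on a ZCS node.
if [ "${1:-}" = "--live" ]; then
    rel=$(zmcontrol -v 2>/dev/null | head -n 1)
    if libssl_has_heartbeat /opt/zimbra/openssl/lib/libssl.so; then hb=yes; else hb=no; fi
    node_verdict "$rel" "$hb" "$(openssl version)"
fi
```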
<p>Please let Zimbra know promptly of any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and install bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66210
Security Center
2019-03-18T17:31:57Z
<p>Plobbes: add note about ZCS 8.7.11 Patch 10 release with fix for CVE-2019-9670 / Bug 109129</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 10 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10 8.7.11 Patch 10]<br />
was released on March 18, 2019. The release includes a security fix for (8.8.x versions are not affected by this vulnerability):<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 Bug 109129] - XXE ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 18, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" as the original scoring did not cover all potential available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit-related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b>, which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts has the side effect of disabling all ZCS-controlled keyboard shortcuts, which may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
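As an added example (not code from the Zimbra wiki or the product), the script below rolls out the workaround described in this post and in the 8.8.7 note above, setting zimbraPrefShortEmailAddress to FALSE on every class of service (and optionally every account) and then verifying each COS. It assumes it runs as the zimbra user with zmprov on PATH, using the standard `gac`, `mc`, `ma`, `-l gaa` and `gc` subcommands.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki or the product: roll out the
# Mailsploit workaround above (zimbraPrefShortEmailAddress=FALSE) to every
# class of service, optionally to every account, and verify the result.
# Assumes it runs as the zimbra user with zmprov on PATH.

PREF="zimbraPrefShortEmailAddress"

# One "mc <cos> ..." batch command per COS ("zmprov gac" lists COS names).
cos_batch() {
    zmprov gac | while read -r cos; do
        [ -n "$cos" ] && printf 'mc %s %s FALSE\n' "$cos" "$PREF"
    done
}

# Same for every account ("-l" queries LDAP directly, faster on large sites).
account_batch() {
    zmprov -l gaa | while read -r acct; do
        [ -n "$acct" ] && printf 'ma %s %s FALSE\n' "$acct" "$PREF"
    done
}

# True when "zmprov gc <cos> <attr>" reports the pref as FALSE. Output format:
#   # name default
#   zimbraPrefShortEmailAddress: FALSE
pref_is_false() {
    zmprov gc "$1" "$PREF" | awk -v attr="$PREF" '
        $1 == (attr ":") { if ($2 == "FALSE") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Check every COS; list offenders and return 1 if any still allow short addresses.
verify_all_cos() {
    rc=0
    for cos in $(zmprov gac); do
        if ! pref_is_false "$cos"; then
            echo "COS $cos: $PREF is not FALSE"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --dry-run)  cos_batch ;;                              # show the batch, change nothing
    --apply)    cos_batch | zmprov && verify_all_cos ;;   # zmprov reads commands on stdin
    --accounts) account_batch | zmprov ;;
    --verify)   verify_all_cos ;;
    *)          echo "usage: $0 --dry-run | --apply | --accounts | --verify" ;;
esac
```

Run with --dry-run first to review the generated batch; --verify alone is a harmless read-only check that can be repeated after the change.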
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services that is required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
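As an added example (not code from the Zimbra wiki or the product), the script below applies the three steps above so that re-running it never duplicates the entries, and adds the check a practitioner wants afterwards: confirming that a running postfix process really inherited the OPENSSL_ia32cap mask. It assumes root privileges, the file paths the workaround names (overridable via PROFILE and SUDOERS), /opt/zimbra/bin/zmlocalconfig for step 3, and a Linux /proc filesystem for the process check.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki or the product: apply the three
# workaround steps above so that re-running never duplicates entries, and verify
# that the OPENSSL_ia32cap mask actually reached a running process. Run as root.
# PROFILE and SUDOERS default to the files the workaround names (overridable).

IA32CAP_VALUE='~0x200000200000000'          # the mask from the workaround above
PROFILE="${PROFILE:-/opt/zimbra/.bash_profile}"
SUDOERS="${SUDOERS:-/etc/sudoers}"

# Append $2 to file $1 only if that exact line is not already present.
ensure_line() {
    if ! grep -qxF -- "$2" "$1" 2>/dev/null; then
        printf '%s\n' "$2" >> "$1"
    fi
}

apply_workaround() {
    ensure_line "$PROFILE" '# workaround CVE-2016-2107'
    ensure_line "$PROFILE" "export OPENSSL_ia32cap=\"$IA32CAP_VALUE\""
    # The page appends to sudoers directly; run "visudo -c" afterwards to be safe.
    ensure_line "$SUDOERS" 'Defaults env_keep += "OPENSSL_ia32cap"'
    # Step 3 from the page, run as the zimbra user; skipped where ZCS is absent.
    if [ -x /opt/zimbra/bin/zmlocalconfig ]; then
        su - zimbra -c "zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'"
    fi
}

# True when the current shell carries the expected mask.
ia32cap_in_env() {
    [ "${OPENSSL_ia32cap:-}" = "$IA32CAP_VALUE" ]
}

# True when process $1 was started with the mask in its environment, e.g. a
# postfix smtpd after "zmmtactl restart"; /proc/<pid>/environ is NUL-separated.
ia32cap_in_process() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null |
        grep -qxF -- "OPENSSL_ia32cap=$IA32CAP_VALUE"
}

case "${1:-}" in
    --apply) apply_workaround ;;
    --check) for pid in $(pgrep -x smtpd); do
                 if ia32cap_in_process "$pid"; then echo "smtpd $pid: mask set"
                 else echo "smtpd $pid: mask MISSING"; fi
             done ;;
    *)       echo "usage: $0 --apply | --check" ;;
esac
```

After --apply, restart the MTA as the zimbra user and run --check; a "mask MISSING" line means the variable did not survive the su/sudo/postfix chain and the steps above need re-examination (the filippo.io test on the page remains the end-to-end confirmation).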
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, whereas this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication channels instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html]).</p><br />
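As an added example (not code from the Zimbra wiki or the product), the audit below checks the Postfix opportunistic and mandatory TLS cipher grades this note discusses and flags any set below 'medium'. It reads "name = value" lines as printed by postconf (plain `postconf`, not `postconf -n`, so defaults are included); changes should then be made through the Zimbra-managed settings on the MTA Ciphers wiki page rather than by editing main.cf directly.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki or the product: audit the Postfix
# TLS cipher grades the Logjam note discusses. Feed it postconf output
# ("postconf | sh audit.sh --audit" on the MTA; plain postconf, not postconf -n,
# so defaults are included) and it flags any grade below medium. Adjust grades
# through the Zimbra-managed settings on the MTA Ciphers wiki page, not main.cf.

# Value of parameter $1 from "name = value" lines on stdin; empty if absent.
postconf_value() {
    awk -v key="$1" -F' = ' '$1 == key { print $2; exit }'
}

# Rank grades so "below medium" becomes a numeric comparison.
grade_rank() {
    case "$1" in
        null)   printf '%s\n' 0 ;;
        export) printf '%s\n' 1 ;;
        low)    printf '%s\n' 2 ;;
        medium) printf '%s\n' 3 ;;
        high)   printf '%s\n' 4 ;;
        *)      printf '%s\n' -1 ;;   # unknown grade: flagged so a human looks at it
    esac
}

# Print WARN for each cipher-grade parameter below medium; return 1 if any.
audit_tls_cipher_grades() {
    input=$(cat)
    rc=0
    for param in smtp_tls_ciphers smtpd_tls_ciphers \
                 smtp_tls_mandatory_ciphers smtpd_tls_mandatory_ciphers; do
        grade=$(printf '%s\n' "$input" | postconf_value "$param")
        if [ -z "$grade" ]; then
            echo "INFO $param not in input (use postconf without -n to include defaults)"
            continue
        fi
        if [ "$(grade_rank "$grade")" -lt "$(grade_rank medium)" ]; then
            echo "WARN $param = $grade (allows FREAK/Logjam-style downgrade to weak ciphers)"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit_tls_cipher_grades; fi
```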
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
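<p>An added example, not code from the wiki or from Postfix, that audits a Postfix main.cf for the cipher grades discussed in the post above. The parameter names are the real postconf(5) ones; the two sample files and the DH-parameter path are constructed for the demo.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki or Postfix): audit a Postfix main.cf for
# the 'export' and 'low' TLS cipher grades the post above advises against.
# Parameter names are the real postconf(5) ones; both sample files are constructed.

# Print the effective value of a main.cf parameter (last assignment wins; comment
# lines and indented continuation lines are ignored). Prints nothing when unset.
postfix_param() {
    cf=$1; name=$2
    sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*//p" "$cf" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Classify a grade using Postfix's ordering: null < export < low < medium < high.
# 'export' and 'low' are the grades a Logjam/FREAK-style downgrade relies on.
cipher_grade_class() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        "")              echo unset ;;
        null|export|low) echo weak ;;
        medium|high)     echo ok ;;
        *)               echo unknown ;;
    esac
}

# Audit the opportunistic and mandatory grades for the client (smtp_*) and server
# (smtpd_*) sides. Prints one line per parameter; returns 1 if any grade is weak.
# An unset grade means the Postfix built-in default applies, which the post notes
# may allow lower grades, so "unset" is a prompt to check postconf(5), not a pass.
audit_postfix_ciphers() {
    cf=$1; bad=0
    for p in smtp_tls_ciphers smtpd_tls_ciphers \
             smtp_tls_mandatory_ciphers smtpd_tls_mandatory_ciphers; do
        v=$(postfix_param "$cf" "$p")
        c=$(cipher_grade_class "$v")
        printf '%-28s %-8s %s\n' "$p" "${v:-<unset>}" "$c"
        if [ "$c" = weak ]; then bad=1; fi
    done
    return $bad
}

# Constructed samples. "weak" leaves both sides at the 'export' grade; "hardened"
# applies the post's recommendation and adds the related Logjam mitigations
# (explicit exclusions and a larger DH group; the .pem path is a placeholder).
# Trade-off from the post: 'medium' can break old clients, and an opportunistic
# TLS peer that cannot negotiate may fall back to plaintext, so check your peers.
write_sample_main_cf() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
# constructed sample: export-grade suites still allowed on both sides
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ciphers = export
smtp_tls_ciphers = export
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: no export/low grades, weak suites excluded, 2048-bit DH
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, RC4, MD5
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, LOW, RC4, MD5
# placeholder path; generate with: openssl dhparam -out dh2048.pem 2048
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
EOF
    fi
}

# Run with --demo to audit both samples. A live audit would pass the real file,
# e.g. "audit_postfix_ciphers /etc/postfix/main.cf".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_main_cf "$tmp/weak.cf" weak
    write_sample_main_cf "$tmp/hardened.cf" hardened
    for f in weak hardened; do
        echo "== $f =="
        if audit_postfix_ciphers "$tmp/$f.cf"; then
            echo "result: no weak grades"
        else
            echo "result: weak grade found"
        fi
    done
    rm -rf "$tmp"
fi
```

On a ZCS host, apply the change the way the MTA Ciphers wiki section describes rather than hand-editing main.cf, since Zimbra regenerates the Postfix configuration from its own settings.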
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack; the vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys), utilizing [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to a vulnerable, export-grade encryption (READ: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to Washington Post], is downgraded to 512-bit encryption that was the maximum allowed under the export controls in place during the 1990s in the U.S. The Washington Post piece goes on to say it is possible to crack 512-bit encryption, today, in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE 2015-0235]. It should be noted that the vulnerability was patched in v 2.17 of the library, but at the time was not categorized as a security issue, leading many to maintain stable versions, i.e. vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE 2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, it is recommended to ensure all underlying software services are patched.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is relegated to a&nbsp;very specific&nbsp;scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a<span class="Apple-converted-space">&nbsp;</span>[https://www.openssl.org/news/secadv_20140605.txt security advisory].<span class="Apple-converted-space">&nbsp;</span>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]<span class="Apple-converted-space">&nbsp;</span>can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so you will need to upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch would require the following steps:<br /><br />1) Download the appropriate openssl build:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">cd /tmp</span><br /><span style="font-family: courier new,courier;">wget the correct version, from this list:</span></p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library is built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
<p><br />Please let Zimbra know promptly of any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
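<p>An added example, not part of the original advisory, that automates the two checks in the Testing section above: a version-range test on the output of "openssl version", and the dtls1_heartbeat symbol test on the library itself. The symbol test is the authoritative one, because Zimbra's patched packages keep their original version number (a patched 8.0.3 still reports 1.0.1d). The sample library files are constructed.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra advisory): two-stage Heartbleed (CVE-2014-0160)
# check for an OpenSSL build such as the one under /opt/zimbra. Stage 1 reads the
# version string; stage 2 looks for the heartbeat code in libssl, which matters
# because Zimbra's patched builds keep their original version number.

# Extract the bare version token ("1.0.1h") from "openssl version" output such as
# "OpenSSL 1.0.1h 5 Jun 2014".
openssl_version_token() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL[[:space:]]\{1,\}\([0-9][0-9a-z.]*\).*$/\1/p'
}

# Stage 1: return 0 when the version number is one that shipped with the bug:
# 1.0.1 up to and including 1.0.1f. The 0.9.8 and 1.0.0 branches never had it,
# and 1.0.1g fixed it (1.0.2-beta1, also affected, is not handled here).
heartbleed_version_range() {
    case "$(openssl_version_token "$1")" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Stage 2: the advisory's "strings libssl.so | grep dtls1_heartbeat", done with
# POSIX tools only (tr turns every non-printable byte into a newline, which is
# what strings does for the purpose of this test). Returns 0 when the symbol is
# present, i.e. the heartbeat extension was compiled in.
libssl_has_heartbeat() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'dtls1_heartbeat'
}

# Combine both stages. Prints a verdict; returns 1 only when the build is both
# in the affected version range and still carries the heartbeat code. A build in
# range without the symbol is a Zimbra-style patched package (heartbeat disabled).
assess_heartbleed() {
    ver=$(openssl_version_token "$1"); lib=$2
    if heartbleed_version_range "$1"; then
        if libssl_has_heartbeat "$lib"; then
            echo "vulnerable: OpenSSL $ver with heartbeat compiled in"
            return 1
        fi
        echo "patched: OpenSSL $ver built without heartbeat"
        return 0
    fi
    echo "not affected by version: OpenSSL $ver"
    return 0
}

# Constructed stand-ins for libssl.so: a few NUL-separated symbol names, with or
# without dtls1_heartbeat. Real libraries are ELF files; only the string content
# matters for the test above.
write_sample_libssl() {
    if [ "$2" = with-heartbeat ]; then
        printf 'ELF\000\001ssl3_read_bytes\000dtls1_heartbeat\000tls1_enc\000' > "$1"
    else
        printf 'ELF\000\001ssl3_read_bytes\000tls1_enc\000' > "$1"
    fi
}

# Run with --demo to exercise the constructed samples. On a ZCS host the live
# check is, as the zimbra user:
#   assess_heartbleed "$(openssl version)" /opt/zimbra/openssl/lib/libssl.so
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_libssl "$tmp/unpatched.so" with-heartbeat
    write_sample_libssl "$tmp/patched.so" no-heartbeat
    assess_heartbleed 'OpenSSL 1.0.1f 6 Jan 2014' "$tmp/unpatched.so" || true
    assess_heartbleed 'OpenSSL 1.0.1f 6 Jan 2014' "$tmp/patched.so"
    assess_heartbleed 'OpenSSL 1.0.1h 5 Jun 2014' "$tmp/unpatched.so"
    assess_heartbleed 'OpenSSL 1.0.0k 5 Feb 2013' "$tmp/unpatched.so"
    rm -rf "$tmp"
fi
```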
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XXE vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>And it has been used to upload rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66204
Zimbra Security Advisories
2019-03-15T03:16:53Z
<p>Plobbes: added Khanh Viet Pham to CVE-2019-9670</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>Khanh Viet Pham <br /> An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66203
Zimbra Security Advisories
2019-03-14T20:55:04Z
<p>Plobbes: updated CVE-2018-20160 to note failure to backport to 8.7.x</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration software. For the latest releases and patches, please update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.x see [https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129] above <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6u41 <br /> Upgrade to OpenSSL 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66199
Zimbra Security Advisories
2019-03-12T18:40:35Z
<p>Plobbes: </p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest releases and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6u41 <br /> Upgrade to OpenSSL 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66198
Zimbra Security Advisories
2019-03-12T18:37:28Z
<p>Plobbes: - upgraded CVE-2016-9924 to Major / CVSSv2 scoring of 5.8</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest releases and patches, update your Zimbra Collaboration servers with the software available on our download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; however, older unsupported versions often have the same vulnerabilities and should be upgraded to supported versions as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td> - </td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td> - </td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td> - </td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66196
Zimbra Security Advisories
2019-03-11T21:23:06Z
<p>Plobbes: - updates for security bugs in queue</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p> <b>Note</b>: <u>only supported versions are referenced</u>; older, unsupported versions often carry the same vulnerabilities and should be upgraded to a supported version as soon as possible. <br /> <em>(going back to ZCS 7.1.3)</em></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109127 109127]</td><br />
<td>SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918] / [https://cwe.mitre.org/data/definitions/807.html CWE-807]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9621 CVE-2019-9621]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109124 109124]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8947 CVE-2019-8947]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109123 109123]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8946 CVE-2019-8946]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109122 109122]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-8945 CVE-2019-8945]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109117 109117]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td> - <!-- [https://nvd.nist.gov/vuln/detail/CVE-2019-xxxx CVE-2019-xxxx] --> </td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>Mondher Smii</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109129 109129]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611] <br />(8.7.x only)</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-9670 CVE-2019-9670]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch10</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>Uncontrolled Recursion [https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>Improper Access Control [https://cwe.mitre.org/data/definitions/284.html CWE-284] / Information Exposure Through Discrepancy [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66194
Zimbra Security Advisories
2019-03-08T21:53:18Z
<p>Plobbes: add description info for 104477, 103996, 102276, 102227, 99810, 99167</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<!--<br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
--><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td>Open Redirect [https://cwe.mitre.org/data/definitions/601.html CWE-601]</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>XXE (Admin) [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>Deserialization of Untrusted Data [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td>[https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS 8 OpenSSL for CVE-2014-0224 (CCS injection)</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS 8 OpenSSL for CVE-2014-0160 (Heartbleed)</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
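The score column of the table above is a CVSS v2 base score, and each linked NVD calculator URL carries the vector it was derived from. The shell function below is an added example, not part of the Zimbra wiki page or of Zimbra's tooling: it recomputes a v2 base score from such a vector so that a listed score can be checked against its own vector. The only inputs it relies on are the metric weights and rounding rule of the CVSS v2.0 specification; the function and script names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki: recompute a CVSS v2 base score
# from an NVD-style vector such as "(AV:N/AC:M/Au:N/C:P/I:P/A:N)", the form
# embedded in the calculator links of the table above.

# cvss2_base VECTOR
# Prints the base score to one decimal. Parentheses are optional and metric
# names are matched case-insensitively (one row above writes "AU:N").
# Exits 1 and prints a diagnostic on stderr for an unknown metric or value.
cvss2_base() {
  printf '%s\n' "$1" | tr -d '()' | tr 'a-z' 'A-Z' | awk -F'/' '
  BEGIN {
    # metric weights from the CVSS v2.0 specification
    AV["L"] = 0.395; AV["A"] = 0.646; AV["N"] = 1.0
    AC["H"] = 0.35;  AC["M"] = 0.61;  AC["L"] = 0.71
    AU["M"] = 0.45;  AU["S"] = 0.56;  AU["N"] = 0.704
    CIA["N"] = 0.0;  CIA["P"] = 0.275; CIA["C"] = 0.660
  }
  {
    for (i = 1; i <= NF; i++) {
      split($i, kv, ":")
      m[kv[1]] = kv[2]
    }
    if (!(m["AV"] in AV) || !(m["AC"] in AC) || !(m["AU"] in AU) ||
        !(m["C"] in CIA) || !(m["I"] in CIA) || !(m["A"] in CIA)) {
      print "cvss2_base: bad vector: " $0 > "/dev/stderr"
      exit 1
    }
    impact  = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploit = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["AU"]]
    f = (impact == 0) ? 0 : 1.176          # f(Impact) is 0 when there is no impact at all
    base = ((0.6 * impact) + (0.4 * exploit) - 1.5) * f
    printf "%.1f\n", int(base * 10 + 0.5) / 10   # v2 rounds half up to one decimal
  }'
}

# check_score VECTOR LISTED
# Returns 0 when LISTED equals the recomputed score, 1 (and prints both
# values) when it does not, and 2 when the vector itself is malformed.
check_score() {
  got=$(cvss2_base "$1") || return 2
  [ "$got" = "$2" ] && return 0
  echo "MISMATCH $1 listed=$2 computed=$got"
  return 1
}

# Usage: cvss2-check.sh VECTOR LISTED_SCORE   (script name is this example's own)
if [ $# -ge 2 ]; then
  check_score "$1" "$2" && echo "OK $1 = $2"
fi
```

Run over the rows above, every listed score reproduces from its own vector except the 2.3 in the CVE-2015-7609 row: the vector linked there, (AV:N/AC:H/Au:N/C:N/I:P/A:N), evaluates to 2.6 (the 6.4 for the other bug of that pair does reproduce). Rows scored "n/a" or against upstream CVEs carry no vector and cannot be checked this way.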
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66191
Security Center
2019-03-08T15:00:57Z
<p>Plobbes: - updated CVE-2019-6980 to 5.4 after discussions, added note here to highlight that change</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br /><br />
Please note, the rating has been upgraded to "<b>major</b>" because the original scoring did not cover all potentially available attack vectors.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <i class="fa fa-calendar"></i> March 8, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE-345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released March 8, 2018. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and for Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b>, which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released February 9, 2018 and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch cannot be applied yet, one workaround is to set zimbraPrefUseKeyboardShortcuts to FALSE for all users and classes of service. Note: this disables all ZCS-controlled keyboard shortcuts, not only the affected ones, and may impact normal use of the web client.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
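<p class="text-justify">The following script is an added example and is not part of the original post or of ZCS; it applies the workaround above across a deployment and is written so that it can be re-run safely. It assumes it is executed as the zimbra user with zmprov in PATH; the function names (pref_value, needs_change, apply_all) are this example's own. The point it makes beyond the text: setting the preference on a class of service only changes the default, so an account that has explicitly saved TRUE keeps showing display names until the account itself is changed.</p><br />

```sh
#!/bin/sh
# Added example, not part of the original post or of ZCS: apply the Mailsploit
# workaround (zimbraPrefShortEmailAddress=FALSE) to every class of service and
# then to every account that still overrides it. Assumes it runs as the zimbra
# user with zmprov in PATH; function names are this example's own.

ATTR=zimbraPrefShortEmailAddress

# pref_value: read `zmprov gc ...` / `zmprov ga ...` output on stdin and print
# the value of $ATTR (TRUE/FALSE), or nothing when the attribute is unset.
pref_value() {
    awk -v a="$ATTR:" '$1 == a { v = $2 } END { if (v != "") print v }'
}

# needs_change OUTPUT: true (0) when OUTPUT shows the pref is anything but
# FALSE. An unset value is treated as needing a change as well.
needs_change() {
    v=$(printf '%s\n' "$1" | pref_value)
    [ "$v" != "FALSE" ]
}

# apply_all: set the pref on every COS first (this becomes the value for every
# account that never touched the preference), then on every account that still
# reports something other than FALSE, because an account-level value overrides
# the COS value and would otherwise keep showing display names.
apply_all() {
    changed=0
    for cos in $(zmprov gac); do
        if needs_change "$(zmprov gc "$cos" "$ATTR")"; then
            zmprov mc "$cos" "$ATTR" FALSE && changed=$((changed + 1))
        fi
    done
    echo "classes of service changed: $changed"
    # -l talks to LDAP directly, which is much faster for a full account sweep
    zmprov -l gaa | while read -r acct; do
        if needs_change "$(zmprov -l ga "$acct" "$ATTR")"; then
            zmprov -l ma "$acct" "$ATTR" FALSE && echo "account changed: $acct"
        fi
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

<p class="text-justify">Run it as <code>sh mailsploit-pref.sh --apply</code> on one mailbox server; without the flag it only defines the functions. The per-account sweep can take a while on large deployments, and it does not stop users from re-enabling the option in their preferences, so the upgrade to 8.8.7 remains the real fix.</p><br />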
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following issues, both tracked under a single CVE (CVE-2017-8783), were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum set of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107: clear the AES-NI and PCLMULQDQ capability bits so OpenSSL uses its generic AES-CBC code path instead of the affected AES-NI one<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform), so that sudo, which Zimbra's control scripts use to start nginx and postfix, passes the variable through instead of scrubbing it:<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - tells Postfix to import the variable into its daemons' environment (this localconfig key feeds Postfix's import_environment setting):<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
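<p class="text-justify">The script below is an added example, not part of the original post, bug 104982 or ZCS: it applies the three steps above idempotently (so it can be re-run on every node without duplicating lines), extends rather than overwrites the Postfix import list, and verifies the result. It must run as root; PROFILE and SUDOERS can be pointed at scratch files for a dry run, and the function names are this example's own.</p><br />

```sh
#!/bin/sh
# Added example, not part of the original post or of ZCS: apply the three
# CVE-2016-2107 workaround steps idempotently and verify them. Run as root.
# PROFILE/SUDOERS can be overridden for a dry run; function names are ours.

PROFILE="${PROFILE:-/opt/zimbra/.bash_profile}"
SUDOERS="${SUDOERS:-/etc/sudoers}"
CAP_LINE='export OPENSSL_ia32cap="~0x200000200000000"'
SUDO_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# append_once FILE LINE: append LINE unless it is already present verbatim.
append_once() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# count_line FILE LINE: number of verbatim occurrences of LINE (0 if none).
count_line() {
    n=$(grep -cxF -- "$2" "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"
}

# add_token LIST WORD: print the space-separated LIST with WORD appended once,
# so an existing postfix_import_environment value is extended, not replaced.
add_token() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *) printf '%s\n' "${1:+$1 }$2" ;;
    esac
}

# write_files: steps 1 and 2 (zimbra's .bash_profile and the sudoers env_keep).
write_files() {
    append_once "$PROFILE" "# workaround CVE-2016-2107: disable AES-NI in OpenSSL"
    append_once "$PROFILE" "$CAP_LINE"
    # zmproxyctl/zmmtactl start nginx and postfix through sudo, which scrubs
    # the environment unless the variable is listed in env_keep
    append_once "$SUDOERS" "$SUDO_LINE"
}

# verify_files: true when each line is present exactly once.
verify_files() {
    [ "$(count_line "$PROFILE" "$CAP_LINE")" -eq 1 ] &&
    [ "$(count_line "$SUDOERS" "$SUDO_LINE")" -eq 1 ]
}

# apply_workaround: all three steps plus a sudoers syntax check.
apply_workaround() {
    write_files
    visudo -cf "$SUDOERS" >/dev/null || { echo "sudoers syntax error, fix before continuing" >&2; return 1; }
    # step 3: extend the list Postfix imports instead of overwriting it
    cur=$(su - zimbra -c 'zmlocalconfig -m nokey postfix_import_environment')
    new=$(add_token "$cur" OPENSSL_ia32cap)
    su - zimbra -c "zmlocalconfig -e postfix_import_environment='$new'"
    verify_files && echo "workaround applied; now run: su - zimbra -c 'zmcontrol restart'"
}

if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

<p class="text-justify">After <code>zmcontrol restart</code>, confirm the variable reaches a login shell with <code>sudo -u zimbra -i sh -c 'echo $OPENSSL_ia32cap'</code> and re-run the test tool linked above against the proxy; the mask is only effective for processes started from an environment that carries it, so services started before the change are still on the AES-NI code path.</p><br />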
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you can not patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, this issue exists only in OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o, while the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows the lower cipher grades for opportunistic TLS (the default was only raised to 'medium' in Postfix releases after mid-2015). Changing these to 'medium' can reduce client interoperability and, because opportunistic TLS falls back to plaintext when no cipher can be agreed, may cause some peers to use an in-the-clear channel instead of lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used for mailboxd, and Java 1.7 hard-codes the DH parameters at 768 bits (export cipher suites use 512 bits, but those should already be disabled). The workaround is to always terminate TLS at the (Nginx) Proxy, so that clients negotiate with OpenSSL rather than with the Java TLS stack. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
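<p class="text-justify">As an added example (not part of the original post or of ZCS), the function below audits the Postfix cipher-grade settings this post talks about, reading <code>postconf -n</code> output (or any main.cf-style listing) on stdin and reporting every grade parameter set to 'export', 'low' or 'null'. It assumes the ZCS build of postconf under /opt/zimbra, and the function name is this example's own.</p><br />

```sh
#!/bin/sh
# Added example, not part of the original post or of ZCS: report the Postfix
# TLS cipher-grade parameters that still allow Logjam/FREAK-grade ciphers.
# Input is `postconf -n` output on stdin; the function name is ours.

# weak_cipher_grades: print "parameter=grade" for each of
#   smtp_tls_ciphers / smtpd_tls_ciphers            (opportunistic TLS)
#   smtp_tls_mandatory_ciphers / smtpd_tls_mandatory_ciphers (required TLS)
# whose value is export, low or null. smtp_* is the outbound client side,
# smtpd_* the inbound server side. Exit status 1 when anything was found.
weak_cipher_grades() {
    awk '
        /^[a-z_]+[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val  = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (name ~ /^smtpd?_tls_(mandatory_)?ciphers$/ && val ~ /^(export|low|null)$/) {
                print name "=" val
                found = 1
            }
        }
        END { if (found) exit 1 }
    '
}

# On a ZCS MTA node (path is the usual 8.6 location, an assumption here):
#   /opt/zimbra/postfix/sbin/postconf -n | weak_cipher_grades
```

<p class="text-justify">A non-empty report means the MTA will still negotiate the grades this post recommends avoiding. On ZCS do not edit main.cf by hand, since Zimbra regenerates it from LDAP; persist the change through the zmprov attributes described in the linked MTA Ciphers section, then re-run the audit. Keep the opportunistic/mandatory distinction in mind when raising the grade: with <code>smtpd_tls_security_level = may</code>, a peer that cannot meet 'medium' will simply send in the clear.</p><br />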
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and utilizes [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export grade encryption (READ: weak encryption). [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit RSA, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that a 512-bit key can be cracked today in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability was found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and is tracked as [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the bug had already been fixed upstream in May 2013 (between glibc 2.17 and 2.18), but at the time the fix was not categorized as a security issue, so distributions shipping long-term stable glibc versions kept the vulnerable code. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. Although a Linux update does not usually require a reboot, running processes keep the old glibc mapped until they are restarted, so restart all services (or reboot) to ensure the patched library is actually in use.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS variant of the POODLE attack (an implementation flaw in some TLS stacks that do not check the padding bytes). SSL/TLS services in ZCS come from OpenSSL and Java. OpenSSL is not affected by this variant (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a<span class="Apple-converted-space">&nbsp;</span>[https://www.openssl.org/news/secadv_20140605.txt security advisory].<span class="Apple-converted-space">&nbsp;</span>[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]<span class="Apple-converted-space">&nbsp;</span>can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to the OpenSSL shipped in ZCS 8. Other components in the ZCS package also link to the OpenSSL libraries, but these three are the potentially Internet-facing services that would be attackable. All versions of ZCS 8 released as of today are vulnerable. ZCS 7 ships OpenSSL 1.0.0, and the server side of this attack is only known to be exploitable against OpenSSL 1.0.1 (and 1.0.2-beta1), so ZCS 7 servers are not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for this OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct, patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to the OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following. As root:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>Then, as user zimbra:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps.</p><br />
<p>1) Download the appropriate openssl build (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
</pre><br />
<p>then wget the correct version from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>2) Install it in place of the existing build (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /opt/zimbra<br />
mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>3) Restart ZCS (as user zimbra):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>(look for "8.0.3")</p><br />
<p>Please use the test methods below to confirm.</p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
<p>Please let Zimbra know promptly of any problems or questions.</p><br />
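<p>As an added example (not part of these advisories and not Zimbra's own tooling), the post-patch checks from the CCS Injection post (the <code>openssl version</code> result) and from the Heartbleed Testing section above (the 8.0.7 build number from <code>zmcontrol -v</code> and the dtls1_heartbeat symbol in libssl) can be scripted so that each node reports its state in one run. The helpers below assume they run as the zimbra user on a ZCS node with <code>openssl</code> and <code>zmcontrol</code> on the PATH; the expected version, minimum build number and libssl path are passed as arguments so the same script serves different ZCS releases. The version and build strings the functions are exercised with are constructed from the values quoted in the advisories, not captured from a live system.</p><br />

```shell
#!/bin/sh
# Added example, not from the Zimbra advisories: post-patch verification
# helpers for the OpenSSL CCS Injection / Heartbleed patch process.
# Assumes it runs as the zimbra user with openssl and zmcontrol on the PATH.

# Extract the version token from one line of `openssl version` output.
#   "OpenSSL 1.0.1h 5 Jun 2014" -> "1.0.1h"
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Succeed only if the reported version ($1) equals the expected one ($2).
check_openssl_version() {
    [ "$(openssl_version_token "$1")" = "$2" ]
}

# Extract the build number from one line of `zmcontrol -v` output.
#   "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition." -> "6021"
# Prints nothing for lines that do not follow the Release ..._GA_<build>. layout.
zmcontrol_build_number() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9]*\)\..*/\1/p'
}

# Succeed only if the ZCS build number in $1 is at least $2 (6021 for a fixed 8.0.7).
check_zcs_build_at_least() {
    build=$(zmcontrol_build_number "$1")
    [ -n "$build" ] && [ "$build" -ge "$2" ]
}

# Heartbeat test from the advisory: a libssl.so that still carries the
# dtls1_heartbeat symbol was built with TLS heartbeats enabled.
# grep -a replaces `strings | grep` so the check does not depend on binutils.
# Succeeds when the symbol is absent (the advisory's "Not Vulnerable" case).
libssl_heartbeat_absent() {
    ! grep -aq 'dtls1_heartbeat' "$1"
}

# Run all three checks against the live node and report each result.
#   usage: verify_zimbra_openssl 1.0.1h 6021 /opt/zimbra/openssl/lib/libssl.so
# Returns non-zero if any check fails, so it can gate a fleet-wide rollout.
verify_zimbra_openssl() {
    expected_version=$1; min_build=$2; libssl=$3
    rc=0
    if check_openssl_version "$(openssl version)" "$expected_version"; then
        echo "openssl version: OK ($expected_version)"
    else
        echo "openssl version: MISMATCH, got '$(openssl version)'"; rc=1
    fi
    if check_zcs_build_at_least "$(zmcontrol -v)" "$min_build"; then
        echo "ZCS build: OK (>= $min_build)"
    else
        echo "ZCS build: older than $min_build or not a GA release line, OpenSSL patch still required"; rc=1
    fi
    if libssl_heartbeat_absent "$libssl"; then
        echo "libssl heartbeat symbol: absent (not vulnerable)"
    else
        echo "libssl heartbeat symbol: PRESENT (vulnerable)"; rc=1
    fi
    return $rc
}
```

<p>On an 8.0.7 node patched as described above, <code>verify_zimbra_openssl 1.0.1h 6021 /opt/zimbra/openssl/lib/libssl.so</code> should report all three checks as OK; on earlier ZCS releases pass the OpenSSL version the advisory states for that release, since Zimbra patches the existing version rather than moving every release to 1.0.1h. Note that <code>zmcontrol_build_number</code> deliberately matches only the <code>Release ..._GA_</code> layout, so the build check fails closed on output it does not recognise.</p><br />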
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your existing ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.11/P3&diff=66190
Zimbra Releases/8.8.11/P3
2019-03-08T14:52:53Z
<p>Plobbes: - updated CVE-2019-6980 to 5.4 after discussions</p>
<hr />
<div><br />
=Zimbra Collaboration 8.8.11 Patch 3 GA Release=<br />
<br />
<div class="col-md-9"><br />
Check out the '''"[[#security|Security Fixes]]"''', '''"[[#fixed|Fixed Issues]]"''' and '''"[[#ng-changelog|Zimbra NG Changelog]]"''' sections for this version of Zimbra Collaboration. Please refer to the '''"[[#installation|Patch Installation]]"''' section for patch installation instructions. As always, you're encouraged to tell us what you think in the Forums, or open a support ticket to report issues.<br />
<br />
=Security Fixes=<br />
<div id="security"></div><br />
Information about security fixes, the security response policy and the vulnerability rating classification is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] for details.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization - IMAP [CWE-502]</td><br />
<td>CVE-2019-6980</td><br />
<td style="text-align: center; ">5.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.8.11 Patch 3</td><br />
</tr><br />
</table><br />
<br />
=Software changes=<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="fixed">Fixed Issues </div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1"><br />
* Fixed an issue where Proxies do not fail over to the next mailbox server if the server is hung<br />
* Fixed an issue with viewing HTML emails in Chrome 73<br />
* Fixed a login issue in the ajax client on the Edge 44 browser<br />
* Fixed an issue where the web client doesn't display PDF files attached to mails sent with Apple Mail<br />
* zimbraMtaBlockedExtension now works when sending a file with trailing spaces<br />
</td></tr><br />
</table><br />
<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1">'''Docs:'''<br />
* Fixed a preview issue with Chinese filenames in mail<br />
* Docs now handles files with names longer than 255 bytes<br />
* Docs preview now works from email if the attachment filename is not encoded<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* Fixed error handling in the restore wizard if the date is not correct<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Fixed appointment syncing between android devices and Zimbra account which previously shifted by 1 hour<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Backup:'''<br />
* Fixed the restore operation when the target account does not exist<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Zimlet:'''<br />
* Items remain selected after changing view<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Server:'''<br />
* Drive now works in a multi-server environment<br />
* Cleanup service errors<br />
* Shares are preserved in a multi-server environment<br />
* Fixed inconsistent data in Drive share cluster service<br />
</td></tr><br />
</table><br />
<br />
=Patch Installation=<br />
<div id="installation"></div><br />
<font color="blue">'''Note on fixes in this Patch: '''</font><font color = "red">'''Please read this section'''</font> before proceeding with the Patch 3 installation.<br />
* This patch includes fixes '''on MTA and Proxy'''.<br />
* The latest core packages can be installed by installing the zimbra-patch package.<br />
* As the proxy package is an add-on package, it should be installed only on the Proxy node. The Zimbra version checked on the Proxy node with "zmcontrol -v" will show as 'Patch 8.8.11_P3 Proxy'. Similarly, the MTA patch is an add-on package and should be installed only on the MTA node; its version can be checked with "zmcontrol -v", which will show 'Patch 8.8.11_P3 mta'.<br />
* If the Proxy/MTA services run on the mailbox node, the admin can install the mta and proxy patches first and then zimbra-patch. In this case, "zmcontrol -v" will show the version as 'Patch 8.8.11_P3'.<br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have set up a local ZCS repository should first update the local repository by following the instructions in the [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki]<br />
<br />
==Install the Patch==<br />
* Please note that installing the zimbra-patch package only updates the Zimbra core packages.<br />
<br />
===8.8.11 Patch 3 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.11.1551122329.p3-1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
zimbra-common-core-jar -> 8.8.11.1550743200-1<br />
zimbra-proxy-components -> 1.0.3-1zimbra8.7b1<br />
zimbra-nginx -> 1.7.1-1zimbra8.7b12<br />
zimbra-mta-patch -> 8.8.11.1551122329.p3<br />
zimbra-proxy-patch -> 8.8.11.1550839189.p3<br />
zimbra-mbox-webclient-war -> 8.8.11.1550576235-1<br />
<br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.11.1551122329.p3-2<br />
zimbra-network-modules-ng -> 4.0.4.1550760692<br />
zimbra-zco -> 8.8.11.1.0.0.1546517612-1<br />
zimbra-docs -> 3.0.0.1544425929-1<br />
zimbra-drive-ng -> 1.0.7.1550251415-1<br />
<br />
Please refer to the steps below for 8.8.11 Patch 3 installation on Redhat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<br />
==== 1. Installing zimbra packages individually ====<br />
<br />
<br />
<div id="install"><br />
'''Install/Upgrade zimbra-proxy-components on Proxy node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-proxy-components<br />
* Restart proxy as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
'''Install/Upgrade zimbra-proxy-patch on Proxy node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-proxy-patch<br />
* Restart proxy and memcached as the zimbra user:<br />
su - zimbra<br />
zmproxyctl restart<br />
zmmemcachedctl restart<br />
<br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-mta-patch<br />
* Restart amavisd as the zimbra user:<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch. Type the command below:<br />
yum install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
</div><br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
<br/><br />
* As root, Type below command. <br />
yum install zimbra-chat <br />
* Switch to user zimbra<br />
su – zimbra<br />
* Zimbra mailbox service must be restarted to changes to take effect. Type below command:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, Type below command. <br />
yum clean metadata <br />
yum check-update <br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra<br />
su – zimbra<br />
* Zimbra mailbox service must be restarted to changes to take effect. Type below command:<br />
zmmailboxdctl restart<br />
<br/><br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, Type below command. <br />
yum install zimbra-docs<br />
* Switch to user zimbra<br />
su – zimbra<br />
* Zimbra mailbox service must be restarted to changes to take effect. Type below command:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
<br />
* As root, type the command below:<br />
yum install zimbra-drive-ng<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below to clear the yum cache:<br />
yum clean metadata<br />
* As root, type the command below the first time so the server sees the new zimbra-patch package in the 8810 patch repository:<br />
yum check-update<br />
* As root, type the command below to update most of the available packages:<br />
yum update<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install2"><br />
'''Install/Upgrade zimbra-proxy-components on Proxy node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-proxy-components<br />
* Restart proxy as zimbra user<br />
su - zimbra<br />
zmproxyctl restart<br />
<br />
'''Install/Upgrade zimbra-proxy-patch on Proxy node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-proxy-patch<br />
* Restart proxy as zimbra user<br />
su - zimbra<br />
zmproxyctl restart<br />
zmmemcachedctl restart<br />
<br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-mta-patch<br />
* Restart amavisd as zimbra user<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br/><br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-docs<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
<br />
* As root, type the command below:<br />
apt-get install zimbra-drive-ng<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below the first time so the server sees the new zimbra-patch package in the 889 patch repository:<br />
apt-get update<br />
* As root, type the command below to update most of the available packages:<br />
apt-get upgrade<br />
OR<br />
* As root, type the command below to update all available packages plus any kernel updates:<br />
apt-get dist-upgrade<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.10/P7&diff=66189
Zimbra Releases/8.8.10/P7
2019-03-08T14:52:34Z
<p>Plobbes: - updated CVE-2019-6980 to 5.4 after discussions</p>
<hr />
<div><br />
=Zimbra Collaboration 8.8.10 Patch 7 GA Release=<br />
<br />
<div class="col-md-9"><br />
Check out the '''"[[#security|Security Fixes]]"''', '''"[[#fixed|Fixed Issues]]"''' and '''"[[#ng-changelog|Zimbra NG Changelog]]"''' for this version of Zimbra Collaboration. Refer to the '''"[[#installation|Patch Installation]]"''' section for patch installation instructions. Also check '''"[[#nginxfix|Nginx Bug Fix]]"''' for the recent Nginx bug fix. As always, you're encouraged to tell us what you think in the Forums, or to open a support ticket to report issues.<br />
<br />
=Security Fixes=<br />
<div id="security"></div><br />
Information about security fixes, the security response policy and the vulnerability rating classification is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] pages for details.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization - IMAP [CWE-502]</td><br />
<td>CVE-2019-6980</td><br />
<td style="text-align: center; ">5.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.8.10 Patch 7</td><br />
</tr><br />
</table><br />
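Every score in the Security Fixes tables on this page is a CVSS v2 base score, and the advisory table further down links each score to its v2 vector (for CVE-2019-6980 that is (AV:A/AC:M/Au:N/C:P/I:P/A:P)). The Python below is an added example, not part of the wiki page or of Zimbra's tooling: it recomputes a base score from such a vector string and rechecks the published scores, so a reader can verify a rating like the 5.4 here without relying on the calculator link.

```python
"""Recompute CVSS v2 base scores from advisory vector strings (added example)."""
import math
import re

# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Matches the "(AV:N/AC:L/Au:S/C:P/I:N/A:N)" form used in the advisory table links;
# the surrounding parentheses are optional.
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def round_to_1_decimal(value: float) -> float:
    """CVSS rounding: round half up to one decimal (not Python's banker's rounding)."""
    return math.floor(value * 10 + 0.5) / 10


def cvss2_base_score(vector: str) -> float:
    """Return the CVSS v2 base score for a v2 base vector string."""
    match = VECTOR_RE.match(vector.strip())
    if match is None:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    av, ac, au, conf, integ, avail = match.groups()
    impact = 10.41 * (
        1
        - (1 - IMPACT_WEIGHT[conf])
        * (1 - IMPACT_WEIGHT[integ])
        * (1 - IMPACT_WEIGHT[avail])
    )
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f_impact = 0.0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Bug number, vector and published score, copied from the advisory table on this page.
ADVISORY_ROWS = [
    ("109097", "(AV:A/AC:M/Au:N/C:P/I:P/A:P)", 5.4),
    ("109093", "(AV:N/AC:L/Au:N/C:P/I:P/A:N)", 6.4),
    ("109017", "(AV:N/AC:M/Au:N/C:N/I:P/A:N)", 4.3),
    ("109018", "(AV:N/AC:H/Au:N/C:N/I:P/A:N)", 2.6),
    ("108970", "(AV:N/AC:M/Au:S/C:N/I:P/A:N)", 3.5),
    ("108894", "(AV:N/AC:H/Au:S/C:P/I:P/A:N)", 3.6),
    ("97579", "(AV:N/AC:M/Au:N/C:P/I:P/A:N)", 5.8),
    ("109012", "(AV:N/AC:L/Au:N/C:P/I:N/A:N)", 5.0),
]


def check_advisory_scores(rows=ADVISORY_ROWS):
    """Recompute each row's score; return a list of (bug, published, computed) mismatches."""
    mismatches = []
    for bug, vector, published in rows:
        computed = cvss2_base_score(vector)
        if computed != published:
            mismatches.append((bug, published, computed))
    return mismatches


if __name__ == "__main__":
    for bug, vector, published in ADVISORY_ROWS:
        print(f"Bug {bug}: {vector} -> {cvss2_base_score(vector)} (published {published})")
    print("mismatches:", check_advisory_scores())
```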
<br />
=Software changes=<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="fixed">Fixed Issues</div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1"><br />
* Fixed an issue with viewing HTML emails in chrome 73<br />
* Fixed login issue in ajax client on Edge 44 browser<br />
* zimbraMtaBlockedExtension is now working when sending a file with trailing spaces<br />
</td></tr><br />
<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* Fixed error handling in the restore wizard if the date is not correct<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Fixed appointment syncing between android devices and Zimbra account which previously shifted by 1 hour<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Backup:'''<br />
* Fixed the restore operation when the target account does not exist<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Zimlet:'''<br />
* Items remain selected after changing the view<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Drive Server:'''<br />
* Fixed inconsistent data in Drive share cluster service<br />
</td></tr><br />
</table><br />
<br />
=Patch Installation=<br />
<div id="installation"></div><br />
<font color="blue">'''Note on fixes in this Patch: '''</font><font color = "red">'''Please read this section'''</font> before proceeding with the Patch 7 installation.<br />
* This patch includes fixes '''on MTA'''.<br />
* The latest core packages can be installed by installing the zimbra-patch package.<br />
* The MTA patch is an add-on package; it should be installed only on the MTA node, and its version can be checked with "zmcontrol -v". The command will show the version as 'Patch 8.8.10_P7 mta'.<br />
* If the MTA services are on the mailbox node, the admin can install the MTA patch first and then zimbra-patch. In this case, "zmcontrol -v" will show the version as 'Patch 8.8.10_P7'.<br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have setup local ZCS repository should first update the local repository by following instructions in [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki]<br />
<br />
==Install the Patch==<br />
* Note that installing the zimbra-patch package only updates the Zimbra core packages.<br />
<br />
===8.8.10 Patch 7 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.10.1551121351.p7-1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
zimbra-common-core-jar -> 8.8.10.1550743009-1<br />
zimbra-mbox-webclient-war -> 8.8.10.1550576405-1<br />
zimbra-network-store -> 8.8.10.1542096286-1<br />
zimbra-ldap-components -> 1.0.2-1zimbra8.7b1<br />
zimbra-drive -> 1.0.12.1542291479<br />
zimbra-mta-patch -> 8.8.10.1551121351.p7<br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.10.1551121351.p7-2<br />
zimbra-network-modules-ng -> 3.0.7.1550249955-1<br />
zimbra-docs -> 2.0.2.1542045176-1<br />
zimbra-talk -> 3.0.3.1540571542-1<br />
zimbra-drive-ng -> 1.0.3.1548323480-1<br />
<br />
Refer to the steps below for 8.8.10 Patch 7 installation on Redhat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install"><br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
yum clean metadata <br />
yum check-update <br />
yum install zimbra-mta-patch<br />
* Restart amavisd as zimbra user<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-patch<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
</div><br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-chat<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-docs<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
After installing the zimbra-drive-ng package on a machine that already has the old Drive, two tabs with the same name "Drive" appear, one for the open Drive and one for the latest Drive. This is a known issue and we are working on it.<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-drive-ng<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
yum install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below to clear the yum cache:<br />
yum clean metadata<br />
* As root, type the command below the first time so the server sees the new zimbra-patch package in the 8810 patch repository:<br />
yum check-update<br />
* As root, type the command below to update most of the available packages:<br />
yum update<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install2"><br />
'''Install/Upgrade zimbra-mta-patch on MTA node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-mta-patch<br />
* Restart amavisd as zimbra user<br />
su - zimbra<br />
zmamavisdctl restart<br />
<br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-docs<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
After installing the zimbra-drive-ng package on a machine that already has the open Drive, two tabs with the same name "Drive" appear, one for the open Drive and one for the latest Drive. This is a known issue and we are working on it.<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-drive-ng<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type the command below:<br />
apt-get install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below the first time so the server sees the new zimbra-patch package in the 889 patch repository:<br />
apt-get update<br />
* As root, type the command below to update most of the available packages:<br />
apt-get upgrade<br />
OR<br />
* As root, type the command below to update all available packages plus any kernel updates:<br />
apt-get dist-upgrade<br />
* Switch to user zimbra<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
</div><br />
<br />
<div id="nginxfix"><br />
==Nginx Bug Fix==<br />
We have fixed a critical Proxy/Nginx bug where the Proxy does not fail over correctly under certain conditions. This fix is in the zimbra-nginx package, which is not included in this patch installation. To get the latest zimbra-nginx package, follow the steps in the wiki at https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/nginx_hotfix</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.7.11/P9&diff=66188
Zimbra Releases/8.7.11/P9
2019-03-08T14:52:05Z
<p>Plobbes: - updated CVE-2019-6980 to 5.4 after discussions</p>
<hr />
<div><br />
<ol class="breadcrumb"><br />
<li>[[Main Page|Zimbra Wiki]]</li><br />
<li>[[Zimbra Releases]]</li><br />
<li class="active">Zimbra Collaboration 8.7.11 Patch 9</li><br />
</ol><br />
__FORCETOC__<br />
<div class="col-md-12"><br />
<div class="col-md-9"><br />
<br />
=Zimbra Collaboration 8.7.11 Patch 9 GA Release=<br />
<br />
Check out the '''"[[#fixed|Fixed Issues]]"''' and '''"[[#security|Security Fixes]]"''' for this version of Zimbra Collaboration below. Also check '''"[[#nginxfix|Nginx Bug Fix]]"''' for the recent Nginx bug fix. As always, you're encouraged to tell us what you think in the '''[https://forums.zimbra.org/ Forum]''', or to open a support ticket.<br />
<br />
<div class="col-md-9"><br />
<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="fixed">Fixed Issues</div></h4></th><br />
</tr><br />
<tr><td class="col-md-10">Fixed an issue with viewing HTML emails in chrome 73</td></tr><br />
<tr><td class="col-md-10">Fixed login issue in ajax client on Edge 44 browser</td></tr><br />
</table><br />
<br />
==Security Fixes==<br />
<div id="security"></div><br />
Information about security fixes, the security response policy and the vulnerability rating classification is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] pages for details.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization - IMAP [CWE-502]</td><br />
<td>CVE-2019-6980</td><br />
<td style="text-align: center; ">5.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.7.11 Patch9</td><br />
</tr><br />
</table><br />
<br />
<div id="nginxfix"><br />
==Nginx Bug Fix==<br />
We have fixed a critical Proxy/Nginx bug where the Proxy does not fail over correctly under certain conditions. This fix is in the zimbra-nginx package, which is not included in this patch installation. To get the latest zimbra-nginx package, follow the steps in the wiki at https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/nginx_hotfix</div><br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Zimbra Collaboration patches can be found at https://www.zimbra.com/downloads/zimbra-collaboration/<br />
* Patches are cumulative, and delivered as a TGZ file.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
<br />
==Install the Patch ==<br />
Note: This patch should be installed '''only''' on '''mailbox''' nodes, and on '''all''' mailbox nodes running in your environment.<br />
<br />
'''1.''' Before you begin, confirm you have the following:<br />
* Zimbra Collaboration 8.7.11 GA installed<br />
* Zimbra Collaboration 8.7.11 Patch 9 TGZ file<br />
<br />
'''2.''' Copy the patch.tgz file(s) to your server.<br />
<br />
'''3.''' Install Zimbra Collaboration 8.7.11 Patch 9<br />
* a. Log in as root and cd to the directory where the tar file is saved. Type<br />
tar xzf zcs-patch-8.7.11_GA_XXX.tgz<br />
cd zcs-patch-8.7.11_GA_XXX<br />
* b. As root, install the patch. Type<br />
./installPatch.sh<br />
* c. Switch to user zimbra<br />
su - zimbra<br />
* d. ZCS must be restarted for the changes to take effect. Type<br />
zmcontrol restart<br />
<br />
Refer to the steps below for zimbra-chat package installation on Redhat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<div id="install"><br />
'''Install/Upgrade zimbra-chat on mailstore node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-chat<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
</div><br />
<br />
=== Ubuntu ===<br />
'''Install/Upgrade zimbra-chat on mailstore node for FOSS and NETWORK'''<br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
zmmailboxdctl restart<br />
<br />
'''Note:''' For users who have the web-client open and are running the FOSS edition, the refresh notice might state that you have changed to the NETWORK Edition; however, your feature set will remain FOSS only.<br />
<br />
</div><br />
</div><br />
<div class="col-md-3">{{GuidePosts}}</div><br />
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66187
Zimbra Security Advisories
2019-03-08T14:39:19Z
<p>Plobbes: - updated CVE-2019-6980 to 5.4 after discussions</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<!--<br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
--><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:A/AC:M/Au:N/C:P/I:P/A:P) 5.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66181
Security Center
2019-03-04T22:16:42Z
<p>Plobbes: added special acknowledgement for An Trinh</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
<p class="text-justify"> A special thanks to <b>An Phuoc Trinh</b>, of Viettel Cyber Security, who has been going the extra mile to report his findings to us. His efforts are greatly appreciated!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client ([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and for Mailsploit-related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b>, which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE, which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
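<p class="text-justify">The three steps above as one idempotent script, added here as an example and not taken from the Zimbra wiki or the ZCS product: the profile and sudoers paths are parameters so the functions can be exercised against scratch files (on a ZCS host they are /opt/zimbra/.bash_profile and /etc/sudoers, edited as root), the zmlocalconfig step is the command from the list above, and a small decoder shows which CPUID features the mask constant actually disables.</p><br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: apply the three
# CVE-2016-2107 workaround steps idempotently and verify the result.
# $1 of apply_profile/apply_sudoers is a file path so the functions can be
# run against scratch files; the real targets are /opt/zimbra/.bash_profile
# and /etc/sudoers (or a sudoers drop-in), edited as root.

# Mask from the wiki. The leading "~" tells OpenSSL to clear the listed bits.
# In OPENSSL_ia32cap the low 32 bits mirror CPUID.1:EDX and bits 32-63 mirror
# CPUID.1:ECX, so bit 57 is AES-NI (ECX.25) and bit 33 is PCLMULQDQ (ECX.1).
IA32CAP_MASK='~0x200000200000000'
PROFILE_COMMENT='# workaround CVE-2016-2107'
PROFILE_LINE="export OPENSSL_ia32cap=\"$IA32CAP_MASK\""
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# Append a line to a file unless that exact line is already present,
# so running the workaround twice does not duplicate it.
ensure_line() {
  [ -f "$1" ] || : > "$1"
  grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Step 1: export the mask from user zimbra's .bash_profile ($1 = profile path).
apply_profile() {
  ensure_line "$1" "$PROFILE_COMMENT"
  ensure_line "$1" "$PROFILE_LINE"
}

# Step 2: keep the variable when switching users via sudo ($1 = sudoers path).
apply_sudoers() {
  ensure_line "$1" "$SUDOERS_LINE"
}

# Step 3: tell Postfix to import the variable (command from the wiki). Runs
# only where zmlocalconfig exists, i.e. as the zimbra user on a ZCS host.
apply_postfix_env() {
  command -v zmlocalconfig >/dev/null 2>&1 || return 0
  zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'
}

# Verification: succeed only when both files carry the exact expected lines.
check_workaround() {
  grep -qxF -- "$PROFILE_LINE" "$1" 2>/dev/null &&
  grep -qxF -- "$SUDOERS_LINE" "$2" 2>/dev/null
}

# Decode which CPUID.1:ECX features a "~0x..." mask disables (comma separated)
# so the constant above can be checked rather than trusted.
ia32cap_disabled() {
  mask=${1#\~}
  out=''
  for bit in 33 51 52 57 60; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      case $bit in
        33) f=PCLMULQDQ ;; 51) f=SSE4.1 ;; 52) f=SSE4.2 ;;
        57) f=AES-NI ;;    60) f=AVX ;;
      esac
      out="${out:+$out,}$f"
    fi
  done
  printf '%s' "$out"
}
```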
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br /><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, while this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to in-the-clear communication channels instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
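<p>As an added example (not Zimbra's or Postfix's own code), the following POSIX shell script audits a Postfix main.cf for the cipher grades the note above says to avoid. The parameter names are standard Postfix settings; the function names and the two main.cf samples it writes are constructed for the demonstration and mirror a pre-hardening and a hardened MTA.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's or Postfix's own code: flag Postfix cipher-grade
# settings below 'medium' ('null', 'export', 'low'), which the Logjam note
# above recommends avoiding. Postfix main.cf syntax is "name = value".

# Standard Postfix parameters that select a minimum TLS cipher grade.
CIPHER_PARAMS="smtpd_tls_ciphers smtpd_tls_mandatory_ciphers smtp_tls_ciphers smtp_tls_mandatory_ciphers"

# postfix_param FILE PARAM: print the last value assigned to PARAM in FILE,
# or nothing when it is not set (Postfix's built-in default then applies).
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# grade_is_weak GRADE: succeed when GRADE is below 'medium'.
grade_is_weak() {
    case "$1" in
        null|export|low) return 0 ;;
        *)               return 1 ;;
    esac
}

# audit_postfix_ciphers FILE: print one verdict line per parameter.
audit_postfix_ciphers() {
    for p in $CIPHER_PARAMS; do
        v=$(postfix_param "$1" "$p")
        if [ -z "$v" ]; then
            # The note above warns that the Postfix default of the time
            # permitted lower grades, so an unset parameter deserves review.
            echo "REVIEW  $p not set (Postfix default applies)"
        elif grade_is_weak "$v"; then
            echo "WEAK    $p = $v  (raise to medium or stronger)"
        else
            echo "ok      $p = $v"
        fi
    done
}

# count_weak_ciphers FILE: print how many parameters are set to a weak grade.
count_weak_ciphers() {
    audit_postfix_ciphers "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# write_weak_main_cf PATH: constructed sample resembling a pre-hardening MTA
# (demo data, not any real server's configuration).
write_weak_main_cf() {
    cat > "$1" <<'EOF'
# constructed sample, before hardening
smtpd_tls_security_level = may
smtpd_tls_ciphers = export
smtpd_tls_mandatory_ciphers = medium
smtp_tls_ciphers = low
EOF
}

# write_hardened_main_cf PATH: the same sample with every grade raised to at
# least 'medium', as the note above recommends.
write_hardened_main_cf() {
    cat > "$1" <<'EOF'
# constructed sample, after hardening
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
EOF
}

# Demonstration on the constructed samples.
demo=${TMPDIR:-/tmp}/postfix-cipher-audit.$$
write_weak_main_cf "$demo"
echo "--- before hardening: $(count_weak_ciphers "$demo") weak setting(s) ---"
audit_postfix_ciphers "$demo"
write_hardened_main_cf "$demo"
echo "--- after hardening: $(count_weak_ciphers "$demo") weak setting(s) ---"
audit_postfix_ciphers "$demo"
rm -f "$demo"
```

On a real MTA, run audit_postfix_ciphers against the live main.cf (or against the output of postconf -n saved to a file) rather than the samples.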
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that gives a malicious actor a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (READ: weak encryption). [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit encryption, the maximum allowed under the U.S. export controls in place during the 1990s. The Washington Post piece goes on to say that 512-bit encryption can be cracked today in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep running stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. While Linux does not usually require a restart, one is recommended to ensure that all underlying software services are running the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS, nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so you need to upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and been actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following. As root:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>Then, as user zimbra:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) As root, download the appropriate openssl build into /tmp (<span style="font-family: courier new,courier;">cd /tmp</span>), using wget with the correct version from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>Steps 2 to 4, as root:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /opt/zimbra<br />
mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>Steps 5 and 6, as user zimbra:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version (look for "8.0.3"):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>Please use the test methods below to confirm.</p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
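<p>The following POSIX shell script is an added example (not Zimbra's own tooling) that makes tests 2 and 3 above scriptable for running across many nodes: it parses a "zmcontrol -v" release line for the 8.0.7 build number and checks a libssl file for the dtls1_heartbeat symbol name. The function names are assumptions of this example, and the two sample library files it writes are constructed for the demonstration; on a real node point it at /opt/zimbra/openssl/lib/libssl.so.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: scriptable versions of Heartbleed
# tests 2 and 3 above. Function exit statuses: 0 = fixed / not vulnerable,
# 1 = vulnerable / needs the patch, 2 = cannot decide from the input.

# zcs_build_fixed RELEASE_LINE: read a "zmcontrol -v" line such as
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.
# and apply the rule above: only ZCS 8.0.7 build 6021 or later ships the
# fixed OpenSSL; 8.0.3 through 8.0.7 with lower builds still need the patch.
zcs_build_fixed() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^Release \([0-9][0-9.]*\)_GA_\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$parsed" ] || return 2          # not a zmcontrol -v release line
    ver=${parsed% *}
    build=${parsed#* }
    case "$ver" in
        8.0.7)
            if [ "$build" -ge 6021 ]; then return 0; else return 1; fi ;;
        8.0.3|8.0.4|8.0.5|8.0.6)
            return 1 ;;                   # always needs the OpenSSL patch
        *)
            return 2 ;;                   # outside the versions covered above
    esac
}

# libssl_has_heartbeat LIBSSL: succeed if the library contains the
# dtls1_heartbeat symbol name, i.e. it was built with TLS heartbeat support
# (the "Vulnerable" output of test 3). grep -a stands in for strings(1) so
# the check does not depend on binutils being installed.
libssl_has_heartbeat() {
    [ -r "$1" ] || return 2
    grep -a -q 'dtls1_heartbeat' "$1"
}

# heartbleed_verdict RELEASE_LINE LIBSSL: print vulnerable, patched or unknown.
# The library check is preferred because it works on every ZCS version; the
# build-number rule is the fallback when the library cannot be read.
heartbleed_verdict() {
    if libssl_has_heartbeat "$2"; then lib_rc=0; else lib_rc=$?; fi
    if zcs_build_fixed "$1"; then build_rc=0; else build_rc=$?; fi
    if [ "$lib_rc" -eq 0 ]; then
        echo vulnerable      # heartbeat code present in libssl
    elif [ "$lib_rc" -eq 1 ]; then
        echo patched         # symbol absent: built without heartbeat
    elif [ "$build_rc" -eq 0 ]; then
        echo patched         # no library to inspect, but 8.0.7 build >= 6021
    elif [ "$build_rc" -eq 1 ]; then
        echo vulnerable      # no library to inspect, build known to need patch
    else
        echo unknown
    fi
}

# write_sample_lib PATH with|without: constructed stand-ins for libssl.so,
# one carrying the symbol name and one without (demo data only).
write_sample_lib() {
    if [ "$2" = with ]; then
        printf 'ssl3_read_bytes\ndtls1_heartbeat\nssl3_write\n' > "$1"
    else
        printf 'ssl3_read_bytes\nssl3_write\n' > "$1"
    fi
}

# Demonstration on constructed input. The 6021 line is the one shown above;
# the 6020 line is constructed, with a placeholder where the timestamp goes.
fixed_line='Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.'
old_line='Release 8.0.7_GA_6020.RHEL6_64_TIMESTAMP RHEL6_64 NETWORK edition.'
demo=${TMPDIR:-/tmp}/libssl-heartbleed-demo.$$
write_sample_lib "$demo" with
echo "library with heartbeat, build 6021: $(heartbleed_verdict "$fixed_line" "$demo")"
write_sample_lib "$demo" without
echo "library without heartbeat, build 6020: $(heartbleed_verdict "$old_line" "$demo")"
rm -f "$demo"
# On a live node (as the zimbra user):
#   heartbleed_verdict "$(zmcontrol -v)" /opt/zimbra/openssl/lib/libssl.so
```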
<p>Please let Zimbra know promptly about any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and install bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66180
Security Center
2019-03-04T22:00:41Z
<p>Plobbes: bug 109097 fixed in 8.7.11 Patch9, 8.8.10 Patch7, 8.8.11 Patch3</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 9, 8.8.10 Patch 7 and 8.8.11 Patch 3 released</h4><br />
<div class="row"><br />
<p class="text-justify"> ZCS<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P9 8.7.11 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P7 8.8.10 Patch 7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P3 8.8.11 Patch 3]<br />
were released on March 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109097 Bug 109097] - Insecure object deserialization ([https://cwe.mitre.org/data/definitions/502.html CWE-502])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for a XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786] and Mailsploit-related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: this disables all ZCS-controlled keyboard shortcuts, which may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
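<p class="text-justify">Both this post and the ZCS 8.6.0 Patch9 post above tell administrators to set a zimbraPref* attribute to FALSE "for all users/classes-of-service" without showing how. The script below is an added example (not Zimbra's code and not from this page) that does it with zmprov, using only real zmprov subcommands: <code>gac</code> (getAllCos), <code>-l gaa</code> (getAllAccounts, read straight from LDAP), <code>mc</code> (modifyCos) and <code>ma</code> (modifyAccount). The ZMPROV path and the DRY_RUN switch are assumptions of the example. The practitioner's caveat it encodes: in Zimbra an account-level attribute value overrides the COS value, so a COS change leaves users who already toggled the preference themselves untouched; the <code>account</code> scope covers them, though, as the post says, end users can still change the preference back in the client.</p><br />

```shell
#!/bin/sh
# Added example, not from the Zimbra page: push a zimbraPref* workaround
# (zimbraPrefShortEmailAddress for Mailsploit, zimbraPrefUseKeyboardShortcuts for the
# CVE-2017-8802 / CVE-2017-17703 XSS issues) to every class of service or every account.
# Subcommands are real zmprov ones: gac, -l gaa, mc, ma. Assumptions: run as the zimbra
# user; ZMPROV path; DRY_RUN=1 prints the batch instead of feeding it to zmprov.
ZMPROV=${ZMPROV:-/opt/zimbra/bin/zmprov}

# Emit one zmprov batch line per target, e.g. "mc default zimbraPrefShortEmailAddress FALSE".
# zmprov reads such lines from stdin, so the batch can be applied in a single JVM start.
build_batch() { # scope(cos|account) attr value target...
  local scope=$1 attr=$2 value=$3 cmd target
  shift 3
  case $scope in
    cos)     cmd=mc ;;
    account) cmd=ma ;;
    *)       return 2 ;;
  esac
  for target in "$@"; do
    printf '%s %s %s %s\n' "$cmd" "$target" "$attr" "$value"
  done
}

# Apply one preference everywhere in the chosen scope. Account-level values override COS
# values, so scope=cos does not change users who already set the preference themselves;
# use scope=account when the workaround must reach them too.
apply_pref() { # scope attr value
  local targets batch
  case $1 in
    cos)     targets=$("$ZMPROV" gac) || return 1 ;;
    account) targets=$("$ZMPROV" -l gaa) || return 1 ;;
    *)       return 2 ;;
  esac
  batch=$(build_batch "$1" "$2" "$3" $targets) || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$batch"
  else
    printf '%s\n' "$batch" | "$ZMPROV"
  fi
}

# e.g.  DRY_RUN=1 apply_pref cos zimbraPrefShortEmailAddress FALSE
#       apply_pref cos zimbraPrefUseKeyboardShortcuts FALSE
```

<p class="text-justify">Run it once with DRY_RUN=1 and keep the printed batch with the change ticket; it is the exact list of COS or account modifications that will be made and doubles as the rollback plan (the same lines with TRUE).</p><br />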
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ the third-party packages included with ZCS can be patched easily via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privileges):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
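<p class="text-justify">The following shell script is an added example (not part of the original post and not ZCS code) that verifies all three parts of this workaround are in place. It takes the .bash_profile path, the sudoers path and the output of zmlocalconfig as arguments so it can be run against copies or fixtures; the exact "key = value" output format of zmlocalconfig, and the assumption that sudoers is a single file rather than /etc/sudoers.d fragments, are assumptions. It also decodes which CPUID capability bits the mask value clears.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): check that the three parts of the
# CVE-2016-2107 workaround are all present. On a live server, as root:
#   check_workaround /opt/zimbra/.bash_profile /etc/sudoers \
#       "$(su - zimbra -c 'zmlocalconfig postfix_import_environment')"

MASK_VALUE='0x200000200000000'
MASK_LINE="export OPENSSL_ia32cap=\"~$MASK_VALUE\""
SUDOERS_LINE='Defaults env_keep += "OPENSSL_ia32cap"'

# Decode what the mask does. A leading "~" in OPENSSL_ia32cap tells OpenSSL
# to clear those bits from the detected CPUID capabilities; in the 64-bit
# word the low 32 bits are CPUID(1).EDX and the high 32 bits CPUID(1).ECX.
# 0x200000200000000 has bit 57 (ECX bit 25 = AES-NI) and bit 33 (ECX bit 1 =
# PCLMULQDQ) set, so OpenSSL stops using the AES-NI CBC/MAC code path that
# contains the padding oracle. Prints one feature name per cleared bit.
mask_clears() {
    bits=$(( $1 ))
    [ $(( (bits >> 57) & 1 )) -eq 1 ] && echo "AES-NI"
    [ $(( (bits >> 33) & 1 )) -eq 1 ] && echo "PCLMULQDQ"
    return 0
}

# True when FILE ($1) contains WANTED ($2) as a whole line; leading blanks
# are ignored and commented-out copies do not count.
has_line() {
    sed 's/^[[:space:]]*//' "$1" 2>/dev/null | grep -v '^#' | grep -Fxq "$2"
}

# True when the zmlocalconfig output ("postfix_import_environment = A,B" or
# just the bare value) lists OPENSSL_ia32cap. Postfix accepts whitespace or
# comma separated names.
lc_imports_var() {
    value=${1#*=}
    for name in $(printf '%s' "$value" | tr ',' ' '); do
        [ "$name" = "OPENSSL_ia32cap" ] && return 0
    done
    return 1
}

# Reports each part of the workaround; returns 0 only when all three are set.
check_workaround() {
    profile=$1; sudoers=$2; lcout=$3; status=0
    if has_line "$profile" "$MASK_LINE"; then
        echo "ok       $profile exports the mask (clears: $(mask_clears "$MASK_VALUE" | tr '\n' ' '))"
    else
        echo "MISSING  $profile: $MASK_LINE"; status=1
    fi
    if has_line "$sudoers" "$SUDOERS_LINE"; then
        echo "ok       $sudoers keeps OPENSSL_ia32cap across sudo"
    else
        echo "MISSING  $sudoers: $SUDOERS_LINE"; status=1
    fi
    if lc_imports_var "$lcout"; then
        echo "ok       postfix_import_environment passes OPENSSL_ia32cap to Postfix"
    else
        echo "MISSING  zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'"; status=1
    fi
    return $status
}

# Run the check directly only when all three arguments were supplied.
if [ "$#" -eq 3 ]; then
    check_workaround "$@"
fi
```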
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects the following OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o only.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower-grade ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
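<p class="text-justify">As an added example (not from the original post and not Zimbra's own tooling), the following shell function audits the Postfix cipher-grade parameters from postconf-style "name = value" output and flags the 'export' and 'low' grades discussed above. The sample input is constructed; the set of parameters checked, and the assumption that the ZCS-bundled postconf is on the PATH of the zimbra user, are assumptions.</p><br />

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): flag Postfix TLS cipher grades
# below 'medium'. Live use, as the zimbra user:
#   sh audit_ciphers.sh --live

# Postfix cipher grades from weakest to strongest; unknown tokens rank as -1
# so that a typo or an unexpected value is reported rather than passed.
grade_rank() {
    case "$1" in
        null)   printf '%s\n' 0 ;;
        export) printf '%s\n' 1 ;;
        low)    printf '%s\n' 2 ;;
        medium) printf '%s\n' 3 ;;
        high)   printf '%s\n' 4 ;;
        *)      printf '%s\n' -1 ;;
    esac
}

# Lowest acceptable grade per the recommendation above.
MIN_GRADE=medium

# Reads "name = value" lines on stdin (the format postconf prints), considers
# only the *_tls_ciphers and *_tls_mandatory_ciphers parameters, prints one
# line per parameter and returns 1 if any grade is below MIN_GRADE.
audit_tls_ciphers() {
    rc=0
    min=$(grade_rank "$MIN_GRADE")
    while IFS= read -r line; do
        case "$line" in
            *_tls_ciphers*=*|*_tls_mandatory_ciphers*=*) ;;
            *) continue ;;
        esac
        name=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        rank=$(grade_rank "$value")
        if [ "$rank" -lt "$min" ]; then
            # export/low grades are the suites that downgrade attacks such as
            # FREAK and Logjam rely on a server still accepting.
            echo "WEAK  $name = $value (below $MIN_GRADE)"
            rc=1
        else
            echo "ok    $name = $value"
        fi
    done
    return $rc
}

# Audit the running configuration when invoked with --live.
if [ "$#" -eq 1 ] && [ "$1" = "--live" ]; then
    postconf smtpd_tls_ciphers smtpd_tls_mandatory_ciphers \
             smtp_tls_ciphers smtp_tls_mandatory_ciphers | audit_tls_ciphers
fi
```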
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export grade encryption (READ: weak encryption). [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ According to the Washington Post], the connection is downgraded to 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say it is possible to crack 512-bit encryption, today, in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found the servers not susceptible to the FREAK attack. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time was not categorized as a security issue, leading many to keep running older stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. While Linux does not usually require a restart after updates, one is recommended here to ensure all running services are using the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for ZCS versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol<br />
restart<br />
</pre><br />
<p>Then switch to the zimbra user and restart:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root), choosing the correct version from the list below:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget [URL of the correct openssl tarball from the list below]<br />
</pre><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p><br />(as root)<br /><span style="font-family: courier new,courier;">2) cd /opt/zimbra</span><br /><span style="font-family: courier new,courier;">3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart</span><br /><span style="font-family: courier new,courier;">4) tar xfz /tmp/openssl-NEWVERSION.tgz</span><br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">5) su - zimbra</span><br /><span style="font-family: courier new,courier;">6) zmcontrol restart</span></p><br />
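<p>The manual procedure above leaves the md5 check and the backup/extract steps to the operator. The POSIX shell script below is an added example, not Zimbra's zmopenssl-updater.sh or any other Zimbra code: it verifies a downloaded openssl tarball against its .md5sum file (assumed to be in md5sum(1)'s "digest  filename" format) and only then moves the old tree aside with the .brokenheart suffix and extracts the new one. The function names, the ZIMBRA_HOME and OLD_DIR arguments, and the md5 fallback for BSD systems are assumptions made for illustration.</p><br />

```shell
#!/bin/sh
# Added example for the manual Heartbleed patch steps; this is not
# Zimbra's zmopenssl-updater.sh. Function names and arguments are assumptions.

# md5_of FILE: print the hex MD5 digest of FILE (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 TARBALL MD5FILE: exit 0 only when the digest recorded in MD5FILE
# (assumed to be md5sum(1) output, "<digest>  <filename>") matches TARBALL.
verify_md5() {
    tarball="$1"
    md5file="$2"
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 1
    expected=$(awk 'NR == 1 { print $1 }' "$md5file")
    actual=$(md5_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# install_openssl TARBALL MD5FILE ZIMBRA_HOME OLD_DIR
# Mirrors steps 2-4 of the manual procedure: verify, move the old openssl
# tree aside with the .brokenheart suffix, extract the new tree into
# ZIMBRA_HOME (/opt/zimbra on a real server). Nothing is touched unless the
# digest matches, and an existing .brokenheart backup is never overwritten.
install_openssl() {
    tarball="$1"
    md5file="$2"
    zhome="$3"
    olddir="$4"
    if ! verify_md5 "$tarball" "$md5file"; then
        echo "refusing to install: MD5 of $tarball does not match $md5file" >&2
        return 1
    fi
    if [ -e "$zhome/$olddir.brokenheart" ]; then
        echo "refusing to install: $zhome/$olddir.brokenheart already exists" >&2
        return 1
    fi
    if [ -d "$zhome/$olddir" ]; then
        mv "$zhome/$olddir" "$zhome/$olddir.brokenheart" || return 1
    fi
    tar -xzf "$tarball" -C "$zhome"
}
```

<p>As root, after fetching the tarball and its .md5sum into /tmp: <span style="font-family: courier new,courier;">install_openssl /tmp/openssl-NEWVERSION.tgz /tmp/openssl-NEWVERSION.tgz.md5sum /opt/zimbra openssl-OLDVERSION</span>, then <span style="font-family: courier new,courier;">su - zimbra</span> and <span style="font-family: courier new,courier;">zmcontrol restart</span> as in steps 5 and 6. Because the .md5sum file is served from the same plain-http location as the tarball, this check catches a truncated or corrupted download but cannot detect a tampered mirror; use an https download path where one is offered.</p><br />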
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and the Open-Source Edition - has been rebuilt to include the fix for the OpenSSL Heartbleed vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:<br /><br /><span style="font-family: courier new,courier;"># su - zimbra</span><br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br /><span style="font-family: courier new,courier;">Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.</span><br /><br />3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat:<br /><br /><strong>Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span><br /><br /><strong>Not Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span></p><br />
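<p>The checks above are easy to script across a fleet. The POSIX shell functions below are an added example and not part of the Zimbra post: one extracts the build number from a zmcontrol -v release line and decides whether an 8.0.7 install is at build 6021 or later, another reproduces the strings | grep test for the dtls1_heartbeat symbol, and a third combines them into a verdict. The function names are assumptions; the release-line format is the sample zmcontrol -v output shown above, and the fallback to grep -a where strings(1) is not installed is an assumption as well.</p><br />

```shell
#!/bin/sh
# Added example for the Heartbleed checks described in the post; not part of
# the Zimbra post. Function names are assumptions; the release-line format is
# the zmcontrol -v output shown in the post.

# build_number RELEASE_LINE: print the build number from a zmcontrol -v line,
# e.g. "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition." -> 6021
build_number() {
    printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9][0-9]*\)\..*/\1/p'
}

# zcs807_rebuilt RELEASE_LINE: exit 0 when the line is an 8.0.7 build at or
# after 6021, the rebuilt release that ships the fixed OpenSSL. Any other
# version (or an unparseable line) exits 1, i.e. the build number alone
# cannot vouch for it.
zcs807_rebuilt() {
    case "$1" in
        "Release 8.0.7_GA_"*) ;;
        *) return 1 ;;
    esac
    b=$(build_number "$1")
    [ -n "$b" ] && [ "$b" -ge 6021 ]
}

# libssl_has_heartbeat LIBSSL: exit 0 when the dtls1_heartbeat symbol name is
# present in the shared library (a vulnerable build), 1 when it is absent.
# Uses strings(1) like the post; falls back to grep -a where binutils is absent.
libssl_has_heartbeat() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" | grep -q 'dtls1_heartbeat'
    else
        grep -aq 'dtls1_heartbeat' "$1"
    fi
}

# heartbleed_verdict RELEASE_LINE LIBSSL: print "vulnerable" (exit 1) or
# "not-vulnerable" (exit 0). The library check is authoritative for every
# release, as the post states; the build-number check is only reported as
# context for 8.0.7 installs.
heartbleed_verdict() {
    if libssl_has_heartbeat "$2"; then
        echo "vulnerable"
        return 1
    fi
    if zcs807_rebuilt "$1"; then
        echo "8.0.7 build $(build_number "$1") detected" >&2
    fi
    echo "not-vulnerable"
}
```

<p>On each host, as the zimbra user: <span style="font-family: courier new,courier;">heartbleed_verdict "$(zmcontrol -v)" /opt/zimbra/openssl/lib/libssl.so</span>. A non-zero exit status means the heartbeat symbol was found in the library, which is the condition the post calls Vulnerable regardless of release.</p><br />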
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 (Dec 2013) is an XXE vulnerability which, among other things, could be abused to disclose information from local files:</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and to install bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66179
Zimbra Security Advisories
2019-03-04T21:35:07Z
<p>Plobbes: bug 109097 fixed in 8.7.11 Patch9, 8.8.10 Patch7, 8.8.11 Patch3</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<!--<br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
--><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch9 <br /> 8.8.10 Patch7 <br /> 8.8.11 Patch3</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66154
Zimbra Security Center Acknowledgements
2019-02-26T22:13:12Z
<p>Plobbes: Updates for Jan/Feb 2019</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2019</th></tr><br />
<br />
<tr><br />
<td>'''Mohammed Israil'''</td><br />
<td>https://twitter.com/mdisrail2468</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br>https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66124
Security Center
2019-02-01T21:06:46Z
<p>Plobbes: ZCS 8.7.11 Patch 8</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch 8 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P8 ZCS 8.7.11 Patch 8]<br />
was released February 1, 2019. The release includes security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> February 1, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE-79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE-79]). Please note that there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for a XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test whether you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
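<p class="text-justify">The three steps above, as an added example that is not part of this wiki page or of ZCS: a small POSIX shell script that applies steps 1 and 2 idempotently to explicitly named files (so it can be rehearsed on copies before touching /opt/zimbra/.bash_profile and /etc/sudoers), checks that both settings are present, and decodes which CPU feature bits the OPENSSL_ia32cap mask clears. File paths are parameters; the zmlocalconfig step is left to the instructions above.</p><br />

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: apply the CVE-2016-2107
# workaround above idempotently to explicitly named files, so it can be
# rehearsed on copies before touching /opt/zimbra/.bash_profile and
# /etc/sudoers (which should be edited via visudo on a real host).
# File paths are parameters; the zmlocalconfig step is not performed here.

WORKAROUND_COMMENT='# workaround CVE-2016-2107'
WORKAROUND_EXPORT='export OPENSSL_ia32cap="~0x200000200000000"'
WORKAROUND_SUDO='Defaults env_keep += "OPENSSL_ia32cap"'

# ensure_line FILE LINE: append LINE to FILE unless an identical line already
# exists, so re-running the workaround never duplicates entries.
ensure_line() {
    if grep -qxF -- "$2" "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# apply_workaround BASH_PROFILE SUDOERS: steps 1 and 2 of the workaround.
apply_workaround() {
    ensure_line "$1" "$WORKAROUND_COMMENT"
    ensure_line "$1" "$WORKAROUND_EXPORT"
    ensure_line "$2" "$WORKAROUND_SUDO"
}

# check_workaround BASH_PROFILE SUDOERS: succeed only if both settings are in place.
check_workaround() {
    grep -qxF -- "$WORKAROUND_EXPORT" "$1" 2>/dev/null &&
        grep -qxF -- "$WORKAROUND_SUDO" "$2" 2>/dev/null
}

# decode_ia32cap_mask MASK: name the CPUID feature bits that a '~'-prefixed
# OPENSSL_ia32cap mask clears. OpenSSL's first capability word holds
# CPUID.1:EDX in bits 0-31 and CPUID.1:ECX in bits 32-63; ECX bit 1 is
# PCLMULQDQ (vector bit 33) and ECX bit 25 is AES-NI (vector bit 57), which
# is why the mask above disables the AES-NI code path that CVE-2016-2107 hits.
decode_ia32cap_mask() {
    mask=${1#"~"}                 # drop the "clear these bits" prefix
    value=$(( $mask ))            # hex constant -> integer
    out=""
    if [ $(( (value >> 33) & 1 )) -eq 1 ]; then out="${out}PCLMULQDQ "; fi
    if [ $(( (value >> 57) & 1 )) -eq 1 ]; then out="${out}AES-NI "; fi
    printf '%s\n' "${out% }"
}
```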
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, but this issue affects the following OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o only.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically to possible setting changes depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication channels instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
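<p class="text-justify">As an added example that is not part of this wiki page or of ZCS: a POSIX shell audit of a Postfix main.cf-style file for the cipher grades the note above says to avoid ('export' and 'low'), with the weak setting and the corrected 'medium' setting side by side. The main.cf fragment is constructed here; on ZCS the Postfix settings are managed through Zimbra's own configuration tools rather than by editing main.cf by hand, so this is a read-only check.</p><br />

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: audit a Postfix main.cf-style file
# for the cipher grades the Logjam note says to avoid ('export' and 'low').
# The sample main.cf is constructed below; on ZCS, Postfix settings are
# managed through Zimbra's own config tools, so treat this as a read-only
# check rather than the way to change the value on a live server.

# cipher_grade FILE PARAM: print PARAM's configured value (the last setting
# wins, as in Postfix), or nothing if the file does not set it.
cipher_grade() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_postfix_ciphers FILE: report each TLS cipher-grade parameter and fail
# if any explicitly configured grade is 'export' or 'low'. Unset parameters
# are reported as such, since whatever Postfix's built-in default is applies.
audit_postfix_ciphers() {
    rc=0
    for p in smtp_tls_ciphers smtp_tls_mandatory_ciphers \
             smtpd_tls_ciphers smtpd_tls_mandatory_ciphers; do
        g=$(cipher_grade "$1" "$p")
        case "$g" in
            export|low) printf '%s = %s  WEAK (downgrade target)\n' "$p" "$g"; rc=1 ;;
            '')         printf '%s unset (Postfix default applies)\n' "$p" ;;
            *)          printf '%s = %s  ok\n' "$p" "$g" ;;
        esac
    done
    return $rc
}

# write_sample FILE WEAK: constructed main.cf fragment. With WEAK=1,
# opportunistic outbound TLS still permits export-grade ciphers (the weak
# setting); otherwise the grade is raised to medium (the corrected setting).
write_sample() {
    if [ "$2" -eq 1 ]; then grade=export; else grade=medium; fi
    cat > "$1" <<EOF
# constructed main.cf fragment (not a real ZCS configuration)
smtp_tls_security_level = may
smtp_tls_ciphers = $grade
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
EOF
}
```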
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], means 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say it is possible to crack 512-bit encryption, today, in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library (glibc).</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep their stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. Although Linux does not usually require a restart, one is recommended here to ensure that all underlying software services are running against the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<ul><br />
<li>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git</li><br />
<li>[http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]</li><br />
<li>[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]</li><br />
<li>[https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]</li><br />
<li>[http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]</li><br />
<li>[http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</li><br />
</ul><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team has just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and a vulnerable server. It is also important to note that Zimbra does not use DTLS, nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct patched build of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.</p><br />
<p class="text-justify">Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.</p><br />
<p class="text-justify">The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Please note: this vulnerability is being reported as having existed, and been actively attacked, since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you will need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you will need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
</pre><br />
<p>Then wget the correct version from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>(look for "8.0.3")</p><br />
<p>Please use the test methods below to confirm.</p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with the dtls1_heartbeat function:</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
<p>Please let Zimbra know promptly if you have any problems or questions.</p><br />
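<p>The script below is an added example, not Zimbra's tooling and not part of the original advisory. It combines the <code>openssl version</code> check from the CCS Injection post above with test method 3 here (the dtls1_heartbeat symbol) and prints one verdict, handling the case the advisories raise: a Zimbra-patched 1.0.1d/e/f build still reports its old version string, so only the symbol check decides. It assumes the Zimbra openssl binary is at /opt/zimbra/openssl/bin/openssl (an assumption; it falls back to the openssl on PATH); the libssl path is the one named in this advisory.</p><br />

```sh
#!/bin/sh
# Added example, not Zimbra's own tooling. Combines the two checks the
# advisory describes into one script for the OpenSSL bundled in /opt/zimbra.
#
# Assumption (not from the advisory): the Zimbra openssl binary lives at
# /opt/zimbra/openssl/bin/openssl; if it does not, the one on PATH is used.
# The libssl path and the dtls1_heartbeat test are taken from the advisory.

# Classify an "openssl version" line for CVE-2014-0160.
# Upstream 1.0.1 through 1.0.1f carry the heartbeat bug; 1.0.1g fixed it,
# and 0.9.8 / 1.0.0 never had the heartbeat code. Zimbra's patched builds
# keep the old version number (the tarballs are still openssl-1.0.1d/e/f),
# so "suspect" only means "confirm with the symbol check".
heartbleed_version_class() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        0.9.8*|1.0.0*)                 echo unaffected ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*)     echo suspect ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo fixed ;;
        *)                             echo unknown ;;
    esac
}

# Return 0 if the library still contains the dtls1_heartbeat symbol
# (heartbeat compiled in), 1 if it does not, 2 if the file is unreadable.
# grep -q on the file finds the same string that the advisory's
# "strings ... | grep dtls1_heartbeat" prints.
libssl_has_heartbeat() {
    lib=$1
    [ -r "$lib" ] || { echo "cannot read $lib" >&2; return 2; }
    grep -q dtls1_heartbeat "$lib"
}

# Combine the version class and symbol presence (yes|no) into a verdict.
# Order matters: an upstream 1.0.1g+ build still exports dtls1_heartbeat
# but is bounds-checked, so "fixed" wins over the symbol being present.
heartbleed_verdict() {
    class=$(heartbleed_version_class "$1")
    case "$class:$2" in
        unaffected:*) echo "not vulnerable: pre-1.0.1 OpenSSL, no heartbeat code" ;;
        fixed:*)      echo "not vulnerable: fixed OpenSSL release" ;;
        suspect:yes)  echo "VULNERABLE: heartbeat-enabled OpenSSL 1.0.1 build" ;;
        suspect:no)   echo "not vulnerable: 1.0.1 build with heartbeat compiled out" ;;
        *)            echo "unknown: inspect manually" ;;
    esac
}

# Run both checks against the live system; exit 1 on a vulnerable result
# so the script can be driven from cron or a configuration-management check.
check_zimbra_openssl() {
    lib=${1:-/opt/zimbra/openssl/lib/libssl.so}
    bin=/opt/zimbra/openssl/bin/openssl      # assumed path, see above
    [ -x "$bin" ] || bin=openssl
    verline=$("$bin" version 2>/dev/null || true)
    rc=0
    libssl_has_heartbeat "$lib" || rc=$?
    case $rc in
        0) sym=yes ;;
        1) sym=no ;;
        *) echo "unknown: cannot read $lib"; return 2 ;;
    esac
    verdict=$(heartbleed_verdict "$verline" "$sym")
    echo "$verline -> $verdict"
    case "$verdict" in VULNERABLE*) return 1 ;; esac
    return 0
}

# Usage: sh heartbleed-check.sh --check [/path/to/libssl.so]
if [ "${1:-}" = "--check" ]; then
    check_zimbra_openssl "${2:-}"
fi
```

<p>Run it as the zimbra user (or any user that can read the library) with <code>--check</code>; a non-zero exit means the heartbeat-enabled 1.0.1 build is still in place. Note the ordering in the verdict: the advisory's "no output from grep" test is specific to Zimbra's builds, which compile the heartbeat extension out entirely, whereas a stock 1.0.1g or later library keeps the symbol and is still safe.</p><br />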
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 (Dec 2013) is an XXE vulnerability which, among other things, could be abused to disclose information from local files:</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload and install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
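<p>Added example (not Zimbra's own code): a parser for the <code>zmcontrol -v</code> release line shown in the Heartbleed advisory above that reports which of the advisories on this page apply to a given release. The thresholds are the affected-version ranges stated in this post and the 8.0.7 build-number cut-off (6021) from the Heartbleed post; the format of the release line is assumed to be the same for 7.x as for the 8.0.7 line quoted there. The caveat stated in both posts applies: a hot-patched 8.0.x/7.2.x server keeps its old version string, so a flag means "verify the patch was applied", not "definitely exposed".</p><br />

```sh
#!/bin/sh
# Added example, not Zimbra's own tooling. Parses the "zmcontrol -v" release
# line quoted in the Heartbleed advisory and reports which of the advisories
# on this page still apply to that release. Thresholds come from the posts:
#   CVE-2013-7091 (Bug 80338, LFI): 7.2.2 / 8.0.2 and all earlier releases
#   CVE-2013-7217 (Bug 84547, XXE): before 7.2.6 (7 series) / 8.0.6 (8 series)
#   CVE-2014-0160 (Heartbleed):     ZCS 8.0.7 builds before 6021
# Caveat: a hot-patched server keeps its old version string, so a flag here
# means "verify the patch was applied", not "definitely exposed". For 8.0.3
# to 8.0.6 the Heartbleed state can only be decided by the libssl symbol test
# in that advisory, so it is not reported from the version alone.
# Assumption: 7.x release lines use the same layout as the quoted 8.0.7 one.

# "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 ..." -> "8.0.7 6021"
parse_zmcontrol_release() {
    printf '%s\n' "$1" |
        sed -n 's/^Release \([0-9][0-9.]*\)_[A-Z]*_\([0-9][0-9]*\).*/\1 \2/p'
}

# True if dotted version $1 sorts strictly before $2 (numeric per component,
# so 8.0.10 is correctly newer than 8.0.9).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Print the space-separated list of applicable advisories, or "clean".
release_findings() {
    line=$1
    set -- $(parse_zmcontrol_release "$line")
    ver=$1; build=$2
    [ -n "$ver" ] || { echo "unparsed: $line" >&2; return 1; }
    f=""
    case "$ver" in
        8.*)
            version_lt "$ver" 8.0.3 && f="$f CVE-2013-7091"
            version_lt "$ver" 8.0.6 && f="$f CVE-2013-7217"
            if [ "$ver" = 8.0.7 ] && [ "$build" -lt 6021 ]; then
                f="$f CVE-2014-0160(build<6021)"
            fi ;;
        7.*)
            version_lt "$ver" 7.2.3 && f="$f CVE-2013-7091"
            version_lt "$ver" 7.2.6 && f="$f CVE-2013-7217" ;;
        *)
            # Older major releases predate every fix listed above.
            f="$f pre-7.x-release:upgrade" ;;
    esac
    if [ -n "$f" ]; then echo "${f# }"; else echo clean; fi
}

# Usage: sh zcs-release-check.sh "$(su - zimbra -c 'zmcontrol -v')"
if [ -n "${1:-}" ]; then
    release_findings "$1"
fi
```

<p>The version comparison deliberately avoids string comparison, which would rank 8.0.10 below 8.0.9; piping both versions through a numeric <code>sort</code> keyed on each dotted component is the portable way to do this in POSIX sh. Because the 8.0.7 fix for Heartbleed is identified only by build number, the parser keeps the build as a second field rather than discarding it.</p><br />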
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check the status of your open tickets. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66117
Zimbra Security Advisories
2019-02-01T01:48:02Z
<p>Plobbes: 8.7.11 Patch8 being released with fixes for bugs 109093 and 109017</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration software. To get the latest release and patches, please update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<!--<br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
--><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch8 <br /> 8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/AU:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade to OpenSSL 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66109
Zimbra Security Advisories
2019-01-28T21:21:10Z
<p>Plobbes: staging of bug 109097 / CVE-2019-6980 and bug 109096 / CVE-2019-6981</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following security vulnerabilities have been fixed in recent releases of Zimbra Collaboration. To get the latest release and patches, update your Zimbra Collaboration servers with the software available on our download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<!--<br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109096 109096]</td><br />
<td>Blind SSRF [https://cwe.mitre.org/data/definitions/918.html CWE-918]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6981 CVE-2019-6981]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:P/I:N/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109097 109097]</td><br />
<td>Insecure object deserialization [https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2019-6980 CVE-2019-6980]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td> - </td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
--><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66098
Security Center
2019-01-04T18:01:16Z
<p>Plobbes: 8.8.11 Patch1 includes fix for bug 109093</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security related FAQ and links to version specific security related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 and 8.8.11 Patch 1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9],<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11/P1 ZCS 8.8.11 Patch 1]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
<ul><li>Note: this fix is already in the ZCS 8.8.11 release</li></ul><br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and for Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b> which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts would have the side effect of disabling all ZCS controlled keyboard shortcuts and this may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third-party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test whether you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile<br />
- add the following to the end of user zimbra's .bash_profile (requires root privs):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
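<p class="text-justify">The following script is an added example and is not part of the original post or of ZCS; it checks that each of the three workaround settings above is actually in place on a node (the profile export, the sudoers env_keep entry and postfix_import_environment). The default file paths are the ones named above, and the localconfig check takes the text printed by zmlocalconfig as its argument, so every check can also be run against a saved copy.</p><br />

```shell
#!/bin/sh
# Added example, not part of the original post or of ZCS: checks whether the
# three settings of the CVE-2016-2107 AES-NI workaround are in place.
# Assumptions: default paths are the ones named in the post; the localconfig
# check is given the text that `zmlocalconfig postfix_import_environment`
# prints ("key = value"), so it can also be run on a saved copy.

# The mask from the post. In OPENSSL_ia32cap a leading "~" means "clear these
# capability bits"; this value clears the AES-NI and PCLMULQDQ bits, so the
# affected AES-NI CBC code path is no longer selected.
WORKAROUND_MASK='~0x200000200000000'

# 1) zimbra's profile must export the variable with exactly this mask.
profile_has_workaround() {
    profile="${1:-/opt/zimbra/.bash_profile}"
    [ -r "$profile" ] || return 1
    pat="^[[:space:]]*export[[:space:]]+OPENSSL_ia32cap=\"?${WORKAROUND_MASK}\"?[[:space:]]*\$"
    grep -Eq "$pat" "$profile"
}

# 2) sudoers must keep the variable across the sudo calls ZCS makes when the
#    zimbra user starts privileged services, or those processes lose it.
#    A commented-out line (leading '#') deliberately does not count.
sudoers_keeps_workaround() {
    sudoers="${1:-/etc/sudoers}"
    [ -r "$sudoers" ] || return 1
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*[+]?=.*OPENSSL_ia32cap' "$sudoers"
}

# 3) postfix_import_environment must list the variable so postfix passes it on
#    to its daemons. $1 is the text printed by `zmlocalconfig postfix_import_environment`.
localconfig_imports_workaround() {
    printf '%s\n' "$1" | grep -Eq '^postfix_import_environment[[:space:]]*=.*OPENSSL_ia32cap'
}

# 4) The current process environment (meaningful when run as the zimbra user).
env_has_workaround() {
    [ "${OPENSSL_ia32cap-}" = "$WORKAROUND_MASK" ]
}

# Print one line per check; the exit status is the number of failed checks.
report_workaround_status() {
    failed=0
    for check in profile_has_workaround sudoers_keeps_workaround env_has_workaround; do
        if "$check"; then
            echo "ok       $check"
        else
            echo "MISSING  $check"; failed=$((failed + 1))
        fi
    done
    if command -v zmlocalconfig >/dev/null 2>&1; then
        if localconfig_imports_workaround "$(zmlocalconfig postfix_import_environment 2>/dev/null)"; then
            echo "ok       localconfig_imports_workaround"
        else
            echo "MISSING  localconfig_imports_workaround"; failed=$((failed + 1))
        fi
    else
        echo "skipped  localconfig_imports_workaround (zmlocalconfig not on PATH)"
    fi
    return "$failed"
}

# Report only when asked to, so the file can also be sourced for its functions.
if [ "${1-}" = "--report" ]; then
    report_workaround_status
fi
```

Run it as the zimbra user with --report on each MTA or proxy node; a non-zero exit status means at least one of the settings is missing.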
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, while this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab appear to be minimal and are currently limited to the MTA, specifically to possible configuration changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, anyone concerned about the Logjam (cipher downgrade) style of MitM attacks should avoid the use of 'export' and 'low' ciphers in Postfix. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing this to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication channels instead of using lower-grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html])</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack; the vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export-grade encryption (read: weak encryption). According to the [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ Washington Post], the connection is downgraded to 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say that it is possible to crack 512-bit encryption today in approximately 7 hours using 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client-side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically in the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in v 2.17 of the library, but at the time was not categorized as a security issue, leading many to keep running stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. Although Linux does not usually require a restart, one is recommended here to ensure that all underlying software services are using the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
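<p class="text-justify">As an added example (not Zimbra's updater or any ZCS tool), the script below automates the checks around this procedure: before the updater runs it confirms from the output of zmcontrol -v that the node is on a release the updater supports (8.0.3 through 8.0.7), and after zmcontrol start it compares the openssl version string with 1.0.1h. The zmcontrol -v output format shown in the comments is an assumption, and because, as noted above, only 8.0.7 ends up with a changed version string, the post-patch comparison is applied only on that release.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's updater or part of ZCS: pre-flight and post-patch
# checks around the zmopenssl-updater.sh procedure.
# Assumptions: `zmcontrol -v` prints a line of the form
#   Release 8.0.7_GA_6021.RHEL6_64_20140408123911 RHEL6_64 FOSS edition.
# (the build numbers here are made up), and `openssl version` prints a line like
#   OpenSSL 1.0.1h 5 Jun 2014
# Both are parsed from text, so the functions can be exercised with sample input.

# Releases the updater supports, as listed in the post.
PATCHABLE_ZCS_RELEASES='8.0.3 8.0.4 8.0.5 8.0.6 8.0.7'
# The OpenSSL version a patched 8.0.7 node reports, per the post.
CCS_FIXED_VERSION='1.0.1h'

# Print the ZCS release (e.g. 8.0.7) found in `zmcontrol -v` output, or nothing.
zcs_release() {
    printf '%s\n' "$1" | sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)_.*/\1/p'
}

# Succeed if the release in $1 (zmcontrol -v output) is one the updater supports.
# Anything older than 8.0.3 has to be upgraded first, as the post says.
zcs_release_patchable() {
    rel=$(zcs_release "$1")
    [ -n "$rel" ] || return 1
    for ok in $PATCHABLE_ZCS_RELEASES; do
        [ "$rel" = "$ok" ] && return 0
    done
    return 1
}

# Turn an OpenSSL version such as 1.0.1h into one integer so versions can be
# compared numerically: major*10^9 + minor*10^6 + fix*10^3 + ASCII code of the
# patch letter (0 if none). 1.0.1h -> 1000001104, 1.0.1g -> 1000001103.
openssl_version_number() {
    v="$1"
    num="${v%%[a-z]*}"                 # "1.0.1"
    letter="${v#"$num"}"               # "h" or empty
    code=0
    if [ -n "$letter" ]; then code=$(printf '%d' "'$letter"); fi
    maj="${num%%.*}"
    rest=""; case "$num" in *.*) rest="${num#*.}" ;; esac
    min="${rest%%.*}"; [ -n "$min" ] || min=0
    fix=0;  case "$rest" in *.*) fix="${rest#*.}" ;; esac
    echo $(( maj * 1000000000 + min * 1000000 + fix * 1000 + code ))
}

# Print the version string (e.g. 1.0.1h) from `openssl version` output, or nothing.
openssl_version_string() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Succeed if the `openssl version` output in $1 is at least $2 (default
# CCS_FIXED_VERSION); return 2 if the text could not be parsed at all.
openssl_version_at_least() {
    have=$(openssl_version_string "$1")
    [ -n "$have" ] || return 2
    want="${2:-$CCS_FIXED_VERSION}"
    [ "$(openssl_version_number "$have")" -ge "$(openssl_version_number "$want")" ]
}

# Live check on a node, run as the zimbra user so that "openssl" is the copy
# under /opt/zimbra (the updater does not touch the OS-level library).
verify_node() {
    rel_out=$(zmcontrol -v 2>/dev/null)
    if ! zcs_release_patchable "$rel_out"; then
        echo "release '$rel_out' is not 8.0.3-8.0.7: upgrade before patching"
        return 1
    fi
    rel=$(zcs_release "$rel_out")
    ssl_out=$(openssl version 2>/dev/null)
    if [ "$rel" != "8.0.7" ]; then
        # Earlier releases are patched in place and keep their version string,
        # so only the updater's own output confirms the patch there.
        echo "release $rel, $ssl_out: version string does not change on this release"
        return 0
    fi
    if openssl_version_at_least "$ssl_out"; then
        echo "release $rel, $ssl_out: patched"
    else
        echo "release $rel, $ssl_out: still below $CCS_FIXED_VERSION, patch not applied"
        return 1
    fi
}

# Run the live check only when asked to, so the file can also be sourced.
if [ "${1-}" = "--verify" ]; then
    verify_node
fi
```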
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed, and been actively attacked, since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you will need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you will need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>The script generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If the node has no Internet access, install the patch manually as follows:<br /><br />1) Download the OpenSSL build matching your ZCS release and platform, together with its .md5sum file, and copy both to the node:<br /><br />(as root)<br /><span style="font-family: courier new,courier;">cd /tmp</span><br /><span style="font-family: courier new,courier;">wget the correct version, from this list:</span></p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The matching MD5 checksum files, for verifying each download before it is installed, are here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p><br />2) Verify the tarball against its .md5sum file before going further. A mismatch means a corrupt or tampered download: fetch it again rather than installing it.<br /><br />(as root)<br /><span style="font-family: courier new,courier;">3) cd /opt/zimbra</span><br /><span style="font-family: courier new,courier;">4) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart</span><br /><span style="font-family: courier new,courier;">5) tar xfz /tmp/openssl-NEWVERSION.tgz</span><br /><br />Note that the rebuilt tarball carries the same OpenSSL version number as the build it replaces (for example 1.0.1e for 8.0.4 through 8.0.6), which is why the existing directory has to be moved aside first. The version number therefore does not tell you whether a node is patched; the dtls1_heartbeat test in the Testing section does.<br /><br />(as user zimbra)<br /><span style="font-family: courier new,courier;">6) su - zimbra</span><br /><span style="font-family: courier new,courier;">7) zmcontrol restart</span></p><br />
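The manual procedure above, as an added example that is not part of Zimbra's advisory: a POSIX shell script that checks the tarball against its .md5sum file, moves the existing OpenSSL directory aside and unpacks the new one, and refuses to touch anything when the checksum does not match. It assumes (the page does not say) that the .md5sum file is in the "&lt;hex&gt;  &lt;filename&gt;" format written by md5sum(1) and that the tarball unpacks to a top-level openssl-VERSION/ directory; make_fixture builds a constructed fake /opt/zimbra so the steps can be rehearsed offline.<br />

```shell
#!/bin/sh
# Added example, not Zimbra's own script: offline rehearsal of the manual
# Heartbleed patch steps against a scratch copy of /opt/zimbra.
# Assumptions (not stated on the page): the .md5sum file is in the
# "<hex>  <filename>" format produced by md5sum(1), and the tarball unpacks
# to a top-level openssl-<version>/ directory.
set -u

# verify_md5 TARBALL MD5FILE -> 0 if the digest in MD5FILE matches TARBALL.
# Only the first field of the checksum file is used, so the path recorded
# in it does not have to match the local path.
verify_md5() {
  tarball=$1
  md5file=$2
  expected=$(awk 'NR==1 {print $1}' "$md5file")
  actual=$(md5sum "$tarball" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# swap_openssl PREFIX TARBALL VERSION
# Moves PREFIX/openssl-VERSION aside as .brokenheart and unpacks TARBALL
# into PREFIX. Aborts before any change if TARBALL.md5sum does not match.
swap_openssl() {
  prefix=$1
  tarball=$2
  version=$3
  if ! verify_md5 "$tarball" "$tarball.md5sum"; then
    echo "checksum mismatch for $tarball, aborting" >&2
    return 1
  fi
  if [ -d "$prefix/openssl-$version" ]; then
    mv "$prefix/openssl-$version" "$prefix/openssl-$version.brokenheart" || return 1
  fi
  tar xzf "$tarball" -C "$prefix"
}

# make_fixture -> prints a temp dir holding a constructed fake /opt/zimbra
# with an "old" openssl-1.0.1e, plus a "patched" tarball and its .md5sum.
make_fixture() {
  work=$(mktemp -d)
  mkdir -p "$work/opt/zimbra/openssl-1.0.1e/lib" "$work/stage/openssl-1.0.1e/lib"
  echo "old build" > "$work/opt/zimbra/openssl-1.0.1e/lib/libssl.so"
  echo "patched build" > "$work/stage/openssl-1.0.1e/lib/libssl.so"
  tar czf "$work/openssl-1.0.1e.tgz" -C "$work/stage" openssl-1.0.1e
  md5sum "$work/openssl-1.0.1e.tgz" > "$work/openssl-1.0.1e.tgz.md5sum"
  echo "$work"
}

# Real use, as root, after downloading both files to /tmp:
#   swap_openssl /opt/zimbra /tmp/openssl-1.0.1e.tgz 1.0.1e && su - zimbra -c 'zmcontrol restart'
```

On a live node the only arguments that change are the prefix (/opt/zimbra), the tarball path and the version taken from the file name; the fixture exists so the abort-on-mismatch path can be exercised without a real download.<br />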
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this applies ONLY to ZCS 8.0.3. The patched OpenSSL builds for all other releases were correct; only the first 8.0.3 builds were still vulnerable.</p><br />
<p>Here is how you can check your release version:<br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br />(look for "8.0.3")<br /><br />Then use the test methods below to confirm whether the installed libssl is still vulnerable.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:<br /><br /><span style="font-family: courier new,courier;"># su - zimbra</span><br /><span style="font-family: courier new,courier;">$ zmcontrol -v</span><br /><span style="font-family: courier new,courier;">Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.</span><br /><br />3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with the TLS heartbeat extension, i.e. whether it contains the dtls1_heartbeat symbol. Zimbra's fixed builds disable heartbeat entirely, so the symbol is absent from them; a library that still contains it carries the heartbeat code and must be treated as vulnerable. This check is specific to that approach: an OpenSSL built from patched upstream source with heartbeats still enabled would also contain the symbol.<br /><br /><strong>Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span><br /><br /><strong>Not Vulnerable:</strong><br /><span style="font-family: courier new,courier;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat</span><br /><span style="font-family: courier new,courier;">$</span></p><br />
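The build-number and libssl checks above, combined into one POSIX shell script as an added example (not part of Zimbra's advisory). zcs_build and zcs_version parse a "zmcontrol -v" line, libssl_has_heartbeat runs the strings/grep test from the page (falling back to "grep -a" where binutils is absent, an addition of this example), and heartbleed_check reports a verdict with the library test as the deciding factor. The sample release lines and library files used to exercise it are constructed, not captured from a real node.<br />

```shell
#!/bin/sh
# Added example (not from the Zimbra page): scripted form of the two checks
# in the Testing section. Real use on a node, as the zimbra user:
#   heartbleed_check "$(zmcontrol -v)" /opt/zimbra/openssl/lib/libssl.so

# zcs_build RELEASE_LINE -> the build number from a `zmcontrol -v` line,
# e.g. "Release 8.0.7_GA_6021.RHEL6_64_20140408123937 ..." -> 6021
zcs_build() {
  printf '%s\n' "$1" | sed -n 's/^Release [0-9.]*_GA_\([0-9][0-9]*\)\..*/\1/p'
}

# zcs_version RELEASE_LINE -> the release, e.g. "8.0.7"
zcs_version() {
  printf '%s\n' "$1" | sed -n 's/^Release \([0-9.]*\)_GA_.*/\1/p'
}

# libssl_has_heartbeat LIBFILE -> 0 when the dtls1_heartbeat string is
# present (heartbeat code compiled in), 1 when absent. Uses strings(1) as
# the page does; `grep -a` is an equivalent fallback when binutils is missing.
libssl_has_heartbeat() {
  if command -v strings >/dev/null 2>&1; then
    strings "$1" | grep -q 'dtls1_heartbeat'
  else
    grep -a -q 'dtls1_heartbeat' "$1"
  fi
}

# heartbleed_check RELEASE_LINE LIBFILE -> prints a verdict; exit status
# 0 = patched, 1 = vulnerable. The library test decides; the build number
# is only the shortcut the page gives for 8.0.7 (6021 and later are rebuilt).
heartbleed_check() {
  ver=$(zcs_version "$1")
  build=$(zcs_build "$1")
  if libssl_has_heartbeat "$2"; then
    echo "VULNERABLE: $ver build ${build:-?}: libssl still contains dtls1_heartbeat, apply the OpenSSL patch"
    return 1
  fi
  echo "patched: $ver build ${build:-?}: libssl built without TLS heartbeat"
  return 0
}
```

Run it on every node, not just the mailstore: the proxies, MTAs and LDAP servers each carry their own /opt/zimbra/openssl.<br />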
<p><br />Please let Zimbra know promptly if you have any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is a XXE Vulnerability which, among other things, could be abused to disclose information from local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and install bitcoin-mining processes (and potentially other payloads) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.11/P1&diff=66097
Zimbra Releases/8.8.11/P1
2019-01-04T17:53:17Z
<p>Plobbes: </p>
<hr />
<div>{{WIP}}<br />
<br />
=Zimbra Collaboration 8.8.11 Patch 1 GA Release=<br />
<br />
<div class="col-md-9"><br />
Check out the '''"[[#security|Security Fixes]]"''', '''"[[#fixed|Fixed Issues]]"''' and '''"[[#ng-changelog|Zimbra NG Changelog]]"''' sections for this version of Zimbra Collaboration. Refer to the '''"[[#installation|Patch Installation]]"''' section for patch installation instructions. As always, you’re encouraged to tell us what you think in the Forums, or open a support ticket to report issues.<br />
<br />
=Security Fixes=<br />
<div id="security"></div><br />
Information about the security fixes in this patch is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] for how issues are handled and rated.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE - Chat [CWE-611]</td><br />
<td>CVE-2018-20160</td><br />
<td style="text-align: center; ">6.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.8.11 Patch 1</td><br />
</tr><br />
</table><br />
<br />
=Software changes=<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="fixed">Fixed Issues </div></h4></th><br />
</tr><br />
<br />
<tr><td class="col-md-1">'''ZCO Fixes:'''<br />
* Introduced new functionality in logging > "Report Issue"<br />
* Logging: Warning displayed if windows update service is disabled<br />
</td></tr><br />
<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* Fixed move operation on volume from primary server to secondary server<br />
* Commands for particular server will not be spread to all servers in admin console<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Chat Server:'''<br />
* Fixed Vulnerability: chat remote unauthenticated file read<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Fixed synchronization issue in contacts with a custom attribute named "Children"<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''HSM:'''<br />
* Fixed server prefix issue which was not set when creating s3scality volume<br />
</td></tr><br />
</table><br />
<br />
=Patch Installation=<br />
<div id="installation"></div><br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have setup local ZCS repository should first update the local repository by following instructions in [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki]<br />
<br />
==Install the Patch==<br />
* Note that installing the zimbra-patch package only updates the Zimbra core packages; the add-on packages listed below are installed separately. <br />
<br />
===8.8.11 Patch 1 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.11.1545987330.p1-1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
zimbra-drive-ng -> 1.0.5.1545373574-1<br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.11.1545987330.p1-2<br />
zimbra-network-modules-ng -> 4.0.1.1545151551-1<br />
zimbra-zco -> 8.8.11.1.0.0.1546517612-1<br />
<br />
Follow the steps below to install 8.8.11 Patch 1 on Red Hat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch. Type<br />
yum clean metadata <br />
yum check-update <br />
yum install zimbra-patch<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type<br />
 zmcontrol restart<br />
<br />
</div><br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
<br/><br />
* As root, Type below command. <br />
yum install zimbra-chat <br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, Type below command. <br />
yum clean metadata <br />
yum check-update <br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, Type below command. <br />
yum install zimbra-docs<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
<br />
* As root, Type below command. <br />
yum install zimbra-drive-ng<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type<br />
yum install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type below command to clear yum cache<br />
yum clean metadata<br />
* As root, type the following the first time so that the server sees the new zimbra-patch package in the 8.8.11 patch repository<br />
yum check-update<br />
* As root, type below command to update most available packages.<br />
yum update<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type<br />
 zmcontrol restart<br />
<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install2"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch. Type<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type<br />
 zmcontrol restart<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, Type below command. <br />
apt-get install zimbra-chat <br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root. Type below command. <br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, Type below command. <br />
apt-get install zimbra-docs<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
<br />
* As root, Type below command. <br />
apt-get install zimbra-drive-ng<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type<br />
 zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type<br />
apt-get install zimbra-ldap-components<br />
* Restart ldap as zimbra user<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the following the first time so that the server sees the new zimbra-patch package in the 8.8.11 patch repository <br />
apt-get update<br />
* As root, type below command to update most available packages<br />
apt-get upgrade<br />
OR <br />
* As root, type below command to update all available packages plus any kernel updates.<br />
apt-get dist-upgrade<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the following command:<br />
 zmcontrol restart<br />
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.9/P9&diff=66096
Zimbra Releases/8.8.9/P9
2019-01-04T17:52:39Z
<p>Plobbes: </p>
<hr />
<div>{{WIP}}<br />
<br />
=Zimbra Collaboration 8.8.9 Patch 9 GA Release=<br />
<br />
<div class="col-md-9"><br />
Check out the '''"[[#security|Security Fixes]]"''' and '''"[[#ng-changelog|Zimbra NG Changelog]]"''' sections for this version of Zimbra Collaboration. Refer to the '''"[[#installation|Patch Installation]]"''' section for patch installation instructions. As always, you’re encouraged to tell us what you think in the Forums, or open a support ticket to report issues.<br />
<br />
=Security Fixes=<br />
<div id="security"></div><br />
Information about the security fixes in this patch is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] for how issues are handled and rated.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE - Chat [CWE-611]</td><br />
<td>CVE-2018-20160</td><br />
<td style="text-align: center; ">6.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.8.9 Patch 9</td><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-persistent XSS - Web Client (HTML Search) [CWE-79]</td><br />
<td>CVE-2018-14013</td><br />
<td style="text-align: center; ">4.3</td><br />
<td style="text-align: center; ">Minor</td><br />
<td style="text-align: center; ">8.8.9 Patch 9</td><br />
</tr><br />
</table><br />
<br />
=Software changes=<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* Warning displayed when an administrator tries to add a global admin as a delegated admin of a domain <br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Chat Server:'''<br />
* Fixed Vulnerability: chat remote unauthenticated file read<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Error returned when EAS incompatible with Microsoft connectivity tester & third-party MDM<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''HSM:'''<br />
* Fixed server prefix issue which was not set when creating s3scality volume<br />
</td></tr><br />
</table><br />
<br />
=Patch Installation=<br />
<div id="installation"></div><br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have setup local ZCS repository should first update the local repository by following instructions in [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki]<br />
<br />
==Install the Patch==<br />
* Note that installing the zimbra-patch package only updates the Zimbra core packages; the add-on packages listed below are installed separately. <br />
<br />
===8.8.9 Patch 9 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.9.1545398059.p9-1<br />
zimbra-common-core-jar -> 2.0.0.1542195008-1<br />
zimbra-mbox-webclient-war -> 2.0.0.1538676137-1<br />
zimbra-mbox-admin-console-war -> 2.0.0.1534256855-1<br />
zimbra-network-store -> 8.8.9.1531211951-1<br />
zimbra-ldap-components -> 1.0.2-1zimbra8.7b1<br />
zimbra-lmdb -> 2.4.46-1zimbra8.7b3<br />
zimbra-clamav -> 0.99.4-1zimbra8.7b1<br />
zimbra-clamav-libs -> 0.99.4-1zimbra8.7b1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.9.1545398059.p9-2<br />
zimbra-network-modules-ng -> 2.0.9.1545150213-1<br />
zimbra-docs -> 1.0.5.1542364951-1<br />
zimbra-talk -> 2.0.7.1540571349-1<br />
<br />
Follow the steps below to install 8.8.9 Patch 9 on Red Hat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch. Type below command:<br />
yum clean metadata <br />
yum check-update <br />
yum install zimbra-patch<br />
* Switch to user zimbra<br />
 su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the following command:<br />
 zmcontrol restart<br />
<br />
</div><br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
<br/><br />
* As root, Type below command. <br />
yum install zimbra-chat <br />
* Switch to user zimbra<br />
 su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the following command:<br />
 zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng'''<br />
<br/><br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type:<br />
yum install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below to clear the yum cache:<br />
yum clean metadata<br />
* As root, type the command below the first time so the server sees that there is a new zimbra-patch package in the 889 patch repository:<br />
yum check-update<br />
* As root, type the command below to update most available packages:<br />
yum update<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install2"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type:<br />
apt-get install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below the first time so the server sees that there is a new zimbra-patch package in the 889 patch repository:<br />
apt-get update<br />
* As root, type the command below to update most available packages:<br />
apt-get upgrade<br />
OR<br />
* As root, type the command below to update all available packages plus any kernel updates:<br />
apt-get dist-upgrade<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Releases/8.8.10/P5&diff=66095
Zimbra Releases/8.8.10/P5
2019-01-04T17:51:10Z
<p>Plobbes: </p>
<hr />
<div>{{WIP}}<br />
=Zimbra Collaboration 8.8.10 Patch 5 GA Release=<br />
<br />
<div class="col-md-9"><br />
Check out the '''"[[#security|Security Fixes]]"''' and '''"[[#ng-changelog|Zimbra NG Changelog]]"''' sections for this version of Zimbra Collaboration. Refer to the '''"[[#installation|Patch Installation]]"''' section for patch installation instructions. As always, you're encouraged to tell us what you think in the Forums, or open a support ticket to report issues.<br />
<br />
=Security Fixes=<br />
<div id="security"></div><br />
Information about security fixes, the security response policy and the vulnerability rating classification is listed below. See the [https://wiki.zimbra.com/wiki/Zimbra_Security_Response_Policy Zimbra Security Response Policy] and the [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification Zimbra Vulnerability Rating Classification] pages for details.<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br>Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;"><strong>Zimbra<br>Rating</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br>Patch&nbsp;Version</span></th><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE - Chat [CWE-611]</td><br />
<td>CVE-2018-20160</td><br />
<td style="text-align: center; ">6.4</td><br />
<td style="text-align: center; ">Major</td><br />
<td style="text-align: center; ">8.8.10 Patch 5</td><br />
</tr><br />
<tr><br />
<td class="col-md-1">[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-persistent XSS - Web Client (HTML Search) [CWE-79]</td><br />
<td>CVE-2018-14013</td><br />
<td style="text-align: center; ">4.3</td><br />
<td style="text-align: center; ">Minor</td><br />
<td style="text-align: center; ">8.8.10 Patch 5</td><br />
</tr><br />
</table><br />
<br />
=Software changes=<br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th colspan="2" class="info"><h4><div id="ng-changelog">Zimbra NG Changelog</div></h4></th><br />
</tr><br />
<tr><td class="col-md-1">'''Admin Zimlet:'''<br />
* A warning is displayed when a user tries to add a global admin as a delegated admin of a domain<br />
* Enhancement to HSM page on admin console for primary storage management<br />
* Fixed exception on delete operation<br />
* Commands for particular server will not be spread to all servers in admin console<br />
* Fixed move operation on volume from primary server to secondary server<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Chat Server:'''<br />
* Fixed Vulnerability: chat remote unauthenticated file read<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Backup:'''<br />
* Fixed an issue where, when restoring with legacy zmrestore, the [BulkDelete] thread deleted the entire store<br />
* Concurrent locking during SmartScan<br />
* Fixed redolog parsing<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Mobile:'''<br />
* Error returned when EAS incompatible with Microsoft connectivity tester & third-party MDM<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''HSM:'''<br />
* Fixed an issue where the server prefix was not set when creating an s3scality volume<br />
</td></tr><br />
<br />
<tr><td class="col-md-1">'''Open Drive:'''<br />
* Added support for shared folders in NextCloud / OwnCloud to be displayed in Open Drive<br />
</td></tr><br />
<br />
</table><br />
<br />
=Patch Installation=<br />
<div id="installation"></div><br />
<br />
==Before Installing the Patch==<br />
Before installing the patch, consider the following:<br />
* Patches are cumulative.<br />
* A full backup should be performed before any patch is applied. There is no automated roll-back.<br />
* Zimlet patches can include removing existing Zimlets and redeploying the patched Zimlet.<br />
* Only files or Zimlets associated with installed packages will be installed from the patch.<br />
* Switch to user '''zimbra''' before using ZCS CLI commands.<br />
* '''Important!''' You cannot revert to the previous ZCS release after you upgrade to the patch.<br />
* '''Important Note for ZCS Setup with Local ZCS repository:''' Customers who have set up a local ZCS repository should first update the local repository by following the instructions in the [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository#Keep_the_local_Repository_up_to_date wiki].<br />
<br />
==Install the Patch==<br />
* Please note that installing the zimbra-patch package only updates the Zimbra core packages.<br />
<br />
===8.8.10 Patch 5 Packages===<br />
Below are the latest available packages:<br />
'''Package Name''' '''Version'''<br />
FOSS:<br />
zimbra-patch -> 8.8.10.1545398838.p5-1<br />
zimbra-chat -> 2.0.2.1546498111-1<br />
zimbra-common-core-jar -> 8.8.10.1542194734-1<br />
zimbra-mbox-webclient-war -> 8.8.10.1538673683-1<br />
zimbra-network-store -> 8.8.10.1542096286-1<br />
zimbra-ldap-components -> 1.0.2-1zimbra8.7b1<br />
zimbra-drive-ng -> 1.0.2.1542195756-1<br />
zimbra-drive -> 1.0.12.1542291479<br />
<br />
NETWORK:<br />
zimbra-patch -> 8.8.10.1545398838.p5-2<br />
zimbra-network-modules-ng -> 3.0.5.1545149989-1<br />
zimbra-docs -> 2.0.2.1542045176-1<br />
zimbra-talk -> 3.0.3.1540571542-1<br />
<br />
Refer to the steps below for 8.8.10 Patch 5 installation on Redhat and Ubuntu platforms:<br />
<br />
===Redhat===<br />
<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
</div><br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-chat<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
yum clean metadata<br />
yum check-update<br />
yum install zimbra-network-modules-ng<br />
yum install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
After installing the zimbra-drive-ng package on a machine that already has the old Drive, two tabs with the same name "Drive" appear, one for Open Drive and one for the latest Drive. This is a known issue and we are working on it.<br />
<br/><br />
* As root, type the command below:<br />
yum install zimbra-drive-ng<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type:<br />
yum install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below to clear the yum cache:<br />
yum clean metadata<br />
* As root, type the command below the first time so the server sees that there is a new zimbra-patch package in the 8810 patch repository:<br />
yum check-update<br />
* As root, type the command below to update most available packages:<br />
yum update<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
=== Ubuntu ===<br />
==== 1. Installing zimbra packages individually ====<br />
<div id="install2"><br />
'''Install/Upgrade zimbra-patch on mailstore node for FOSS and NETWORK'''<br />
* As root, install the patch by typing the commands below:<br />
apt-get update<br />
apt-get install zimbra-patch<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
<br />
'''Install/Upgrade zimbra-chat for FOSS'''<br />
* As root, type the command below:<br />
apt-get install zimbra-chat<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
'''Install/Upgrade zimbra-talk and zimbra-network-modules-ng (NETWORK Only)'''<br />
<br/><br />
* As root, type the commands below:<br />
apt-get update<br />
apt-get install zimbra-network-modules-ng<br />
apt-get install zimbra-talk<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br/><br />
<br />
'''Install/Upgrade zimbra-docs (NETWORK Only)'''<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-docs<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the command below:<br />
zmmailboxdctl restart<br />
<br />
<br/><br />
'''Install/Upgrade zimbra-drive-ng (Beta) (NETWORK Only)'''<br />
<br/><br />
After installing the zimbra-drive-ng package on a machine that already has Open Drive, two tabs with the same name "Drive" appear, one for Open Drive and one for the latest Drive. This is a known issue and we are working on it.<br />
<br/><br />
* As root, type the command below:<br />
apt-get install zimbra-drive-ng<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* The Zimbra mailbox service must be restarted for the changes to take effect. Type the commands below:<br />
zmmailboxdctl restart<br />
zxsuite config global set attribute isDriveEnabledOnStartup value true<br />
zxsuite drive doStartService module<br />
<br />
'''Upgrade OpenLDAP on LDAP node for FOSS and NETWORK'''<br />
* As root, type:<br />
apt-get install zimbra-ldap-components<br />
* Restart LDAP as the zimbra user:<br />
su - zimbra<br />
ldap restart<br />
<br />
==== 2. Installing zimbra packages with system package upgrades ====<br />
* As root, type the command below the first time so the server sees that there is a new zimbra-patch package in the 889 patch repository:<br />
apt-get update<br />
* As root, type the command below to update most available packages:<br />
apt-get upgrade<br />
OR<br />
* As root, type the command below to update all available packages plus any kernel updates:<br />
apt-get dist-upgrade<br />
* Switch to user zimbra:<br />
su - zimbra<br />
* ZCS must be restarted for the changes to take effect. Type the command below:<br />
zmcontrol restart<br />
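A post-patch verification check, added here as an example and not part of this wiki page or of Zimbra's own tooling: once the steps above have been run, it compares the zimbra-* package versions actually installed on a node with the versions listed in the "8.8.10 Patch 5 Packages" table, so a partly applied patch (a package that failed to install or was skipped) is caught before the node goes back into service. The expected versions are copied from the NETWORK list on this page; the same check serves the 8.8.9 Patch 9 procedure earlier on the page by substituting that release's list. The installed-package sample is constructed, not captured from a real server; the rpm and dpkg-query commands are assumed to be present on the node as on any Redhat or Ubuntu install.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: after applying a patch,
# compare the zimbra-* packages actually installed on a node with the versions
# the release notes list, so a partially applied patch is noticed.

# Expected versions, copied from the "8.8.10 Patch 5 Packages" list above
# (NETWORK edition). Format: "<package> <version>", one per line.
EXPECTED_8810_P5_NETWORK='zimbra-patch 8.8.10.1545398838.p5-2
zimbra-network-modules-ng 3.0.5.1545149989-1
zimbra-docs 2.0.2.1542045176-1
zimbra-talk 3.0.3.1540571542-1'

# Constructed sample of installed-package output (not captured from a real
# node): zimbra-talk is at a hypothetical older build and zimbra-docs is
# absent, so the check should report one MISMATCH and one MISSING.
SAMPLE_INSTALLED='zimbra-core 8.8.10.GA.3039-1
zimbra-patch 8.8.10.1545398838.p5-2
zimbra-network-modules-ng 3.0.5.1545149989-1
zimbra-talk 3.0.3.1500000000-1'

# installed_packages: print "<package> <version>" for every installed
# zimbra-* package, via rpm on Redhat or dpkg-query on Ubuntu. On dpkg the
# status field is checked because dpkg-query -W also lists packages that
# are known to the database but no longer installed.
installed_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Version} ${Status}\n' 'zimbra-*' 2>/dev/null |
            awk '$NF == "installed" { print $1, $2 }'
    else
        echo "neither rpm nor dpkg-query found" >&2
        return 1
    fi
}

# check_versions EXPECTED INSTALLED
# Prints one line per expected package (OK, MISMATCH or MISSING) and returns
# 0 only when every expected package is installed at the expected version.
check_versions() {
    expected=$1
    installed=$2
    rc=0
    # Read from a here-document rather than a pipe so that rc, which is set
    # inside the loop, is still visible after it (a pipe would fork a subshell).
    while read -r pkg want; do
        [ -n "$pkg" ] || continue
        have=$(printf '%s\n' "$installed" | awk -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING  $pkg (expected $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $pkg installed $have, expected $want"
            rc=1
        else
            echo "OK       $pkg $have"
        fi
    done <<EOF
$expected
EOF
    return $rc
}

# With --live, query the local package database (run as root on the node);
# otherwise demonstrate the check on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    check_versions "$EXPECTED_8810_P5_NETWORK" "$(installed_packages)"
else
    check_versions "$EXPECTED_8810_P5_NETWORK" "$SAMPLE_INSTALLED" ||
        echo "patch 8.8.10 P5 is not fully applied (sample data)"
fi
```

Run it with `--live` after `zmcontrol restart` on each node; a non-zero exit means at least one package is missing or at a different version, which is the case to investigate before treating the patch as applied. For a FOSS node, replace the expected list with the FOSS versions from the same table.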
</div></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66094
Zimbra Security Advisories
2019-01-04T17:48:53Z
<p>Plobbes: 8.8.11 Patch1 includes fix for bug 109093</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 Patch1</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td> 8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vuln in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>&nbsp;-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try Zimbra Collaboration at no cost with the 60-day free trial. <br /> [https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute to the Community, the Wiki, or the Code, or by developing Zimlets. <br /> '''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>] <br /> <i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>] <br/> <i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube channel to stay up to date on webinars, technology news, product overviews and more. <br /> [https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66088
Security Center
2019-01-03T20:01:34Z
<p>Plobbes: ZCS 8.8.9 Patch 9, 8.8.10 Patch 5 : CVE-2018-20160 / Bug 109093; CVE-2018-14013 / Bug 109017</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security-related FAQ and links to version-specific security settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<!--<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 9 and 8.8.10 Patch 5 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P9 ZCS 8.8.9 Patch 9]<br />
and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P5 ZCS 8.8.10 Patch 5]<br />
were released January 4, 2019. The releases include security fixes for:<br />
<ul><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109093 Bug 109093] - XXE - Chat ([https://cwe.mitre.org/data/definitions/611.html CWE-611])<br />
</li><br />
<li> [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 Bug 109017] - Non-persistent XSS - Web Client <br />
([https://cwe.mitre.org/data/definitions/79.html CWE 79])<br />
</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 4, 2019 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
--><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note that there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note that there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes a fix for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b>, which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts has the side effect of disabling all ZCS controlled keyboard shortcuts, which may impact normal user client interaction.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services that are required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue; however, if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile - add the following to the end of user zimbra's .bash_profile (requires root privileges):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
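The three steps above put the same variable in three places, and the mask value itself is opaque. As an added check (example code, not Zimbra's or the workaround author's), the POSIX shell script below decodes which CPU capability bits the mask clears and verifies the .bash_profile and sudoers fragments. The files it inspects are constructed samples it writes itself; the bit numbers follow OpenSSL's OPENSSL_ia32cap convention (bits 0-31 are CPUID(1).EDX, bits 32-63 are CPUID(1).ECX).

```shell
#!/bin/sh
# Added example (not Zimbra's code): decode the OPENSSL_ia32cap mask used in the
# CVE-2016-2107 workaround and verify the configuration fragments from the steps above.
# OPENSSL_ia32cap bit numbering: bits 0-31 = CPUID(1).EDX, bits 32-63 = CPUID(1).ECX.
# Bit 33 = ECX bit 1 (PCLMULQDQ); bit 57 = ECX bit 25 (AES-NI). A leading '~' means
# "clear these bits", so the mask below disables AES-NI and PCLMULQDQ.
WORKAROUND_MASK='~0x200000200000000'

# Return 0 when mask $1 (of the form "~0xHEX") clears capability bit $2.
ia32cap_clears_bit() {
  mask=${1#"~"}
  [ "$mask" != "$1" ] || return 1      # no leading '~': nothing is being cleared
  [ "$(( ($mask >> $2) & 1 ))" -eq 1 ]
}

# Print the names of the features mask $1 disables, one per line.
ia32cap_disabled_features() {
  for entry in "33:PCLMULQDQ" "57:AES-NI"; do
    bit=${entry%%:*}
    name=${entry#*:}
    ia32cap_clears_bit "$1" "$bit" && printf '%s\n' "$name"
  done
  return 0
}

# Return 0 if file $1 (a .bash_profile) exports exactly the workaround mask.
profile_has_workaround() {
  grep -Eq '^[[:space:]]*export[[:space:]]+OPENSSL_ia32cap="~0x200000200000000"' "$1"
}

# Return 0 if file $1 (a sudoers file) preserves OPENSSL_ia32cap across sudo.
sudoers_keeps_var() {
  grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+=[[:space:]]*"OPENSSL_ia32cap"' "$1"
}

# Return 0 if the (space-separated) postfix_import_environment value $1 names the
# variable. On a real host pass it the value zmlocalconfig prints for that key.
import_env_has_var() {
  case " $1 " in
    *" OPENSSL_ia32cap "*) return 0 ;;
    *)                     return 1 ;;
  esac
}

# Constructed sample files standing in for /opt/zimbra/.bash_profile ($1) and /etc/sudoers ($2).
write_sample_files() {
  printf '# workaround CVE-2016-2107\nexport OPENSSL_ia32cap="~0x200000200000000"\n' > "$1"
  printf 'Defaults env_keep += "OPENSSL_ia32cap"\n' > "$2"
}
```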
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via third-party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, whereas this issue affects only OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to cleartext communication channels instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html]).</p><br />
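One way to audit an MTA for the cipher grades discussed above, as an added example that is not part of the original post: a POSIX shell check that scans a Postfix "name = value" configuration dump (the format postconf -n prints) and reports every cipher-grade parameter set to 'export' or 'low'. The dump it scans here is a constructed sample written by the script itself.

```shell
#!/bin/sh
# Added example (not Zimbra's or Postfix's code): report Postfix TLS cipher-grade
# settings weaker than 'medium' in a "name = value" dump such as "postconf -n" output.
# Postfix cipher grades, weakest first: export, low, medium, high.

# Return 0 when grade $1 is one of the grades the Logjam note says to avoid.
is_weak_grade() {
  case "$1" in
    export|low) return 0 ;;
    *)          return 1 ;;
  esac
}

# Scan the dump in file $1. Print "parameter=grade" for every *_tls_ciphers or
# *_tls_mandatory_ciphers parameter set to a weak grade (smtp, smtpd, lmtp, ...).
# Return 0 if at least one weak setting was found, 1 if none were.
find_weak_tls_ciphers() {
  found=1
  while IFS= read -r line; do
    case "$line" in
      *_tls_ciphers*=*|*_tls_mandatory_ciphers*=*) ;;
      *) continue ;;
    esac
    name=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    if is_weak_grade "$value"; then
      printf '%s=%s\n' "$name" "$value"
      found=0
    fi
  done < "$1"
  return $found
}

# Constructed sample dump written to file $1: two weak grades, two acceptable ones,
# and one unrelated TLS parameter that must be ignored.
write_sample_postconf() {
  printf '%s\n' \
    'smtp_tls_ciphers = export' \
    'smtp_tls_mandatory_ciphers = medium' \
    'smtpd_tls_ciphers = medium' \
    'smtpd_tls_mandatory_ciphers = low' \
    'smtpd_tls_security_level = may' > "$1"
}
```

On a live Postfix host the same function can be pointed at the output of postconf -n saved to a file.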
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack. The vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys) and is tracked as [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to vulnerable, export grade encryption (read: weak encryption), which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to the Washington Post], is a downgrade to 512-bit encryption, the maximum allowed under the export controls in place in the U.S. during the 1990s. The Washington Post piece goes on to say it is possible to crack 512-bit encryption, today, in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x, 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk to this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE-2015-0235]. It should be noted that the vulnerability was patched in version 2.17 of the library, but at the time it was not categorized as a security issue, leading many to keep running stable, i.e. vulnerable, versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE-2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, it is recommended to ensure all underlying software services are patched.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. Please head over to https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is relegated to a&nbsp;very specific&nbsp;scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for this OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per-server basis:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first, then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this vulnerability is being reported as having existed and actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but the only way to ensure that an attacker cannot decrypt your SSL session data.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
2) chmod a+rx zmopenssl-updater.sh<br />
3) ./zmopenssl-updater.sh<br />
</pre><br />
<p>Step 3 generates the following output:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol<br />
restart<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">4) su - zimbra<br />
5) zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) Download the appropriate openssl build (as root):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
</pre><br />
<p>then wget the correct version for your ZCS release and platform from this list:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>(as root)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">2) cd /opt/zimbra<br />
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
4) tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>(as user zimbra)</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">5) su - zimbra<br />
6) zmcontrol restart<br />
</pre><br />
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>(look for "8.0.3")</p><br />
<p>Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm whether your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_<strong>6021</strong>.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with the dtls1_heartbeat function (the symbol is present in vulnerable builds and absent once TLS heartbeat is disabled):</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
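<p>Worked example (added here; it is not Zimbra's own script and not part of the original advisory): a small POSIX shell script that turns the manual checks from the CCS-injection advisory above (the openssl version reported after patching), from this Testing section (the dtls1_heartbeat string test) and from the Manual Patching section (the .md5sum files published beside each tarball) into functions that can be run on a node or in a fleet-wide audit. The version cut-offs (Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1h closes CCS injection), the use of grep -a in place of strings, the "hash  filename" sidecar format and the constructed fixture files are assumptions of the example, not statements from the advisory.</p><br />

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: offline checks that mirror the
# verification steps in the CCS-injection and Heartbleed advisories.
# Layout and format details below are assumptions, not a documented interface.

# Classify one line of "openssl version" output against the two advisories.
# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g
# closed it; 1.0.1h also closes CCS injection (CVE-2014-0224) and is the
# version the advisory says a patched ZCS 8.0.7 reports. Other branches
# (1.0.0, 0.9.8) are reported as "other-branch" and left to the reader,
# since the advisories only discuss the ZCS 8 (1.0.1) builds.
classify_openssl_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo heartbleed ;;     # CVE-2014-0160 and CVE-2014-0224
        1.0.1g)           echo ccs-injection ;;  # only CVE-2014-0224 remains
        1.0.1[h-z]*)      echo patched ;;
        *)                echo other-branch ;;
    esac
}

# Same test as the advisory's "strings libssl.so | grep dtls1_heartbeat", but
# with grep -a so it does not depend on binutils being installed. Exit status
# 0 means the heartbeat symbol is present (vulnerable build), 1 means absent.
libssl_has_heartbeat() {
    LC_ALL=C grep -aq 'dtls1_heartbeat' "$1"
}

# Check a manually downloaded tarball against its .md5sum sidecar (assumed to
# be a standard "<hash>  <filename>" line). Exit status 0 on match.
verify_md5sum() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(md5sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed fixtures so the checks can be exercised without real Zimbra
# files: two fake libssl builds and a fake tarball with a matching sidecar.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'ssl3_read\ndtls1_heartbeat\nssl3_write\n' > "$dir/libssl-vuln.so"
    printf 'ssl3_read\nssl3_write\n' > "$dir/libssl-fixed.so"
    printf 'not a real tarball\n' > "$dir/openssl-1.0.1h.tgz"
    digest=$(md5sum "$dir/openssl-1.0.1h.tgz" | awk '{print $1}')
    printf '%s  openssl-1.0.1h.tgz\n' "$digest" > "$dir/openssl-1.0.1h.tgz.md5sum"
    echo "$dir"
}

main() {
    for line in 'OpenSSL 1.0.1f 6 Jan 2014' 'OpenSSL 1.0.1h 5 Jun 2014' \
                'OpenSSL 1.0.0 29 Mar 2010'; do
        echo "$line -> $(classify_openssl_version "$line")"
    done
    d=$(make_fixtures)
    for lib in "$d/libssl-vuln.so" "$d/libssl-fixed.so"; do
        if libssl_has_heartbeat "$lib"; then
            echo "$lib: dtls1_heartbeat present (vulnerable build)"
        else
            echo "$lib: dtls1_heartbeat absent (heartbeat disabled)"
        fi
    done
    if verify_md5sum "$d/openssl-1.0.1h.tgz" "$d/openssl-1.0.1h.tgz.md5sum"; then
        echo "md5sum OK"
    else
        echo "md5sum MISMATCH"
    fi
    rm -rf "$d"
}
main
```

<p>On a real node you would call classify_openssl_version "$(/opt/zimbra/openssl/bin/openssl version)" and libssl_has_heartbeat /opt/zimbra/openssl/lib/libssl.so as the zimbra user; the md5sum check only covers transport corruption, since the sidecar is fetched from the same server as the tarball.</p><br />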
<p>Please let Zimbra know promptly of any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 (Dec 2013) is an XXE vulnerability which, among other things, could be abused to disclose information from local files:</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>And it has been used to upload and install rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Advisories&diff=66087
Zimbra Security Advisories
2019-01-03T19:43:33Z
<p>Plobbes: 8.8.9 Patch9 and 8.8.10 Patch5 released with fix for bug 109017 and bug 109093</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Advisories==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
===Overview===<br />
<p>The following Security Vulnerabilities have been fixed and released in recent versions of Zimbra Collaboration software. For the latest release and patches, please be sure to update your Zimbra Collaboration servers with the software available on our Download pages:</p><br />
<ul><br />
<li>Zimbra Collaboration - Network Edition: https://www.zimbra.com/downloads/ne-downloads.html</li><br />
<li>Zimbra Collaboration - Open-Source Edition: https://www.zimbra.com/downloads/os-downloads.html</li><br />
</ul><br />
===Zimbra Collaboration - Security Vulnerability Advisories===<br />
<p><span style="font-size: medium;"><em>(going back to ZCS 7.1.3)</em></span></p><br />
<div class="col-md-12"><br />
<table class="table table-striped table-condensed"><br />
<tr><br />
<th style="background-color: #f15922; width: 80px;"><span style="color: #ffffff;">Bug#</span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Summary</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVE-ID</strong></span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;"><strong>CVSS<br />Score</strong></span></th><br />
<th style="text-align: center; background-color: #f15922;">[[Zimbra_Vulnerability_Rating_Classification|Zimbra<br />Rating]]<span style="color: #ffffff;"></span></th><br />
<th style="text-align: center; background-color: #f15922;"><span style="color: #ffffff;">Fix&nbsp;Release&nbsp;or <br />Patch&nbsp;Version</span></th><br />
<th style="background-color: #f15922;"><span style="color: #ffffff;">Reporter</span></th><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109093 109093]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-20160 CVE-2018-20160]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5</td><br />
<td>An Trinh</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109017 109017]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.9 Patch9 <br /> 8.8.10 Patch5 <br /> 8.8.11 </td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109020 109020]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch7 <br /> 8.8.10 Patch2</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109018 109018]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch7 <br /> 8.8.9 Patch6 <br /> 8.8.10 Patch1</td><br />
<td>Issam Rabhi of Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109021 109021]</td><br />
<td>Limited Content Spoofing [https://cwe.mitre.org/data/definitions/345.html CWE-345]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.10</td><br />
<td>Sumit Sahoo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=109012 109012]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch6 <br /> 8.8.8 Patch9 <br /> 8.8.9 Patch3</td><br />
<td>Danielle Deibler</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108970 108970]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.8.8 Patch7 <br /> 8.8.9 Patch1</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108902 108902]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.11 Patch4 <br /> 8.8.8 Patch4</td><br />
<td>Diego Di Nardo</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108963 108963]</td><br />
<td>Verbose Error Messages [https://cwe.mitre.org/data/definitions/209.html CWE-209]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10950 CVE-2018-10950]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108962 108962]</td><br />
<td>Account Enumeration [https://cwe.mitre.org/data/definitions/203.html CWE-203]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10949 CVE-2018-10949]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Major</td><br />
<td>8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108894 108894]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/199.html CWE-199]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-10951 CVE-2018-10951]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:S/C:P/I:P/A:N) 3.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.8</td><br />
<td>Netragard</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97579 97579]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch2 <br /> 8.8.8 Patch1</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108786 108786]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch1 <br /> 8.8.7 <br /> 8.8.8</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=108265 108265]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.3</td><br />
<td>Veit Hailperin</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107963 107963]</td><br />
<td>Host header injection [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.8.0 Beta2</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107948 107948] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=107949 107949]<br />
</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2018-10948</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.11 Patch3 <br /> 8.8.0 Beta2</td><br />
<td>Lucideus <br /> Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107925 107925]</td><br />
<td>Persistent XSS - snippet [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch9 <br /> 8.7.11 Patch1 <br /> 8.8.0 Beta2</td><br />
<td>Compass Security</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 107878]</td><br />
<td>Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-8783 CVE-2017-8783]</td><br />
<td>[https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.10</td><br />
<td>Stephan Kaag of Securify</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 107712]</td><br />
<td>Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6821 CVE-2017-6821]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Minor</td><br />
<td>8.7.6</td><br />
<td>Greg Solovyev, Phil Pearl</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 107684]</td><br />
<td>Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2017-6813 CVE-2017-6813]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:P/A:N) 4.0]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch9 <br /> 8.7.6</td><br />
<td>Greg Solovyev</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106811 106811]</td><br />
<td>Limited XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/vuln/detail/CVE-2016-9924 CVE-2016-9924]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch10 <br /> 8.7.4</td><br />
<td>Alastair Gray</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=106612 106612]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7288 CVE-2017-7288]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.1</td><br />
<td>Sammy Forgit</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=105001 105001] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105174 105174]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-5721</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Secu</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104552 104552] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104703 104703]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3999</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Nam Habach</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104477 104477]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/601.html CWE-601] -->-</td><br />
<td>CVE-2016-4019</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104294 104294] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104456 104456]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3406</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=104222 104222] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104910 104910] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105071 105071] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=105175 105175]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3407</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3] <br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:S/C:N/I:P/A:N) 2.1]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103997 103997] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104413 104413] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104414 104414] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104777 104777] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104791 104791]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3412</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103996 103996]</td><br />
<td>[https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>CVE-2016-3413</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103961 103961] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104828 104828]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3405</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103959 103959]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2016-3404</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103956 103956] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=103995 103995] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104475 104475] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104838 104838] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=104839 104839]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3410</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=103609 103609]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3411</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102637 102637]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3409</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Peter Nguyen</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102276 102276]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>CVE-2016-3415</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102227 102227]</td><br />
<td>[https://cwe.mitre.org/data/definitions/502.html CWE-502]</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>8.7.0</td><br />
<td>Upstream, see <br /> CVE-2015-4852</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=102029 102029]</td><br />
<td>[https://cwe.mitre.org/data/definitions/674.html CWE-674]</td><br />
<td>CVE-2016-3414</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch7 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101813 101813]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2016-3408</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch11 <br /> 8.7.0</td><br />
<td>Volexity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=100885 100885] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100899 100899]</td><br />
<td>CSRF [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3403 CVE-2016-3403]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch8 <br /> 8.7.0</td><br />
<td>Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99810 99810]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/284.html CWE-284] [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3401</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99167 99167]</td><br />
<td><!-- [https://cwe.mitre.org/data/definitions/203.html CWE-203] -->-</td><br />
<td>CVE-2016-3402</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6]</td><br />
<td>Minor</td><br />
<td>8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101435 101435] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=101436 101436]</td><br />
<td>Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-7609</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]<br /> [https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.3]</td><br />
<td>Major</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Fortinet's FortiGuard Labs</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=101559 101559] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=100133 100133] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99854 99854] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=99914 99914] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=96973 96973]</td><br />
<td>XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:N/I:P/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5 <br /> 8.7.0</td><br />
<td>Zimbra</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=99236 99236]</td><br />
<td>XSS Vulnerability in YUI components in ZCS</td><br />
<td>n/a</td><br />
<td>4.3</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch5</td><br />
<td style="white-space:nowrap">Upstream, see <br /> CVE-2012-5881 <br /> CVE-2012-5882 <br /> CVE-2012-5883</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=98358 98358] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98216 98216] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=98215 98215]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2249</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2 <br /> 8.7.0</td><br />
<td>Cure53</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=97625 97625]</td><br />
<td>Non-Persistent XSS [https://cwe.mitre.org/data/definitions/79.html CWE-79]</td><br />
<td>CVE-2015-2230</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5]</td><br />
<td>Minor</td><br />
<td>8.6.0 Patch2</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=96105 96105]</td><br />
<td>Improper Input Validation [https://cwe.mitre.org/data/definitions/20.html CWE-20]</td><br />
<td>CVE-2014-8563</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.9 <br /> 8.5.1 <br /> 8.6.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83547 83547]</td><br />
<td>CSRF Vulnerability [https://cwe.mitre.org/data/definitions/352.html CWE-352]</td><br />
<td>CVE-2015-6541</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>iSEC Partners, Sysdream</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92825 92825] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92833 92833] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=92835 92835]</td><br />
<td>XSS Vulnerabilities [https://cwe.mitre.org/data/definitions/79.html CWE-79] <br /> (8.0.7 Patch <br /> contains [https://bugzilla.zimbra.com/show_bug.cgi?id=87412 87412])</td><br />
<td>CVE-2014-5500</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3]</td><br />
<td>Minor</td><br />
<td>8.0.8 <br /> 8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=83550 83550]</td><br />
<td>Session Fixation [https://cwe.mitre.org/data/definitions/384.html CWE-384]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5119 CVE-2013-5119]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.5.0</td><br />
<td>-</td><br />
</tr><br />
<br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=91484 91484]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0224</td><br />
<td>n/a</td><br />
<td>6.8</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch]</td><br />
<td style="white-space:nowrap">Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=88708 88708]</td><br />
<td>Patch ZCS8 OpenSSL for CVE-2014-0160</td><br />
<td>n/a</td><br />
<td>5.0</td><br />
<td>Major</td><br />
<td style="white-space:nowrap"><br />
8.0.3+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.4+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.5+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.6+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7+[https://www.zimbra.com/forums/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html Patch] <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160] </td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85499 85499]</td><br />
<td>Upgrade to OpenSSL 1.0.1f</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 5.8</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVE-2013-4353] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449 CVE-2013-6449] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450 CVE-2013-6450]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=84547 84547]</td><br />
<td>XXE [https://cwe.mitre.org/data/definitions/611.html CWE-611]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217 CVE-2013-7217]</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4] <br /> (not 10.0)</td><br />
<td>Critical</td><br />
<td>7.2.2_Patch3 <br /> 7.2.3_Patch <br /> 7.2.4_Patch2 <br /> 7.2.5_Patch <br /> 7.2.6 <br /> 8.0.3_Patch3 <br /> 8.0.4_Patch2 <br /> 8.0.5_Patch <br /> 8.0.6</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85478 85478]</td><br />
<td>XSS vulnerability in message view</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Alban Diquet <br /> of iSEC&nbsp;Partners</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85411 85411]</td><br />
<td>Local root privilege escalation</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:L/AC:L/Au:S/C:C/I:C/A:N) 6.2]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td style="white-space:nowrap">Matthew David</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=85000 85000]</td><br />
<td>Patch nginx for CVE-2013-4547</td><br />
<td>n/a</td><br />
<td>7.5</td><br />
<td>Major</td><br />
<td>7.2.7 <br /> 8.0.7</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4547 CVE-2013-4547]</td><br />
</tr><br />
<tr><br />
<td style="white-space:nowrap"><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80450 80450] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80131 80131] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80445 80445] <br /><br />
[https://bugzilla.zimbra.com/show_bug.cgi?id=80132 80132]<br />
</td><br />
<td style="white-space:nowrap"><br />
Upgrade to JDK 1.6 u41 <br /> Upgrade OpenSSL to 1.0.0k <br /> Upgrade to JDK 1.7u15+ <br /> Upgrade to OpenSSL 1.0.1d</td><br />
<td>n/a</td><br />
<td>2.6</td><br />
<td>Minor</td><br />
<td>7.2.3 <br /> 7.2.3 <br /> 8.0.3 <br /> 8.0.3</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169 CVE-2013-0169]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=80338 80338]</td><br />
<td>Local file inclusion via skin/branding feature [https://cwe.mitre.org/data/definitions/22.html CWE-22]</td><br />
<td>[https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091 CVE-2013-7091]</td><br />
<td>[https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2013-7091&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0]</td><br />
<td>Critical</td><br />
<td style="white-space:nowrap">6.0.16_Patch <br /> 7.1.1_Patch6 <br /> 7.1.3_Patch3 <br /> 7.2.2_Patch2 <br /> 7.2.3 <br /> 8.0.2_Patch <br /> 8.0.3</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=77655 77655]</td><br />
<td>Separate keystore for CAs used for X509 authentication</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:N) 5.8]</td><br />
<td>Major</td><br />
<td>8.0.7</td><br />
<td>Private</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=75424 75424]</td><br />
<td>Upgrade to Clamav 0.97.5</td><br />
<td>n/a</td><br />
<td>4.3 <br /> 4.3 <br /> 4.3</td><br />
<td>Minor</td><br />
<td>7.2.1</td><br />
<td>Upstream, see <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1457 CVE-2012-1457] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1458 CVE-2012-1458] <br /> [https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1459 CVE-2012-1459]</td><br />
</tr><br />
<tr><br />
<td>[https://bugzilla.zimbra.com/show_bug.cgi?id=64981 64981]</td><br />
<td>Do not allow HTTP GET for login</td><br />
<td>-</td><br />
<td>[https://nvd.nist.gov/cvss.cfm?calculator&amp;version=2&amp;vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8]</td><br />
<td>Major</td><br />
<td>7.1.3_Patch <br /> 7.1.4</td><br />
<td>Private</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66085
Zimbra Security Center Acknowledgements
2018-12-21T03:05:19Z
<p>Plobbes: Change per An's request</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>Viettel Cyber Security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br />https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
<div class="col-md-3"><br />
<div class="tile zimbrared"><br />
<h4>Try Zimbra</h4> <br />
<p class="text-justify"><i class="fa fa-cloud-download fa-3x pull-left"></i> Try Zimbra Collaboration at no cost with the 60-day free trial. <br />[https://www.zimbra.com/try/secure-collaboration-software-free-trial <span style="color:white">'''Get it now »'''</span>]</p><br />
</div> <br />
<div class="tile zimbraorange"><br />
<h4>Want to get involved?</h4> <br />
<p class="text-justify">You can contribute to the Community, the Wiki or the Code, or by developing Zimlets. <br />'''Find out more. »'''</p><br />
</div><br />
<div class="tile zimbrablue"><br />
<h4>Other Help Resources</h4> <br />
<p><i class="fa fa-users"></i> [https://help.zimbra.com <span style="color:white">Visit the User Help Page »</span>]<br /><i class="fa fa-comments"></i> [https://community.zimbra.com/collaboration/ <span style="color:white">Visit the Official Forums »</span>]<br/><i class="fa fa-book"></i> [https://zimbra.com/documentation <span style="color:white">Zimbra Documentation Page »</span>]</p><br />
</div><br />
<div class="tile zimbragrey"><br />
<h4>Looking for a Video?</h4> <br />
<p class="text-justify"><i class="fa fa-youtube fa-3x pull-left"></i> Visit our YouTube channel to keep up to date on webinars, technology news, product overviews and more. <br />[https://www.youtube.com/channel/UCcB648SoNlCNvyIh4arcTGg <span style="color:white">'''Go to the YouTube Channel »'''</span>]</p><br />
</div><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66084
Zimbra Security Center Acknowledgements
2018-12-21T02:20:29Z
<p>Plobbes: update name/url for An Phuoc Trinh</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security-related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Phuoc Trinh'''</td><br />
<td>http://viettel.com.vn/en</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br />https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Zimbra_Security_Center_Acknowledgements&diff=66079
Zimbra Security Center Acknowledgements
2018-12-19T22:14:04Z
<p>Plobbes: Add An Trinh</p>
<hr />
<div>{{BC|Security Center}}<br />
__NOTOC__<br />
==Zimbra Security Center Acknowledgements==<br />
<div class="col-md-12 ibox-content"><br />
<div class="col-md-9"><br />
<p>The following people have reported valid security-related bugs or concerns with our products and/or our publicly accessible services. Thank you for helping to make our products and customers safer!</p><br />
<table class="table table-hover table-bordered table-striped"><br />
<br />
<tr><th colspan="2">2018</th></tr><br />
<br />
<tr><br />
<td>'''An Trinh'''</td><br />
<td></td><br />
</tr><br />
<br />
<tr><br />
<td>'''Issam Rabhi'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Sumit Sahoo'''</td><br />
<td>https://www.facebook.com/54H00</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Danielle Deibler'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Vikash Chaudhary'''</td><br />
<td>https://www.linkedin.com/in/offensivehunter/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Diego Di Nardo'''</td><br />
<td>https://www.linkedin.com/in/diegodinardo/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>https://www.netragard.com/</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ryan Sears'''</td><br />
<td>https://medium.com/cali-dog-security</td><br />
</tr><br />
<br />
<br />
<tr><br />
<td>'''Abdurrahman Nazim'''</td><br />
<td>https://www.facebook.com/abdurrahman.shaikh.7528</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Ashish Kunwar'''</td><br />
<td>https://twitter.com/d0rkerdevil</td><br />
</tr><br />
<br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2017</th></tr><br />
<br />
<tr><br />
<td>'''Abiral Shrestha'''</td><br />
<td>https://twitter.com/proabiral</td><br />
</tr><br />
<tr><br />
<td>'''Veit Hailperin'''</td><br />
<td>https://twitter.com/fenceposterror</td><br />
</tr><br />
<tr><br />
<td>'''Girish Bhamare'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><br />
<td>'''Zhouyuan Yang'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Eusebiu Blindu'''</td><br />
<td>https://twitter.com/testalways</td><br />
</tr><br />
<tr><br />
<td>'''Damian&nbsp;Pfammatter &amp; Alessandro&nbsp;Zala'''</td><br />
<td>https://compass-security.com/</td><br />
</tr><br />
<tr><br />
<td>'''Lucideus'''</td><br />
<td>http://lucideus.com/</td><br />
</tr><br />
<tr><br />
<td>'''Stephan Kaag'''</td><br />
<td>https://securify.nl/</td><br />
</tr><br />
<br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2016</th></tr><br />
<br />
<tr><br />
<td>'''Gayatri Rachakonda'''</td><br />
<td>https://www.linkedin.com/in/gayatriracha/</td><br />
</tr><br />
<tr><br />
<td>'''Jatinder Singh Saini'''</td><br />
<td>https://www.linkedin.com/in/jatindersinghsaini/</td><br />
</tr><br />
<tr><br />
<td>'''Alastair Gray'''</td><br />
<td>https://ca.linkedin.com/in/alastair-gray-81a3085</td><br />
</tr><br />
<tr><br />
<td>'''Sammy Forgit'''</td><br />
<td>https://fr.linkedin.com/in/sammy-forgit-21834aa5</td><br />
</tr><br />
<tr><br />
<td>'''ANAS LAABAB'''</td><br />
<td>https://twitter.com/anas_l44b4b</td><br />
</tr><br />
<tr><br />
<td>'''Mohit Rawat'''</td><br />
<td>https://in.linkedin.com/in/mohitrawat08</td><br />
</tr><br />
<tr><br />
<td>'''Akash Saxena'''</td><br />
<td>https://www.facebook.com/akash.saxena.9421</td><br />
</tr><br />
<tr><br />
<td>'''Netragard'''</td><br />
<td>http://netragard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Nam Habach'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Kevin Michael Joensen'''</td><br />
<td>http://www.secu.dk/</td><br />
</tr><br />
<tr><br />
<td>'''Szymon Gruszecki'''</td><br />
<td>http://www.defensis.pl/</td><br />
</tr><br />
<tr><br />
<td>'''Guilherme Scombatti'''</td><br />
<td>https://twitter.com/gui_scombatti</td><br />
</tr><br />
<tr><br />
<td>'''Koen Rouwhorst'''</td><br />
<td>https://twitter.com/koenrh</td><br />
</tr><br />
<tr><br />
<td>'''Sandesh Satam'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
<tr><td colspan="2">&nbsp;</td></tr><br />
<tr><th colspan="2">2015</th></tr><br />
<tr><br />
<td>'''Peter Nguyen'''</td><br />
<td>&nbsp;</td><br />
</tr><br />
<tr><br />
<td>'''Ali Wamim Khan'''</td><br />
<td>https://twitter.com/WamimKhan</td><br />
</tr><br />
<tr><br />
<td>'''Hamza Bachikh'''</td><br />
<td>https://twitter.com/miZo_Rayk</td><br />
</tr><br />
<tr><br />
<td>'''Steven Adair'''</td><br />
<td>https://www.volexity.com/<br />https://twitter.com/volexity/</td><br />
</tr><br />
<tr><br />
<td>'''Fortinet's FortiGuard Labs'''</td><br />
<td>https://www.fortiguard.com/</td><br />
</tr><br />
<tr><br />
<td>'''Anthony&nbsp;LAOU-HINE&nbsp;TSUEI &amp; Damien&nbsp;CAUQUIL'''</td><br />
<td>https://www.sysdream.com/</td><br />
</tr><br />
<tr><br />
<td style="width: 34%;">'''Mario Heiderich'''</td><br />
<td style="width: 66%;">https://cure53.de/</td><br />
</tr><br />
<tr><br />
<td>'''Lokesh Kumar V'''</td><br />
<td>https://www.facebook.com/vijayanlokeshkumar</td><br />
</tr><br />
<tr><br />
<td>'''Indrajith.AN'''</td><br />
<td>https://www.facebook.com/indrajith.cyberXdestroyer</td><br />
</tr><br />
<tr><br />
<td>'''Asif Matadar'''</td><br />
<td>MWR InfoSecurity</td><br />
</tr><br />
<tr><br />
<td>'''Jitesh Sojitra'''</td><br />
<td>https://www.zimbra.com/</td><br />
</tr><br />
</table><br />
</div><br />
</div><br />
<br /></div>
Plobbes
https://wiki.zimbra.com/index.php?title=Security_Center&diff=66073
Security Center
2018-12-18T04:59:08Z
<p>Plobbes: ZCS 8.8.11 / CVE-2018-14013 / bug 109017</p>
<hr />
<div>__NOTOC__<br />
<div class="col-md-12"><br /></div><br />
<div class="col-md-8"><br />
<h2 class="title-header" style="padding-bottom: 9px; border-bottom: 4px solid #0087c3;">Zimbra Security - News & Alerts</h2><br />
<p>Note: A security-related FAQ and links to version-specific security-related settings can be found under [[Security/Collab]].</p><br />
<div class="col-md-12"><br />
<div class="ibox-content"><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.11 ZCS 8.8.11]<br />
was released December 17, 2018. The release includes a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> December 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P7 ZCS 8.8.9 P7]<br />
was released November 6, 2018. The patch includes a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> November 7, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 2 and 8.7.11 Patch 7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P2 ZCS 8.8.10 P2] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P7 ZCS 8.7.11 P7]<br />
were released October 29, 2018. Both patches include a fix for a persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-18631 CVE-2018-18631] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109020 bug 109020] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). ZCS 8.7.11 P7 also includes a fix (already in ZCS 8.8.10 P1) for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 29, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 Patch 1 and 8.8.9 Patch 6 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10/P1 ZCS 8.8.10 P1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P6 ZCS 8.8.9 P6]<br />
were released October 17, 2018. They include a fix for a non-persistent XSS [https://nvd.nist.gov/vuln/detail/CVE-2018-14013 CVE-2018-14013] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109018 bug 109018] ([http://cwe.mitre.org/data/definitions/79.html CWE 79]). Please note, there is a second non-persistent XSS ([https://bugzilla.zimbra.com/show_bug.cgi?id=109017 bug 109017]), also part of CVE-2018-14013, which is not fixed in this patch set.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 17, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.10 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.10 ZCS 8.8.10]<br />
was released October 2, 2018. It includes a fix for a limited text content injection vulnerability [https://nvd.nist.gov/vuln/detail/CVE-2018-17938 CVE-2018-17938] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109021 bug 109021] ([http://cwe.mitre.org/data/definitions/345.html CWE 345]).<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> October 2, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P9 ZCS 8.8.8 Patch9]<br />
was released August 30, 2018. It includes a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> August 31, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.9 Patch3, 8.7.11 Patch6 and 8.6.0 Patch11 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P3 ZCS 8.8.9 Patch3] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P6 ZCS 8.7.11 Patch6]<br />
were released August 17, 2018. They include a fix for an Account Enumeration vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-15131 CVE-2018-15131] / [https://bugzilla.zimbra.com/show_bug.cgi?id=109012 bug 109012].<br />
</p><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P11 ZCS 8.6.0 Patch11]<br />
was released August 17, 2018. This includes fixes for 11 vulnerabilities. See the release notes for details.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Updated: <br />
<i class="fa fa-calendar"></i> Aug 21, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect<br /><br />
<i class="fa fa-calendar"></i> Aug 19, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch7 and ZCS 8.8.9 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P7 ZCS 8.8.8 Patch7] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.9/P1 ZCS 8.8.9 Patch1]<br />
were released July 19, 2018. They include a fix for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-14425 CVE-2018-14425] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108970 bug 108970].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> July 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch4 and ZCS 8.7.11 Patch4 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P4 ZCS 8.8.8 Patch4] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P4 ZCS 8.7.11 Patch4]<br />
were released May 24, 2018. They include a fix for an XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-10939 CVE-2018-10939] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108902 bug 108902].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.8 Patch1 and ZCS 8.7.11 Patch2 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P1 ZCS 8.8.8 Patch1] and<br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P2 ZCS 8.7.11 Patch2]<br />
were released April 12, 2018. They include a fix for a CSRF vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2015-7610 CVE-2015-7610] / [https://bugzilla.zimbra.com/show_bug.cgi?id=97579 bug 97579].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.7.11 Patch1 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1 ZCS 8.7.11 Patch1]<br />
was released March 14, 2018. This includes fixes for three XSS vulnerabilities,<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265],<br />
[https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925], and<br />
[https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Apr 14, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.8.7 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 ZCS 8.8.7] was released today. It includes fixes for a Persistent XSS vulnerability, [https://nvd.nist.gov/vuln/detail/CVE-2018-6882 CVE-2018-6882] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108786 bug 108786], and Mailsploit-related issues / [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
<p class="text-justify"><br />
Note: We recommend that all sites <b>upgrading</b> to 8.8.7 manually set <b>zimbraPrefShortEmailAddress</b> to <b>FALSE</b>, which is the default for new 8.8.7 installs.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch9 released</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0_Patch9 ZCS 8.6.0 Patch 9] was released today and includes fixes for two Persistent XSS vulnerabilities, [https://nvd.nist.gov/vuln/detail/CVE-2017-8802 CVE-2017-8802] / [https://bugzilla.zimbra.com/show_bug.cgi?id=107925 bug 107925] and [https://nvd.nist.gov/vuln/detail/CVE-2017-17703 CVE-2017-17703] / [https://bugzilla.zimbra.com/show_bug.cgi?id=108265 bug 108265].<br />
</p><br />
<p class="text-justify"><br />
If this patch is not applied, one potential workaround to avoid this issue is to set zimbraPrefUseKeyboardShortcuts to FALSE (for all users/classes-of-service). Note: disabling keyboard shortcuts has the side effect of disabling all ZCS-controlled keyboard shortcuts, which may impact normal user interaction with the client.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Feb 9, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZWC affected by Mailsploit</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
All supported versions of Zimbra Web Client (ZWC) <i>prior to 8.8.7</i> are affected by [https://www.mailsploit.com/ Mailsploit]. <i>We recommend that all sites upgrading to 8.8.7 manually set zimbraPrefShortEmailAddress to FALSE which is the default for new 8.8.7 installs.</i><br />
</p><br />
<p class="text-justify"><br />
The workaround which addresses most issues is to set zimbraPrefShortEmailAddress to FALSE (if you are an administrator) for all users/classes-of-service. As an end user you can also control this setting by going to 'Preferences > Display names in place of email addresses when available' and deselecting the checkbox for this option (this is the end user control for the preference attribute mentioned above). This issue is being tracked as [https://bugzilla.zimbra.com/show_bug.cgi?id=108709 bug 108709].<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p>Update 8.8.7 released: <i class="fa fa-calendar"></i> Mar 8, 2018 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.10 Released with a fix for one vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.10:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107878 bug 107878] CVE-2017-8783 Persistent XSS - location [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107885 bug 107885] CVE-2017-8783 Persistent XSS - description [https://cwe.mitre.org/data/definitions/79.html CWE-79]<br />Affects: All supported versions before 8.7.10</li><br />
</ul><br />
</p><br />
<p class="text-justify"><br />
Thank you to Stephan Kaag of Securify for reporting bug 107878!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 24, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">8.7.6 Released with fixes for two vulnerabilities</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The following vulnerabilities were fixed in ZCS 8.7.6:<br />
<ul><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107712 bug 107712] CVE-2017-6821 Improper limitation of file paths [https://cwe.mitre.org/data/definitions/22.html CWE-22]<br />Affects: All supported versions before 8.7.6</li><br />
<li>[https://bugzilla.zimbra.com/show_bug.cgi?id=107684 bug 107684] CVE-2017-6813 Improper handling of privileges [https://cwe.mitre.org/data/definitions/280.html CWE-280]<br />Affects: ZCS 8.5.0 - 8.7.5 </li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 30, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Limited XXE in ZCS < 8.7.4 (CVE-2016-9924)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
A fix for a limited capability [https://cwe.mitre.org/data/definitions/611.html XXE] - CVE-2016-9924 / [https://bugzilla.zimbra.com/show_bug.cgi?id=106811 bug 106811] is included in release ZCS 8.7.4. This issue affects all supported versions of ZCS before 8.7.4.<br />
</p><br />
<p class="text-justify"><br />
A special thanks to Alastair Gray for taking the time to report this issue!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> March 1, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Multiple CSRF in Administration interface in ZCS < 8.7 (CVE-2016-3403)</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
The details of CVE-2016-3403 / [https://bugzilla.zimbra.com/show_bug.cgi?id=100899 bug 100899] (see also [https://bugzilla.zimbra.com/show_bug.cgi?id=100885 bug 100885]) were [http://www.openwall.com/lists/oss-security/2017/01/11/11 publicly disclosed] by [https://sysdream.com Sysdream Labs] on 2017-01-11.<br />
</p><br />
<p class="text-justify"><br />
Please note the fixes for the flaws were included as part of ZCS 8.7.0, which was released on [https://wiki.zimbra.com/wiki/Zimbra_Releases 2016-07-13].<br />
</p><br />
<p class="text-justify"><br />
Thank you to Sysdream for your assistance and cooperation!<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> January 11, 2017 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Ransomware targeting ZCS Servers</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
[http://www.bleepingcomputer.com/author/lawrence-abrams/ Lawrence Abrams] of [http://www.bleepingcomputer.com/ Bleeping Computer] has [http://www.bleepingcomputer.com/news/security/zimbra-ransomware-written-in-python-targets-zimbra-mail-store/ reported] that there is a new [https://gist.github.com/ratasxy/9416254d966bd701b5a85013969febaf ransomware variant], written in Python, that is targeting ZCS server data under '''/opt/zimbra/store/'''.<br />
</p><br />
<p class="text-justify"><br />
At this point, no details have been provided about how any servers were compromised. Without any details, the best advice we can give is:<br />
</p><br />
<ul><br />
<li>Get (and stay) up to date on OS version and patches.</li><br />
<li>Get (and stay) up to date on [https://www.zimbra.com/downloads/ ZCS] version and patches.</li><br />
<li>Ensure servers are properly firewalled (see [[Ports]]) and only allow access to the minimum number of services required to meet your business requirements.</li><br />
<li>Review and compare your system configuration against best practices like the [https://benchmarks.cisecurity.org/downloads/latest/ CIS benchmarks].</li><br />
</ul><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> June 22, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Workaround: OpenSSL padding oracle in AES-NI CBC MAC check (CVE-2016-2107)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160503.txt 2016-05-03 announcement] by [https://www.openssl.org/ OpenSSL] regarding a padding oracle in the AES-NI CBC MAC check affects [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases] of ZCS 8.0-8.6.0 (via MTAs and Proxy).<br />
<br /><br />
</p><br />
<p class="text-justify"><br />
We anticipate releasing 8.6.1 (and 8.7) with fixes for this issue, however if this issue is impacting your environment, the recommended workaround is covered in [https://bugzilla.zimbra.com/show_bug.cgi?id=104982 bug 104982]. NOTE: in ZCS 8.7+ we are able to easily patch third party packages included with ZCS via [https://wiki.zimbra.com/wiki/Zimbra_Collaboration_repository package repos].<br />
<br /><br />
</p><br />
<p class="text-justify">First, test that you are vulnerable with the following tool:<br /><br />
https://filippo.io/CVE-2016-2107/<br />
<br /><br />
</p><br />
<br />
<ul><br />
<li>Edit /opt/zimbra/.bash_profile - add the following to the end of user zimbra's .bash_profile (requires root privileges):<br />
<br /><br />
<code><br />
# workaround CVE-2016-2107<br /><br />
export OPENSSL_ia32cap="~0x200000200000000"<br />
</code><br />
</li><br />
<li>Edit sudoers - add the following line to your sudoers (/etc/sudoers or whatever is appropriate for your platform):<br />
<br /><br />
<code><br />
Defaults env_keep += "OPENSSL_ia32cap"<br />
</code><br />
</li><br />
<li>Configure postfix - instructs postfix to honor the desired environment variable:<br />
<br /><br />
<code><br />
$ zmlocalconfig -e postfix_import_environment='OPENSSL_ia32cap'<br />
</code><br />
<br /><br />
</li><br />
</ul><br />
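<p class="text-justify">The three steps above each touch a different file, and a host that has only some of them applied still loads the AES-NI code path in one of the processes. The following is an added example (not Zimbra tooling) that checks all three from text captured on the host: the zimbra user's .bash_profile, the sudoers file(s), and the <code>key = value</code> output of <code>zmlocalconfig postfix_import_environment</code>. The sample inputs are constructed, not taken from a real host.</p><br />

```python
"""Check that the three CVE-2016-2107 workaround settings are in place on an MTA host.

Added example, not Zimbra tooling. Inputs are text captured on the host:
the zimbra user's ~/.bash_profile, the sudoers file(s), and the output of
`zmlocalconfig postfix_import_environment` (printed as 'key = value').
"""
import re
from typing import List

# Mask from the workaround: hides the AES-NI capability bits from OpenSSL.
EXPECTED_IA32CAP = "~0x200000200000000"


def bash_profile_exports_ia32cap(text: str) -> bool:
    """True if an uncommented line exports OPENSSL_ia32cap with the expected mask."""
    pattern = re.compile(
        r'^\s*export\s+OPENSSL_ia32cap=["\']?' + re.escape(EXPECTED_IA32CAP) + r'["\']?\s*$',
        re.MULTILINE,
    )
    return pattern.search(text) is not None


def sudoers_keeps_ia32cap(text: str) -> bool:
    """True if an uncommented 'Defaults env_keep' line preserves OPENSSL_ia32cap.

    sudoers accepts several names in one quoted list, so the name may appear
    anywhere in the list; an 'env_keep -=' line does not count.
    """
    pattern = re.compile(
        r'^\s*Defaults\s+env_keep\s*\+?=\s*"?[^"\n]*\bOPENSSL_ia32cap\b', re.MULTILINE
    )
    return pattern.search(text) is not None


def localconfig_imports_ia32cap(text: str) -> bool:
    """True if postfix_import_environment lists OPENSSL_ia32cap among the imported names."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "postfix_import_environment":
            names = re.split(r"[\s,]+", value.strip().strip("'\""))
            return "OPENSSL_ia32cap" in names
    return False


def missing_steps(bash_profile: str, sudoers: str, localconfig: str) -> List[str]:
    """Return the workaround steps that are not in place; an empty list means all three are."""
    checks = {
        "bash_profile export": bash_profile_exports_ia32cap(bash_profile),
        "sudoers env_keep": sudoers_keeps_ia32cap(sudoers),
        "localconfig postfix_import_environment": localconfig_imports_ia32cap(localconfig),
    }
    return [name for name, ok in checks.items() if not ok]


# Constructed samples (not captured from a real host).
SAMPLE_BASH_PROFILE = """\
# .bash_profile of user zimbra
export PATH=/opt/zimbra/bin:$PATH
# workaround CVE-2016-2107
export OPENSSL_ia32cap="~0x200000200000000"
"""
SAMPLE_SUDOERS_MISSING = """\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
"""
SAMPLE_SUDOERS_OK = SAMPLE_SUDOERS_MISSING + 'Defaults env_keep += "OPENSSL_ia32cap"\n'
# zmlocalconfig output before and after the zmlocalconfig -e step (constructed values).
SAMPLE_LOCALCONFIG_BEFORE = "postfix_import_environment = MAIL_CONFIG MAIL_DEBUG TZ LANG=C\n"
SAMPLE_LOCALCONFIG_AFTER = "postfix_import_environment = OPENSSL_ia32cap\n"

if __name__ == "__main__":
    gaps = missing_steps(SAMPLE_BASH_PROFILE, SAMPLE_SUDOERS_MISSING, SAMPLE_LOCALCONFIG_BEFORE)
    print("missing:", gaps or "none")
```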
<br />
<p class="text-justify"><br />
A special thanks to Malte Stretz from our Gold Partner, [http://www.silpion.de/ Silpion], for his persistence and hard work to gather the information covered in this workaround! Also this article would be incomplete without mentioning that the original inspiration for this workaround came from https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/.<br />
<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 14, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">In Brief: DROWN / Cross-protocol attack on TLS using SSLv2 (CVE-2016-0800)</h4><br />
<div class="row"><br />
<p class="text-justify">The [https://www.openssl.org/news/secadv/20160301.txt 2016-03-01 announcement] by [https://www.openssl.org/ OpenSSL] regarding [https://drownattack.com/ DROWN] via SSLv2 affects ZCS 8.0.x (via MTAs), but no other currently [https://www.zimbra.com/support/support-offerings/product-lifecycle/ supported releases]. See [[How to disable SSLv3]], as it includes instructions on disabling SSLv2 and SSLv3. Additional info may also be found in [https://bugzilla.zimbra.com/show_bug.cgi?id=104130 bug 104130].<br /><br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 01, 2016 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">ZCS 8.6.0 Patch 5 availability</h4><br />
<div class="row"><br />
<p class="text-justify"><br />
ZCS 8.6.0 Patch 5 is available (officially released Dec 21, 2015). Patch 5 includes fixes for five (5) CVEs (ref: [[Zimbra Security Advisories]]). Three of the CVE-IDs referenced in the patch come via 3rd party components shipped with ZCS. Please note, one of the fixed vulnerabilities is [https://wiki.zimbra.com/wiki/Zimbra_Vulnerability_Rating_Classification rated as major]. See the [https://blog.zimbra.com/2015/12/zimbra-collaboration-8-6-patch-5-now-available/ blog post] or the release notes (available from the [https://www.zimbra.com/downloads/ downloads] area) for additional notes on ZCS 8.6.0 Patch 5.<br />
</p><br />
<br />
<p class="text-justify"><br />
<u>[Update: Feb 2, 2016]</u><br><br />
If you cannot patch immediately, the XSS bug classified as major (bug 101435) can be worked around by either disabling or uninstalling (zmzimletctl undeploy) the com_zimbra_url (aka URL links) zimlet.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 23, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">OpenSSL alternative chains certificate forgery (CVE-2015-1793)</h4><br />
<div class="row"><br />
<p class="text-justify">Today's announcement by OpenSSL (https://www.openssl.org/news/secadv_20150709.txt) regarding alternative chains certificate forgery does not affect any Zimbra Collaboration releases.<br /><br />
Specifically, the latest Zimbra Collaboration 8.6 release ships with OpenSSL 1.0.1l, while this issue affects only the following OpenSSL versions: 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 09, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">A note on Logjam</h4><br />
<div class="row"><br />
<p class="text-justify">There is a lot of chatter about [https://weakdh.org/ Logjam - https://weakdh.org] today.</p><br />
<p>At this time, the initial impacts to Collab seem to be minimal and are currently limited to the MTA, specifically possible setting changes, depending upon your environment.</p><br />
<p>Today we updated the [https://wiki.zimbra.com/wiki/Security/Collab/86#Ciphers_4 MTA Ciphers] section of our Collab 8.6 security wiki page. In short, for anyone concerned about the Logjam (cipher downgrade) style of MitM attacks, the use of 'export' and 'low' ciphers in Postfix should be avoided. Please note that Postfix, by default ([http://www.postfix.org/postconf.5.html#smtp_tls_ciphers http://www.postfix.org/postconf.5.html#smtp_tls_ciphers]), allows use of lower ciphers. Changing these to 'medium' can reduce client interoperability and/or may cause some clients to fall back to in-the-clear communication channels instead of using lower grade encryption.</p><br />
<p>As usual, there are trade-offs involved, but in the light of FREAK ([https://freakattack.com/ https://freakattack.com]) and Logjam ([https://weakdh.org/ https://weakdh.org]) attacks, it may also be argued that using ciphers lower than 'medium' is now potentially providing an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers with the hope that complete deprecation of these ciphers will be coming soon.</p><br />
<p>Please visit [https://wiki.zimbra.com/wiki/Security/Collab/86 https://wiki.zimbra.com/wiki/Security/Collab/86] to keep up with our latest recommendations. Also, for those looking to strengthen their security posture, in Collab 8.7 we have a number of enhancements slated including the ability to strengthen <strong>[https://bugzilla.zimbra.com/show_bug.cgi?id=98852 DH params]</strong>. A sneak preview of security related changes/enhancements in the works is available at [https://wiki.zimbra.com/wiki/Security/Collab/87 https://wiki.zimbra.com/wiki/Security/Collab/87].</p><br />
<p>Lastly, for those with openssl 1.0.2 available, you may find this post from OpenSSL useful [https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/]</p><br />
<p><br/><span style="text-decoration: underline;">Update for 8.0.x customers</span>: In Collab 8.0.x, Java 1.7 is used. Unfortunately, in Java 1.7, the DH parameters are hard-coded to 768 bits (excluding when using export cipher suites, which use 512 bits, but those should already be disabled). The workaround is to always use the (Nginx) Proxy. The other option is to disable all DHE suites, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE (ref: [http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html]).</p><br />
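<p class="text-justify">The cipher-grade recommendation above is easy to drift away from, since Postfix has four separate minimum-grade parameters (client/server, opportunistic/mandatory) plus two exclusion lists. The following is an added example (not Zimbra tooling) that audits <code>postconf -n</code> output from the MTA against that recommendation: anything below 'medium', or an exclusion list that does not name EXPORT and LOW, is reported. The sample configurations are constructed; how the values are actually set in ZCS is covered in the MTA Ciphers wiki section linked above.</p><br />

```python
"""Audit Postfix TLS cipher-grade settings for the Logjam/FREAK downgrade exposure.

Added example, not Zimbra tooling. It reads `postconf -n` output from the MTA
and reports settings that still admit 'export' or 'low' grade cipher suites.
"""
import re
from typing import Dict, List

# Postfix cipher grades, weakest first; the recommendation is 'medium' or better.
GRADES = ["null", "export", "low", "medium", "high"]
MIN_GRADE = "medium"

# Minimum-grade parameters: opportunistic and mandatory TLS, client (smtp) and server (smtpd).
GRADE_PARAMS = (
    "smtp_tls_ciphers", "smtpd_tls_ciphers",
    "smtp_tls_mandatory_ciphers", "smtpd_tls_mandatory_ciphers",
)
# Exclusion lists: naming EXPORT and LOW here removes those suites regardless of grade.
EXCLUDE_PARAMS = ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers")
WANT_EXCLUDED = ("EXPORT", "LOW")


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines as printed by postconf; a later duplicate wins."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit_ciphers(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no downgrade exposure was found."""
    findings: List[str] = []
    floor = GRADES.index(MIN_GRADE)
    for name in GRADE_PARAMS:
        grade = params.get(name)
        if grade is None:
            # Not set explicitly, so the compiled-in default applies; the post notes the
            # default permits lower grades, so this stays a finding until confirmed.
            findings.append(f"{name} not set: Postfix default applies, confirm it is at least {MIN_GRADE}")
        elif grade not in GRADES:
            findings.append(f"{name}={grade}: unrecognised cipher grade")
        elif GRADES.index(grade) < floor:
            findings.append(f"{name}={grade}: below {MIN_GRADE}, permits downgrade to weak suites")
    for name in EXCLUDE_PARAMS:
        tokens = {t.upper() for t in re.split(r"[\s,:]+", params.get(name, "")) if t}
        missing = [c for c in WANT_EXCLUDED if c not in tokens]
        if missing:
            findings.append(f"{name} does not exclude {', '.join(missing)}")
    return findings


def audit_text(postconf_output: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit_ciphers(parse_postconf(postconf_output))


# Constructed samples (not from a real MTA): a permissive configuration and the same
# configuration with the recommendation applied.
WEAK = """\
smtp_tls_security_level = may
smtp_tls_ciphers = export
smtpd_tls_ciphers = low
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
"""
HARDENED = """\
smtp_tls_security_level = may
smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtp_tls_exclude_ciphers = aNULL, EXPORT, LOW
smtpd_tls_exclude_ciphers = aNULL, EXPORT, LOW
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_text(sample) or ['no findings']}")
```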
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">What the FREAK attack means to Zimbra</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a newly disclosed SSL/TLS vulnerability that provides a potential malicious actor with a method to perform a Man-in-the-Middle (MitM) attack the vulnerability is being referred to as FREAK (Factoring attack on RSA-EXPORT Keys), utilizing [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204 CVE-2015-0204].</p><br />
<p>The attack allows a malicious actor to force a downgrade of a secure connection to a vulnerable, export grade encryption (READ: weak encryption). Which, [http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/ according to Washington Post], is downgraded to 512-bit encryption that was the maximum allowed under the export controls in place during the 1990s in the U.S. The Washington Post piece goes on to say it is possible to crack 512-bit encryption, today, in approximately 7 hours with the use of 75 computers, which can be rented from a cloud computing provider for approximately $100.</p><br />
<p>[http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html Matthew Green], cryptographer and research professor from Johns Hopkins, provided a Cliffs Notes version:</p><br />
<p>A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a 'man in the middle attacker' to downgrade connections from 'strong' RSA to 'export-grade' RSA. These attacks are real and exploitable against a shocking number of websites -- including government websites. Patch soon and be careful.</p><br />
<p>In addition to Matthew Green's post and the Washington Post article, the [http://freakattack.com/ freakattack.com] site has additional information, including a list of the top domains still vulnerable, as well as a built in check of the browser used to surf to the site.</p><br />
<h4>Zimbra Specifics</h4><br />
<p>Zimbra ships with the OpenSSL library. At this time, Zimbra has assessed Zimbra Collaboration 8.x and 7.x and found no susceptibility to the FREAK attack in the servers. As there is a client side component to this attack, please verify that you are running the latest browsers/clients to lower the risk of this type of attack.</p><br />
<p>As part of our security program, Zimbra will continue to monitor all developments related to the FREAK vulnerability and update this post as needed.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Mar 05, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">GNU C Library Vulnerability — aka GHOST</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of a Linux vulnerability, specifically the GNU C Library.</p><br />
<p><b>Details</b></p><br />
<br />
<p>The vulnerability appears to have been found by [https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability Qualys] and disclosed in security advisory [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 CVE 2015-0235]. It should be noted that the vulnerability was patched in v 2.17 of the library, but at the time was not categorized as a security issue, leading many to maintain stable versions, i.e. vulnerable versions. This is an operating system vulnerability; at this time, and to the best of our knowledge, there are no known exploits against Zimbra's software related to CVE 2015-0235.</p><br />
<p><b>Recommendation</b></p><br />
<p>Zimbra recommends that anyone running Linux update their systems as soon as possible. And while Linux doesn't usually require a restart, one is recommended here to ensure all underlying software services are actually using the patched library.</p><br />
<p><b>Patches or acknowledgements</b></p><br />
<p>[https://sourceware.org/git/?p=glibc.git;a=summary GNU C Library's] upstream Git<br /> [http://www.ubuntu.com/usn/usn-2485-1/ Ubuntu]<br /> [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391 Debian]<br /> [https://rhn.redhat.com/errata/RHSA-2015-0090.html Red Hat]<br /> [http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html CentOS]<br /> [http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00028.html SUSE]</p><br />
<p>- Phil</p><br />
<p>Note: the original post was updated slightly to clarify the relationship between the vulnerability and the lack of known exploits against software shipped by Zimbra.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jan 28, 2015 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">POODLE Revisited</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected.</p><br />
<p>For anyone looking for more information, I recommend you look at https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Dec 11, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Collaboration Updates (8.0.9 & 8.5.1)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra Collaboration 8.0.9 and 8.5.1 are out with security updates, including the update to OpenSSL 1.0.1j. For those looking to disable SSLv3 remember to (re)visit&nbsp;[https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 https://wiki.zimbra.com/wiki/How_to_disable_SSLv3].</p><br />
<p>Find here extra details on the releases:</p><br />
<ul><br />
<li>https://community.zimbra.com/collaboration/f/1884/t/1136138</li><br />
<li>https://community.zimbra.com/zblogs/b/teamblog/archive/2014/11/06/zimbra-collaboration-updates-8-0-9-amp-8-5-1</li><br />
</ul><br />
<p>And, as always, don't forget to read the release notes.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Nov 06, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">The Shellshock Flaw</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Zimbra is aware of, and has been closely monitoring, the developments of the Shellshock vulnerability. At this time, Zimbra has found no impact on our products, nor do we anticipate any. We have posted initial information on our main blog. &nbsp;Please head over to&nbsp; https://community.zimbra.com/zblogs/b/teamblog/archive/2014/09/25/the-shellshock-flaw &nbsp;for any updates related to this issue.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Sep 25, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Security Advisory: Zimbra Community 8.x Security Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is relegated to a&nbsp;very specific&nbsp;scenario in which a user within Zimbra Community 8.0 is able to view a user password via a specific API call.</p><br />
<p><strong>Summary:</strong>&nbsp;The Zimbra development team has identified a very specific scenario where a user&rsquo;s password in Community 8 is stored insecurely.</p><br />
<p><strong>Affected Versions:</strong>&nbsp;8.0.0.37997 (unpatched), 8.0.1.39116</p><br />
<p><strong>Vulnerability Scoring:</strong>&nbsp;CVSS: 1.4</p><br />
<p><strong>Obtaining a fix:</strong>&nbsp;http://telligent.com/support/m/support/1354746.aspx</p><br />
<p><strong>Details:</strong>&nbsp;The administrative feature to create users leverages non-public APIs that can force a user&rsquo;s password to be inadvertently stored insecurely.</p><br />
<p><strong>Reporter:</strong>&nbsp;Alex Crome (Zimbra)</p><br />
<p dir="ltr"><strong>When does this occur?</strong></p><br />
<p dir="ltr">1. Creating a user through the control panel using Membership Administration (requires administrative privileges)</p><br />
<p dir="ltr">2. Could occur if a custom plugin was deployed that copied off the extended attributes on a create user event and in turn re-saved those attributes using the UpdateUser API (this is unlikely, but possible)</p><br />
<p dir="ltr">If you have any questions or would like assistance with applying the patch, please [mailto:support@zimbra.com contact support].</p><br />
<p dir="ltr">This advisory was originally [http://blog.zimbra.com/blog/archives/2014/06/community-8-x-critical-security-vulnerability.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zimbra+%28Zimbra+%3A%3A+Blog%29 published here].&nbsp;</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jul 01, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)</strong></p><br />
<p>On June 5, 2014 the OpenSSL project released a [https://www.openssl.org/news/secadv_20140605.txt security advisory]. [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 CVE-2014-0224] can allow a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and a vulnerable server. It is also important to note that Zimbra does not use DTLS, nor do we have SSL_MODE_RELEASE_BUFFERS enabled.</p><br />
<p>The impact to Zimbra Collaboration Server is as follows:</p><br />
<ul class="org-ul"><br />
<li>ZCS 6 is not affected</li><br />
<li>ZCS 7 is not affected</li><br />
<li>ZCS 8 is affected</li><br />
</ul><br />
<p>Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.</p><br />
<p>If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html). Please upgrade to a newer version first, then run this patch.</p><br />
<p>Zimbra has produced a patch for this OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct, patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul class="org-ul"><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>The following patch instructions must be done on a per server basis. The updater is fetched over plain HTTP and runs as root, so review the downloaded script before executing it, and fetch it over HTTPS if the download host offers it:</p><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol stop<br />
</pre><br />
<ul class="org-ul"><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<ul class="org-ul"><br />
<li>As zimbra user:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zmcontrol start<br />
</pre><br />
<p>After a successful patch, ZCS 8.0.7 will be running OpenSSL 1.0.1h. To verify this, run the following as the zimbra user:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">openssl version<br />
</pre><br />
<p>On an 8.0.7 patched system the result should be:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">zimbra$ openssl version<br />
OpenSSL 1.0.1h 5 Jun 2014<br />
</pre><br />
<p>Earlier ZCS versions will report other OpenSSL versions: Zimbra patches the OpenSSL version that ships with each ZCS release rather than moving it to 1.0.1h, so on 8.0.3 through 8.0.6 the version string may not change at all and cannot by itself confirm that the patch is installed. On those releases rely on the updater's own success output and keep the installation log.</p><br />
<p>Continue to the next server and repeat the patch process.</p><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.</p><br />
<p>Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.</p><br />
<p>Finally, please note that the host operating system's own OpenSSL is also affected by this issue. The Zimbra patch does not update OS-level openssl libraries; it only replaces the openssl package under /opt/zimbra, so apply your OS vendor's OpenSSL update separately and restart any affected services.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> Jun 08, 2014 - <i class="fa fa-user"> </i> '''Phil Pearl''', Security Architect</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Critical Security Advisory and Builds/Patches for the OpenSSL Heartbleed Vulnerability</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px"><strong>Overview</strong></p><br />
<p class="text-justify">Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:</p><br />
<ul><br />
<li>http://heartbleed.com</li><br />
<li>https://www.openssl.org/news/secadv_20140407.txt</li><br />
<li>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160</li><br />
</ul><br />
<p class="text-justify">Specifically, nginx, postfix and OpenLDAP all link directly to the OpenSSL shipped in ZCS 8. Other components in the ZCS package also link to the openssl libraries, but those three are the potentially Internet-facing services that would be attackable. All versions of ZCS 8 released as of today are vulnerable. ZCS 7 is not vulnerable because it uses OpenSSL 1.0.0, which is not affected: only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 beta releases) contain the bug, and 1.0.1g carries the fix.<br /><br />Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities (reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html), so please upgrade to a secure version first and then run this patch.<br /><br />The patch is located here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/security/zmopenssl-updater.sh</li><br />
</ul><br />
<p>The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:</p><br />
<ul><br />
<li>ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7</li><br />
<li>ZCA versions 8.0.3 or 8.0.4</li><br />
</ul><br />
<p>Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.<br /><br />Please note: this bug has been present since OpenSSL 1.0.1 was released in 2012, and a successful heartbeat read leaves nothing in the server logs, so the private SSL keys for your platform may already have been compromised. After patching, regenerate your SSL certificates and private keys and revoke the old certificates; this is the only way to ensure that an attacker who captured your key cannot impersonate the server or decrypt recorded sessions that used non-forward-secret cipher suites. Because the leaked memory can also contain session cookies and user credentials, consider invalidating active web sessions and rotating passwords as well.<br /><br />Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.<br /><br />Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries; it only updates the openssl package in /opt/zimbra, so apply the OS vendor's update separately. For example:</p><br />
<ul><br />
<li>RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected</li><br />
<li>SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected</li><br />
</ul><br />
<p></p><br />
<h3>Patching</h3><br />
<p>The steps to patch are the following:</p><br />
<ul><br />
<li>As root:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh<br />
chmod a+rx zmopenssl-updater.sh<br />
./zmopenssl-updater.sh<br />
</pre><br />
<p>The updater prints the following on success:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">Downloading patched openssl<br />
Validating patched openssl: success<br />
Backing up old openssl: complete<br />
Installing patched openssl: complete<br />
OpenSSL patch process complete.<br />
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart<br />
</pre><br />
<ul><br />
<li>Then switch to the zimbra user and restart the services:</li><br />
</ul><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
<p></p><br />
<h4>Manual Patching</h4><br />
<p>If you don&rsquo;t have Internet access, manually installing the patch requires the following steps:</p><br />
<p>1) As root, download the openssl build matching your ZCS version and platform into /tmp, using the corresponding URL from this list:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /tmp<br />
wget &lt;URL from the list below&gt;<br />
</pre><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz</li><br />
</ul><br />
<p>The MD5 files are also available for verification purposes, here:</p><br />
<ul><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum</li><br />
<li>http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum</li><br />
</ul><br />
<p>2) As root, move the existing OpenSSL tree aside and unpack the new one into /opt/zimbra. OLDVERSION is the versioned directory currently present under /opt/zimbra and NEWVERSION is the version in the name of the tarball you downloaded:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">cd /opt/zimbra<br />
mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart<br />
tar xfz /tmp/openssl-NEWVERSION.tgz<br />
</pre><br />
<p>3) As the zimbra user, restart the services so they load the new library:</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">su - zimbra<br />
zmcontrol restart<br />
</pre><br />
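<p>The manual steps leave two things to the operator: checking the downloaded tarball against its .md5sum file before touching /opt/zimbra, and doing the rename-then-extract swap without destroying the only backup if the steps are run twice. The script below is an added example and not Zimbra's own tooling. It assumes, since the page does not say, that the .md5sum file is in md5sum(1) output format ("&lt;32 hex&gt;  &lt;name&gt;") or a bare digest, and that the tarball unpacks to openssl-&lt;version&gt;/ directly under the Zimbra base directory (/opt/zimbra in production; a scratch directory below).</p><br />

```shell
#!/bin/sh
# Added example for the manual patching steps; not Zimbra's tooling.
# Assumptions (not stated on the page): the .md5sum file is md5sum(1) output
# ("<32 hex>  <name>") or a bare digest, and the tarball unpacks to
# openssl-<version>/ directly under the Zimbra base directory.

# verify_md5 TARBALL MD5FILE -> 0 if the digest matches, 1 otherwise
verify_md5() {
    tarball=$1 md5file=$2
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 1
    expected=$(awk 'NR == 1 { print tolower($1) }' "$md5file")
    # anything other than 32 hex characters means this is not a digest file
    case "$expected" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 1
    actual=$(md5sum "$tarball" | awk '{ print tolower($1) }')
    [ "$expected" = "$actual" ]
}

# swap_openssl BASEDIR OLDVERSION TARBALL NEWVERSION
# The page's rename-then-extract steps with three guards:
#   - refuses if openssl-OLDVERSION.brokenheart already exists (a second run
#     would otherwise overwrite the only copy of the original tree)
#   - refuses before renaming anything if the tarball does not contain
#     openssl-NEWVERSION/lib/libssl.so
#   - restores the original tree if extraction fails part-way
swap_openssl() {
    base=$1 old=$2 tarball=$3 new=$4
    [ -n "$base" ] && [ -n "$old" ] && [ -n "$new" ] || return 1
    [ -d "$base/openssl-$old" ] || { echo "no $base/openssl-$old" >&2; return 1; }
    if [ -e "$base/openssl-$old.brokenheart" ]; then
        echo "backup $base/openssl-$old.brokenheart already exists, refusing" >&2
        return 1
    fi
    if ! tar tzf "$tarball" 2>/dev/null | grep -q "^openssl-$new/lib/libssl\.so$"; then
        echo "$tarball does not contain openssl-$new/lib/libssl.so" >&2
        return 1
    fi
    mv "$base/openssl-$old" "$base/openssl-$old.brokenheart" || return 1
    if ! tar xzf "$tarball" -C "$base"; then
        echo "extraction failed, restoring openssl-$old" >&2
        rm -rf "$base/openssl-$new"
        mv "$base/openssl-$old.brokenheart" "$base/openssl-$old"
        return 1
    fi
    echo "installed openssl-$new; restart services as zimbra with: zmcontrol restart"
}

# Production use, as root, after downloading both files into /tmp:
#   verify_md5 /tmp/openssl-1.0.1e.tgz /tmp/openssl-1.0.1e.tgz.md5sum \
#     && swap_openssl /opt/zimbra 1.0.1e /tmp/openssl-1.0.1e.tgz 1.0.1e
```

<p>The test path used later on this page, /opt/zimbra/openssl/lib/libssl.so, implies that /opt/zimbra/openssl resolves to the versioned directory; when OLDVERSION and NEWVERSION differ, confirm after the swap that it points at openssl-NEWVERSION before restarting. MD5 only protects against a truncated or corrupted download, not against a hostile mirror, since the digest file comes from the same unauthenticated HTTP host as the tarball.</p><br />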
<h3>Zimbra Collaboration 8.0.7 Builds</h3><br />
<p>Zimbra Collaboration Suite 8.0.7 - both the Network Edition and Open-Source Edition - have been rebuilt to include the fix for the OpenSSL Heartbleed Vulnerability.</p><br />
<p>If you haven't yet upgraded to 8.0.7, the current versions up on the Download site now disable TLS Heartbeat and protect against the OpenSSL Heartbleed Vulnerability:</p><br />
<ul><br />
<li>Network Edition: [http://www.zimbra.com/products/download-network.html http://www.zimbra.com/products/download-network.html]</li><br />
<li>Open-Source Edition: [http://www.zimbra.com/products/download-opensource.html http://www.zimbra.com/products/download-opensource.html]</li><br />
</ul><br />
<p>In short:</p><br />
<ul><br />
<li>If you downloaded ZCS 8.0.7 prior to Thursday, April 10, then your version DOES NOT include the OpenSSL fix. This would be ZCS 8.0.7 build 6020 -&gt; <strong>Vulnerable, you would still need the OpenSSL patch</strong>: https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html</li><br />
<li>If you downloaded ZCS 8.0.7 Thursday, April 10 or after, then your version DOES include the OpenSSL fix. This would be ZCS 8.0.7 build 6021 -&gt; <strong>Not Vulnerable, no patch required</strong></li><br />
</ul><br />
<h3>OpenSSL Patch Update for ZCS 8.0.3 Only</h3><br />
<p>If you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.</p><br />
<p>Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.</p><br />
<p>Here is how you can check your build version (look for "8.0.3" in the output):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ zmcontrol -v<br />
</pre><br />
<p>Please use the test methods below to confirm.</p><br />
<p></p><br />
<h3>Testing</h3><br />
<p>There are a few ways you can confirm if your system is vulnerable:</p><br />
<p>1. If running ZCS 8.0.7, check your version tarball for the build number 6021. For example:</p><br />
<ul><br />
<li>[http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_6021.RHEL6_64.20140408123937.tgz http://files2.zimbra.com/downloads/8.0.7_GA/zcs-NETWORK-8.0.7_GA_<strong>6021</strong>.RHEL6_64.20140408123937.tgz] - the build number here is "6021"</li><br />
</ul><br />
<p>2. If running ZCS 8.0.7, check zmcontrol for the build number (6021 here):</p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;"># su - zimbra<br />
$ zmcontrol -v<br />
Release 8.0.7_GA_6021.RHEL6_64_20140408123937 RHEL6_64 NETWORK edition.<br />
</pre><br />
<p>3. If running any version of Zimbra Collaboration, check whether the libssl shared library was built with dtls1_heartbeat. The fixed Zimbra builds disable TLS heartbeat, so the symbol is absent from a patched library. This test is specific to those builds: an OS-level OpenSSL carrying the upstream 1.0.1g fix keeps the symbol and must be judged by its vendor package version instead.</p><br />
<p><strong>Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
dtls1_heartbeat<br />
$<br />
</pre><br />
<p><strong>Not Vulnerable:</strong></p><br />
<pre class="example" style="border: 1px solid #cccccc; padding: 8pt; font-family: monospace; overflow: auto; margin: 1.2em;">$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat<br />
$<br />
</pre><br />
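<p>The symbol test above says whether the file on disk is fixed; it says nothing about a process that still has the old library mapped, which is why every set of steps on this page ends with zmcontrol restart. The script below is an added example, not Zimbra's tooling. It wraps the page's grep test (using grep -a so it works without binutils) and adds a check of /proc/PID/maps for libssl mappings that point at a *.brokenheart backup or a "(deleted)" file. It assumes the library path from the page, /opt/zimbra/openssl/lib/libssl.so, and takes the maps file as an argument so the logic can be run against a saved copy.</p><br />

```shell
#!/bin/sh
# Added example for the Testing section; not Zimbra's tooling.
# Assumptions: library path as on the page; the maps-file argument exists so
# the logic can be exercised on a saved copy of /proc/PID/maps.

LIBSSL=${LIBSSL:-/opt/zimbra/openssl/lib/libssl.so}

# heartbeat_symbol_present [FILE]
# returns 0 when "dtls1_heartbeat" occurs in FILE (vulnerable build), 1 otherwise;
# Zimbra's fixed builds were compiled without TLS heartbeat, so the name is absent
heartbeat_symbol_present() {
    grep -a -q 'dtls1_heartbeat' "${1:-$LIBSSL}"
}

# libssl_paths_in_maps MAPSFILE
# prints each distinct mapped path containing "libssl"; the path is field 6 and
# the kernel appends " (deleted)" as a 7th field when the file was replaced
libssl_paths_in_maps() {
    awk '$6 ~ /libssl/ { p = $6; for (i = 7; i <= NF; i++) p = p " " $i; print p }' "$1" | sort -u
}

# stale_libssl_loaded MAPSFILE
# returns 0 when any libssl mapping points at a manual-patch backup or a deleted file
stale_libssl_loaded() {
    libssl_paths_in_maps "$1" | grep -q -e '\.brokenheart/' -e '(deleted)$'
}

# audit_running_services
# scans every process on this host (run as root to read other users' maps) and
# lists the ones that still map a stale libssl; returns 0 if any were found
audit_running_services() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if stale_libssl_loaded "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            echo "pid $pid ($cmd) still maps:"
            libssl_paths_in_maps "$maps" | sed 's/^/    /'
            found=0
        fi
    done
    return $found
}

# Typical use on a patched node, as root:
#   heartbeat_symbol_present && echo "libssl on disk still contains the heartbeat code"
#   audit_running_services || echo "no process maps a stale libssl"
```

<p>If the automatic updater names its backup differently from the manual steps, the paths printed by libssl_paths_in_maps still show where each nginx, postfix and slapd process loaded its library from, so compare them with the directory that /opt/zimbra/openssl currently resolves to. Neither check says anything about the keys: as noted above, regenerate and redeploy the certificate and private key after patching (for the self-signed setup on 8.0.x, zmcertmgr createca -new, zmcertmgr createcrt -new -days 365 and zmcertmgr deploycrt self as root, then zmcontrol restart, as documented for the zmcertmgr CLI of that era; confirm against your release's admin guide, and a commercial certificate needs a fresh CSR and reissue by the CA).</p><br />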
<p>Please let Zimbra know promptly of any problems or questions.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Urgency on Security Fixes for Bug 80338 and Bug 84547</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Bug 80338 (Feb 2013) is a Local File Inclusion (LFI) vulnerability that leads to potential Privilege Escalation.<br />
</p><br />
<ul><br />
<li>Bug 80338: Privilege Escalation via LFI</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091</li><br />
<li>Affected versions: 7.2.2 and 8.0.2 and all previous releases</li><br />
</ul><br />
<p>Bug 84547 is an XML External Entity (XXE) vulnerability which, among other things, could be abused to disclose the contents of local files (Dec 2013):</p><br />
<ul><br />
<li>Bug 84547: XXE (CWE-611)</li><br />
<li>CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217</li><br />
<li>Affected Versions: releases before 7.2.6 in the 7 series, and 8.0.6 in the 8.0 series</li><br />
</ul><br />
<p>There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:</p><br />
<ul><br />
<li>[http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html Security Guidance for reported "0day Exploit"]</li><br />
<li>http://www.exploit-db.com/exploits/30085/</li><br />
</ul><br />
<p>It has been used to upload rogue Zimlets and install bitcoin-mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:</p><br />
<ul><br />
<li>[https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems]</li><br />
</ul><br />
<p>As noted, there are patches and upgrades available here:</p><br />
<ul><br />
<li>[http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events]</li><br />
<li>[http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html Critical Security Patches posted for 8.0.X/7.2.X]</li><br />
<li>[http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases]</li><br />
</ul><br />
<p>Please let us know if you have further questions. Please upgrade or patch at the first opportunity. Sorry for the difficulties on this.</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 19, 2014 - <i class="fa fa-user"> </i> '''Thom O'Connor''', VP Customer Support</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="post animated fadeInLeft animation-delay-8" style="padding-top:5px"><br />
<div class="panel panel-default"><br />
<div class="panel-body"><br />
<h4 class="post-title">Welcome to the Zimbra Security Group</h4><br />
<div class="row"><br />
<p class="text-justify" style="padding-top:5px">Join this group to get the latest news, updates and alerts about security issues affecting your Zimbra product.<br />
</p><br />
</div><br />
</div><br />
<div class="col-md-12"><br />
<div class="panel-footer" align="right"><br />
<p><i class="fa fa-calendar"></i> May 07, 2014 - <i class="fa fa-user"> </i> '''Jenn Emerson''', Community Manager</p><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br /></div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <h3 class="panel-title"><i class="fa fa-shield"></i> Zimbra Security Center</h3> </div><br />
<div class="panel-body"><br />
<p>Zimbra is committed to providing a secure collaboration experience for our customers, partners, and users of our software.</p><br />
<p>"Watch" the '''[[Security Center]]''' pages to stay updated on Zimbra security related news.</p><br />
<p><br />
<ul class="list-inline"><br />
<li>[[Zimbra_Security_Response_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Response Policy]]</li><br />
<li>[[Zimbra_Vulnerability_Rating_Classification|<i class="fa fa-shield fa-flip-horizontal"></i> Vulnerability Rating]]</li><br />
<li>[[Zimbra_Security_Advisories|<i class="fa fa-shield fa-flip-horizontal"></i> Security Advisories]]</li><br />
<li>[[Zimbra_Responsible_Disclosure_Policy|<i class="fa fa-shield fa-flip-horizontal"></i> Responsible Disclosure]]</li><br />
<li>[[Reporting_Vulnerabilities_to_Zimbra|<i class="fa fa-shield fa-flip-horizontal"></i> Reporting Vulnerabilities]]</li><br />
<li>[[Zimbra_Security_Center_Acknowledgements|<i class="fa fa-trophy"></i> Zimbra Security Center Acknowledgements]]</li><br />
</ul><br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-zimbrared-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-fax pull-left"></i> Zimbra Support</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Open a '''[http://support.zimbra.com/ new Support Ticket]''' or check your open ones. For questions on becoming a supported Zimbra customer, please '''[http://www.zimbra.com/about/contact_us.html contact us]'''.<br />
</p><br />
</div><br />
</div><br />
</div><br />
<div class="col-md-4"><br />
<div class="panel panel-primary-light-border"> <br />
<div class="panel-heading"> <br />
<h3 class="panel-title"><i class="fa fa-cubes pull-left"></i> Zimbra Product Releases</h3> <br />
</div><br />
<div class="panel-body"><br />
<p>Go to our '''[[Zimbra_Releases|Zimbra Product Releases]]''' page for details about each release, including: <br />
<ul><br />
<li>Release Notes</li><br />
<li>Patch Information</li><br />
<li>Documents in PDF format</li><br />
<li>Documents in ePub format</li><br />
<li>Complete Bugzilla reports</li><br />
</ul> <br />
</p><br />
</div><br />
</div><br />
</div><br />
<br />
{{FH}}</div>