Mitigate CVE-2022-27925 on Nginx

KB 24469, last updated on 2022-08-23


ZCS versions before 8.8.15 Patch 31 and 9.0.0 Patch 24 are vulnerable to "CVE-2022-27925".

Accessing the following URL returns a "500 Server Error" page, but on un-patched systems the request still succeeds.

    <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
    <title>Error 500 Server Error</title>
    <body><h2>HTTP ERROR 500</h2>
    <p>Problem accessing /service/extension/backup/mboximport. Reason:
    <pre>Server Error</pre></p>


To mitigate this, the Nginx templates on the proxy servers have to be modified.

1) Take a backup of current templates directory "/opt/zimbra/conf/nginx/templates".

    sudo cp -pvr /opt/zimbra/conf/nginx/templates /opt/zimbra/conf/nginx/templates.`date +%Y%m%d%H%M%S`.bak

2) Modify the admin templates by adding the following location block just before the end of the server block.

Admin template files:

    location ^~ /service/extension/backup/mboximport {
        return 404;
    }

The following screenshots show the entries before and after modification.

Default entry before modification: [screenshot CVE-2022-27925 image1.PNG]

After modification: [screenshot CVE-2022-27925 image2.PNG]

3) Now modify the HTTP and HTTPS templates and add the same new location block at the end before the last "include" line.

HTTP and HTTPS template files:


Default entry before modification: [screenshot CVE-2022-27925 image3.PNG]

After modification: [screenshot CVE-2022-27925 image4.PNG]

4) Restart Proxy and Memcache services.

    su - zimbra
    zmproxyctl restart
    zmmemcachedctl restart

5) After applying these changes, requests for mboximport return a 404 error.

    <head> <title>404 Not Found</title> </head>
    <center><h1>404 Not Found</h1></center>
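The five steps above are applied by hand to several template files, so it is easy to miss one. The script below is an added example, not part of the Zimbra KB: it audits a template directory for the mitigation block from step 2 and, separately, queries the proxy for the 404 expected in step 5. It assumes the KB's template path, that template files end in ".template", that the block is written on consecutive lines as shown above, and it uses a placeholder hostname (ZIMBRA_PROXY.example); the two templates it creates for its demonstration are constructed, not copies of Zimbra's files.

```shell
#!/bin/sh
# Added example (not from the Zimbra KB): audit nginx proxy templates for the
# CVE-2022-27925 mitigation block and check the live endpoint's status code.
# Assumptions: templates end in ".template" (not stated on the page), the block
# is written on consecutive lines as in the KB, and the hostname is a placeholder.

TEMPLATE_DIR="${TEMPLATE_DIR:-/opt/zimbra/conf/nginx/templates}"   # path from the KB
MBOX_PATH='/service/extension/backup/mboximport'

# Prints the location block exactly as the KB asks for it, braces included.
mitigation_block() {
    printf '    location ^~ %s {\n        return 404;\n    }\n' "$MBOX_PATH"
}

# Returns 0 when the template has a "location ^~ <path>" line followed within
# three lines by "return 404", 1 otherwise.
has_mitigation() {
    f="$1"
    pat="location[[:space:]]+\\^~[[:space:]]+${MBOX_PATH}"
    grep -Eq "$pat" "$f" || return 1
    grep -A3 -E "$pat" "$f" | grep -Eq 'return[[:space:]]+404' || return 1
}

# Prints OK/MISSING for every *.template under $1; returns 1 if any lacks the block.
audit_templates() {
    dir="$1"; missing=0
    for f in "$dir"/*.template; do
        [ -e "$f" ] || continue            # no templates at all: nothing to report
        if has_mitigation "$f"; then
            echo "OK:      $f"
        else
            echo "MISSING: $f"; missing=1
        fi
    done
    return "$missing"
}

# Queries the proxy and prints only the HTTP status code; 404 means the block is
# live (step 5 of the KB). ZIMBRA_PROXY.example is a placeholder hostname.
check_endpoint() {
    host="${1:-ZIMBRA_PROXY.example}"
    curl -sk -o /dev/null -w '%{http_code}' "https://$host$MBOX_PATH"
}

# Offline demonstration with two constructed templates: one patched, one not.
demo() {
    d=$(mktemp -d)
    { printf 'server {\n    listen 7071 ssl;\n'; mitigation_block; printf '}\n'; } \
        > "$d/admin.constructed.template"
    printf 'server {\n    listen 443 ssl;\n    # proxy_pass and include lines elided (constructed sample)\n}\n' \
        > "$d/https.constructed.template"
    audit_templates "$d" || echo "at least one template still lacks the block"
    rm -rf "$d"
}

demo
```

To audit the real proxy, run `audit_templates "$TEMPLATE_DIR"` as the zimbra user after step 3 and before restarting in step 4; a MISSING line means that template still needs the block. `check_endpoint your-proxy-host` after step 4 should print 404; a 500 indicates the template that serves that virtual host was not updated or the proxy was not restarted.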

Submitted by: Heera Singh Koranga
Date Modified: 2022-08-23
