Article

Advisory: Zimbra CVE

Zimbra has released security updates to address vulnerabilities affecting Ubuntu and Redhat installation versions.

Affected systems

Affected systems include Zimbra 9.0.0 Patch-27 and Zimbra 8.8.8.15 Patch-34

Security Risks

An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio.
Zimbra's sudo configuration permits the Zimbra user to execute the zmslapd binary as root with arbitrary parameters.
XSS can occur via one of the attributes of an IMG element, leading to information disclosure.
XSS can occur via one attribute in the search component of webmail, leading to information disclosure.
XSS can occur via one of the attributes in composing a component of webmail, leading to information disclosure.
XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure.

Recommended Actions

The National Cyber Security Authority (NCSA) strongly recommends to system administrators:

a. Follow the advisory shared by Zimbra and apply suggested mitigations to lower the risk of vulnerability exploitation.

c. Before any update task, please ensure you have a recent backup that can easily be restored.

For further information and support, please contact NCSA by email at rwcsirt@ncsa.gov.rw or call us on 9009

References

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P34#Security_Fixes

https://thehackernews.com/2022/10/zimbra-releases-patch-for-actively.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-228a

19 October 2022

More updates

20 December 2022

Advisory: VMware Security Advisory

VMware released security updates for its products to address the heap out-of-bounds write vulnerability in the USB 2.0 controller (EHCI).

30 October 2022

Advisory: Apple iOS and macOS Flaw’s security advisory

Apple has released security updates to address vulnerabilities in iOS and macOS, including a new zero-day flaw that is being actively exploited by…

30 October 2022

Advisory: Google Zero-day vulnerability Patch Advisory

Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in…

19 October 2022

Advisory: Apache CVE

Apache has released a security update to address a vulnerability affecting different versions of their software.

	info@ncsa.gov.rw
	9009 / 0781813310
	‎+250 791 445 224

Zimbra has released security updates to address vulnerabilities affecting Ubuntu and Redhat installation versions.

Affected systems

Affected systems include Zimbra 9.0.0 Patch-27 and Zimbra 8.8.8.15 Patch-34

Security Risks

An attacker can use the cpio package to gain incorrect access to any other user accounts. Zimbra recommends pax over cpio.

Zimbra's sudo configuration permits the Zimbra user to execute the zmslapd binary as root with arbitrary parameters.

XSS can occur via one of the attributes of an IMG element, leading to information disclosure.

XSS can occur via one attribute in the search component of webmail, leading to information disclosure.

XSS can occur via one of the attributes in composing a component of webmail, leading to information disclosure.

XSS can occur via one of the attributes in the calendar component of webmail, leading to information disclosure.