CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

msquadrat
Advanced member
Posts: 157
Joined: Mon Oct 14, 2013 10:09 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby msquadrat » Tue Jan 30, 2018 4:16 pm

Hi Jorge,

jorgedlcruz wrote: Zimbra is going to release a Patch 9 for ZCS 8.6 by latest February 9th. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.


Thanks for the info, I was just about to open a support ticket on this issue :-)

jorgedlcruz wrote: As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.


Will this really be an 8.7.11.1 or rather an 8.7.12? I hope the latter, so we don't get into that weird state with monkey-patched ZCS installations again.
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Tue Jan 30, 2018 5:59 pm

Hello,
As far as I understood, it would be a patch instead of a full release, so you can patch your systems quickly with no downtime, or with as little as possible.

Let me confirm on that; as I've said, it will take us a bit longer than Patch 9 for ZCS 8.6.

Thank you!
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Fri Feb 09, 2018 5:24 pm

Hi guys,
As we said, we have the Patch 9 for ZCS 8.6 already on the website - https://blog.zimbra.com/2018/02/zimbra-collaboration-8-6-patch-9-now-available-includes-fix-cve-2017-8802/

Best regards
Klug
Elite member
Posts: 2270
Joined: Mon Dec 16, 2013 11:35 am

Postby Klug » Fri Feb 09, 2018 5:32 pm

Merci.

Does it mean 8.6 is not vulnerable to all the other XSS issues discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug by bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Fri Feb 09, 2018 6:35 pm

Klug wrote: Merci.

Does it mean 8.6 is not vulnerable to all the other XSS issues discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug by bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.

Hello,
I'm talking with Product right now, let me see what happened.

Best regards
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Fri Feb 09, 2018 7:01 pm

Fixed the blog to match the Security Advisories page.

Best regards
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Fri Feb 09, 2018 7:10 pm

There are other vulnerabilities in 8.6, and we're working on addressing all. We'll be forthcoming with further patches.
Klug
Elite member
Posts: 2270
Joined: Mon Dec 16, 2013 11:35 am

Postby Klug » Fri Feb 09, 2018 11:27 pm

Which ones?
We still don't know which vulnerabilities are related to 8.6.

Why can't you provide a single patch (especially for several months old vulnerabilities)?

When will the patches be available?
In the next couple of days, or will we have to wait two weeks between each patch?

What about ClamAV?
David Bingham
Zimbra Employee
Posts: 4
Joined: Sat Feb 10, 2018 2:04 am
Location: Ottawa, Ontario, Canada

Postby David Bingham » Sat Feb 10, 2018 2:42 am

Klug wrote: Merci.

Does it mean 8.6 is not vulnerable to all the other XSS issues discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug by bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.


Brief Intro: My name is David Bingham, and I've recently joined the Zimbra org as a Technical Product Manager. In Synacor I was previously TPM for Video-on-demand, after leading the engineering team there for some time.

Gaffes with the release notes for 8.8.6 and 8.6 Patch 9 were mine. I'm learning on the job, and have made a few mistakes. (I prefer to think of them as learning opportunities!)

CVE-2017-17703 was, in fact, part of 8.6 Patch 9; the security pages and release notes have been updated accordingly. Since the support for 8.6 was extended beyond the original EOL of September 2017, we are preparing to deliver additional patches, which will include back-ports of fixes. In some cases, work-arounds are provided in the bug notes, as per the Security Response Policy.

I like the idea of being more specific about affected versions; typically it's assumed that all-previous-versions are impacted, but that's not always the case. I'll see what we can do to clarify that.

The "minor" / "medium" confusion was because I copied the CVSS v3 value instead of v2. Apologies for that, thanks for catching it!

None of the security bugs should be private, for people who have created bugzilla accounts. If that's not the case, please do let us know.
