CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
- Klug
- Ambassador
- Posts: 2758
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Don't forget this one: https://bugzilla.zimbra.com/show_bug.cgi?id=108824
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hi Jorge,
thanks for the info, I was just about to open a support ticket on this issue :-)
jorgedlcruz wrote: Zimbra is going to release a Patch 9 for ZCS 8.6 by latest February 9th. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.
Will this really be an 8.7.11.1 or rather an 8.7.12? I hope the latter, so we don't get into that weird state with monkey-patched ZCS installations again.
jorgedlcruz wrote: As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hello,
As far as I understood, it would be a patch instead of a full release, so you can patch your systems quickly with no, or as little as possible, downtime.
Let me confirm on that; as I've said, it will take us a bit longer than Patch 9 for ZCS 8.6.
Thank you!
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hi guys,
As we said, we have the Patch 9 for ZCS 8.6 already on the website - https://blog.zimbra.com/2018/02/zimbra- ... 2017-8802/
Best regards
- Klug
- Ambassador
- Posts: 2758
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Merci.
Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).
CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Hello,
Klug wrote: Merci.
Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).
CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
I'm talking with Product right now, let me see what happened.
Best regards
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Fixed the blog to match the Security Advisories page
Best regards
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
There are other vulnerabilities in 8.6, and we're working on addressing all. We'll be forthcoming with further patches.
- Klug
- Ambassador
- Posts: 2758
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Which ones?
We still don't know which vulnerabilities are related to 8.6.
Why can't you provide a single patch (especially for several months old vulnerabilities)?
When will the patches be available?
In the next couple of days, or will we have to wait two weeks between each patch?
What about ClamAV?
- David Bingham
- Posts: 4
- Joined: Sat Feb 10, 2018 2:04 am
- Location: Ottawa, Ontario, Canada
Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Brief Intro: My name is David Bingham, and I've recently joined the Zimbra org as a Technical Product Manager. In Synacor I was previously TPM for Video-on-demand, after leading the engineering team there for some time.
Klug wrote: Merci.
Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).
CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
The gaffes with the release notes for 8.8.6 and 8.6 Patch 9 were mine - I'm learning on the job, and have made a few mistakes. (I prefer to think of them as learning opportunities!)
CVE-2017-17703 was, in fact, part of 8.6 Patch 9 - the security pages and release notes have been updated accordingly. Since the support for 8.6 was extended beyond the original EOL of September 2017, we are preparing to deliver additional patches, which will include back-ports of fixes. In some cases, work-arounds are provided in the bug notes, as per the Security Response Policy.
I like the idea of being more specific about affected versions; typically it's assumed that all-previous-versions are impacted, but that's not always the case. I'll see what we can do to clarify that.
The "minor" / "medium" confusion was because I copied the CVSS v3 value instead of v2. Apologies for that, thanks for catching it!
None of the security bugs should be private, for people who have created bugzilla accounts. If that's not the case, please do let us know.