CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Klug
Ambassador
Posts: 2746
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them
Post by Klug »

Hello all.

Another one...
It's from last January, and went out on the Bugtraq mailing list today.

About the issue (quoting the author):
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.

About the fix:
Patch in 8.8.7
Patch in 8.7.11 Patch 1
No information about 8.6

About Zimbra's security advisory wiki page:
The vulnerability is known, but the page is not up to date (no date, nothing about 8.6).
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

How long will it take this time to get some information (thinking of this one: viewtopic.php?f=13&t=63390)?

And, while we're at it, what about news about the ClamAV issue?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition
Post by L. Mark Stone »

FWIW, I've found that the Release Notes for an upcoming version are posted as a work in process at least a few days before the next version is actually released.

So at this writing, 8.8.7 is the current Stable GA release, but the Release Notes (incomplete at the moment) for 8.8.8 are available:
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8

My experience has been that, much like pm.zimbra.com used to work, bugs when fixed and verified are added to the Release Notes. Same for Security Fixes.

So we get at least some visibility into what's coming up in the next few days/weeks, and can plan for upgrades and advise our customers accordingly.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Post by Klug »

As the bug is (once again) private (even when logged in bugzilla), I created a support case.
Post by Klug »

Vulnerability has been confirmed by support.

Initial answer: "This vulnerability is fixed in ZCS 8.7.11 patch 1, 8.8.7 and 8.8.8 versions. ZCS 8.6.x is reaching end of support (...). Hence, we recommend you to upgrade the server as early as possible to a later release where the vulnerability has been addressed."
Second answer: "all supported versions before 8.8.7 are vulnerable".

A couple of additional notes from me:
"reaching end of support" actually means in 5 months (September).
8.7.11-P1, while patched against this vulnerability, is not usable in a country with accented characters (see https://bugzilla.zimbra.com/show_bug.cgi?id=107700) and is not patched against new vulnerabilities already known (see 8.8.8).
8.8.7, while patched against this vulnerability, is not patched against new ones (see 8.8.8).

Which ZCS version are we supposed to use?
Post by Klug »

Last news from support: "It is unlikely that the vulnerability will be fixed in ZCS 8.6 given the version is reaching end of support soon" and "We are going to report this request to our development team. We will let you know about the status as we hear from the development team."

Where is the commitment we were told about last week in Paris?

At least we know now that "soon" means "in five months".
Post by Klug »

Patch will be delivered (with a few backported bugs).
No ETA yet.
Post by Klug »

Still no news.

Last rants here: viewtopic.php?f=15&t=64023&p=283459#p283459
Post by Klug »

Patch was released: viewtopic.php?f=8&t=64177