Page 1 of 1
CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Mon Mar 26, 2018 1:33 pm
by Klug
Hello all.
Another one...
It's from last january, went in the bugtraq mailing-list today.
About the issue (quoting the author):
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.
About the fix:
Patch in 8.8.7
Patch in 8.7.11 Patch 1
No information about 8.6
About Zimbra's security advisory wiki page:
The vulnerablity is known, the page is not up to date (no date, nothing about 8.6).
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
How long will it take this time to have some informations (thinking of this one:
viewtopic.php?f=13&t=63390)
And, while we're at it, what about news about the ClamAV issue?
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Mon Mar 26, 2018 1:54 pm
by Klug
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Mon Mar 26, 2018 2:16 pm
by L. Mark Stone
FWIW, I've found that the Release Notes for an upcoming version are posted as a work in process at least a few days before the next version is actually released.
So at this writing, 8.8.7 is the current Stable GA release, but the Release Notes (incomplete at the moment) for 8.8.8 are available:
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8
My experience has been that, much like pm.zimbra.com used to work, bugs when fixed and verified are added to the Release Notes. Same for Security Fixes.
So we get at least some visibility into what's coming up in the next few days/weeks, and can plan for upgrades and advise our customers accordingly.
Hope that helps,
Mark
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Wed Mar 28, 2018 8:12 am
by Klug
As the bug is (once again) private (even when logged in bugzilla), I created a support case.
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Wed Mar 28, 2018 11:04 am
by Klug
Vulnerability has been confirmed by support.
Initial answer: "This vulnerability is fixed in ZCS 8.7.11 patch 1, 8.8.7 and 8.8.8 versions. ZCS 8.6.x is reaching end of support (...). Hence, we recommend you to upgrade the server as early as possible to a later release where the vulnerability has been addressed."
Second answer: "all supported versions before 8.8.7 are vulnerable".
A couple additional info by me:
"reaching end or support" actually means in 5 months (September)
8.7.11-P1, while patched against this vulnerability is not usable in a country with accented characters (see
https://bugzilla.zimbra.com/show_bug.cgi?id=107700) and is not patched not new vulnerabilities already known (see 8.8.8).
8.8.7, while patched against this vulnerability, is not against new ones (see 8.8.8).
Which ZCS version are we supposed to use?
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Fri Mar 30, 2018 5:19 am
by Klug
Last news from support: "It is unlikely that the vulnerability will be fixed in ZCS 8.6 given the version is reaching end of support soon" and "We are going to report this request to our development team. We will let you know about the status as we hear from the development team. "
Where is the commitment we were talked about last week in Paris?
At least we know now that "soon" means "in five months".
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Tue Apr 03, 2018 11:26 am
by Klug
Patch will be delivered (with a few backported bugs).
No ETA yet.
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Sun May 06, 2018 1:57 pm
by Klug
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Posted: Mon May 14, 2018 8:24 am
by Klug