Hello all.
Another one...
It's from last January; it went to the bugtraq mailing list today.
About the issue (quoting the author):
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.
About the fix:
Patch in 8.8.7
Patch in 8.7.11 Patch 1
No information about 8.6
About Zimbra's security advisory wiki page:
The vulnerability is known, but the page is not up to date (no date, nothing about 8.6).
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
How long will it take this time to have some information (thinking of this one: viewtopic.php?f=13&t=63390)?
And, while we're at it, what about news about the ClamAV issue?
CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
- Ambassador
- Posts: 2767
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
The fix is part of 8.8.7 and 8.7.11-P1.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P1
What about 8.6-P9, not vulnerable or not fixed?
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.6.0/P9
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
FWIW, I've found that the Release Notes for an upcoming version are posted as a work in process at least a few days before the next version is actually released.
So at this writing, 8.8.7 is the current Stable GA release, but the Release Notes (incomplete at the moment) for 8.8.8 are available:
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8
My experience has been that, much like pm.zimbra.com used to work, bugs, once fixed and verified, are added to the Release Notes. Same for Security Fixes.
So we get at least some visibility into what's coming up in the next few days/weeks, and can plan for upgrades and advise our customers accordingly.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- Ambassador
- Posts: 2767
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
As the bug is (once again) private (even when logged in bugzilla), I created a support case.
- Ambassador
- Posts: 2767
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Vulnerability has been confirmed by support.
Initial answer: "This vulnerability is fixed in ZCS 8.7.11 patch 1, 8.8.7 and 8.8.8 versions. ZCS 8.6.x is reaching end of support (...). Hence, we recommend you to upgrade the server as early as possible to a later release where the vulnerability has been addressed."
Second answer: "all supported versions before 8.8.7 are vulnerable".
A couple of additional pieces of info from me:
"reaching end of support" actually means in 5 months (September).
8.7.11-P1, while patched against this vulnerability, is not usable in a country with accented characters (see https://bugzilla.zimbra.com/show_bug.cgi?id=107700) and is not patched against new vulnerabilities already known (see 8.8.8).
8.8.7, while patched against this vulnerability, is not against new ones (see 8.8.8).
Which ZCS version are we supposed to use?
- Ambassador
- Posts: 2767
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Last news from support: "It is unlikely that the vulnerability will be fixed in ZCS 8.6 given the version is reaching end of support soon" and "We are going to report this request to our development team. We will let you know about the status as we hear from the development team."
Where is the commitment we were told about last week in Paris?
At least we know now that "soon" means "in five months".
- Ambassador
- Posts: 2767
- Joined: Mon Dec 16, 2013 11:35 am
- Location: France - Drôme
- ZCS/ZD Version: All of them
Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting
Patch will be delivered (with a few backported bugs).
No ETA yet.