CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Klug
Ambassador
Posts: 2741
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

msquadrat
Advanced member
Posts: 183
Joined: Mon Oct 14, 2013 10:09 am

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by msquadrat »

Hi Jorge,
jorgedlcruz wrote: Zimbra is going to release a Patch 9 for ZCS 8.6 by latest February 9th. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.
thanks for the info, I was just about to open a support ticket on this issue :-)
jorgedlcruz wrote: As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.
Will this really be an 8.7.11.1 or rather an 8.7.12? I hope the latter, so we don't get into that weird state with monkey-patched ZCS installations again.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Hello,
As far as I understood, it would be a patch instead of a full release, so you can patch your systems quickly with no, or the least possible, downtime.

Let me confirm that; as I've said, it will take us a bit longer than Patch 9 for ZCS 8.6.

Thank you!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Hi guys,
As we said, we have the Patch 9 for ZCS 8.6 already on the website - https://blog.zimbra.com/2018/02/zimbra- ... 2017-8802/

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Klug
Ambassador
Posts: 2741
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

Merci.

Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Klug wrote: Merci.

Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
Hello,
I'm talking with Product right now, let me see what happened.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

Fixed the blog to match the Security Advisories page.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by jorgedlcruz »

There are other vulnerabilities in 8.6, and we're working on addressing all. We'll be forthcoming with further patches.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Klug
Ambassador
Posts: 2741
Joined: Mon Dec 16, 2013 11:35 am
Location: France - Drôme
ZCS/ZD Version: All of them

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by Klug »

Which ones?
We still don't know which vulnerabilities are related to 8.6.

Why can't you provide a single patch (especially for several months old vulnerabilities)?

When will the patches be available?
In the next couple of days, or will we have to wait two weeks between each patch?

What about ClamAV?
David Bingham
Posts: 4
Joined: Sat Feb 10, 2018 2:04 am
Location: Ottawa, Ontario, Canada

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Post by David Bingham »

Klug wrote: Merci.

Does it mean 8.6 is not vulnerable to all the other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bugs are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.
Brief intro: My name is David Bingham, and I've recently joined the Zimbra org as a Technical Product Manager. At Synacor I was previously TPM for Video-on-Demand, after leading the engineering team there for some time.

Gaffes with the release notes for 8.8.6 and 8.6 Patch 9 were mine - I'm learning on the job, and have made a few mistakes. (I prefer to think of them as learning opportunities!)

CVE-2017-17703 was, in fact, part of 8.6 Patch 9 - the security pages and release notes have been updated accordingly. Since the support for 8.6 was extended beyond the original EOL of September 2017, we are preparing to deliver additional patches, which will include back-ports of fixes. In some cases, work-arounds are provided in the bug notes, as per the Security Response Policy.

I like the idea of being more specific about affected versions; typically it's assumed that all-previous-versions are impacted, but that's not always the case. I'll see what we can do to clarify that.

The "minor" / "medium" confusion was because I copied the CVSS v3 value instead of v2. Apologies for that, thanks for catching it!

None of the security bugs should be private, for people who have created bugzilla accounts. If that's not the case, please do let us know.