CVE-2019-9670 being actively exploited (Hacked Server)

zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: CVE-2019-9670 being actively exploited

Post by zim_mike »

So much reading that I'm not sure at this point, so best to simply ask. Please don't flame me by saying I didn't read, because I have, but I'm not 100% clear.

I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?
apiening
Posts: 30
Joined: Tue Aug 30, 2016 9:57 pm

Re: CVE-2019-9670 being actively exploited

Post by apiening »

zim_mike wrote: I'm running 8.8.11 GA 3799 FOSS, do I need to patch, update, do anything? Is this version secure now?
You can see which vulnerability is fixed or patched in which version on this overview page: https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
I would suggest updating to the latest version in case you're unsure. Keeping the installation updated is generally a good thing in terms of security.
zim_mike
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: CVE-2019-9670 being actively exploited

Post by zim_mike »

Thanks for the lead, I'll take a look. It took a while to get back to this because I didn't get an email about the post :).
Doesn't the server or the client let you know when there are updates?
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: CVE-2019-9670 being actively exploited

Post by halfgaar »

zim_mike wrote: Doesn't the server or the client let you know when there are updates?
It doesn't seem to, to my dismay :(
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: CVE-2019-9670 being actively exploited

Post by L. Mark Stone »

The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
fatemi
Posts: 2
Joined: Sat Feb 15, 2020 9:09 am

Re: CVE-2019-9670 being actively exploited

Post by fatemi »

Hi
I have a problem installing the patch for this bug. When I use the CLI to show my Zimbra version it displays Release 8.5.0_GA_3042.RHEL6_64_20140828192005 RHEL6_64 FOSS edition, Patch 8.5.0_P2. But when I use the GUI (About) it displays: 8.6.0_GA_1153.FOSS.
Please guide me on how I can solve it, and which of them is correct?
Thank you so much.
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: CVE-2019-9670 being actively exploited

Post by halfgaar »

The first thing I'd try is to just upgrade to the latest version (8.8.15 Patch-7). You can download it at zimbra.org (although I don't know why they offer that, as opposed to zimbra.com, where you have to fill out a form for the open source edition).

There are some difficulties upgrading from 8.6 to 8.7, see here. Always make an easy-to-restore backup before upgrading.
fatemi
Posts: 2
Joined: Sat Feb 15, 2020 9:09 am

Re: CVE-2019-9670 being actively exploited

Post by fatemi »

L. Mark Stone wrote: The version check script checks for new versions, so if Synacor released an 8.8.16 version of Zimbra, the version check script would notify you.

Patches are as you know repo-based, and Zimbra has committed to releasing Patches on a monthly schedule.

So apt-get update && apt list --upgradable will let you know if there are any Zimbra and/or operating system updates available.

Plus, 8.8.15 is the only supported version of Zimbra available at the moment.

Hope that helps,
Mark

Thank you so much, Mark.
I use "zmcontrol -v" and it displays Zimbra 8.5.0.
But when I use the GUI ("About" section from the top menu) it displays 8.6.0.
Why are the two different and which is correct?

Best regards
fatemi
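
The update check discussed in the posts above, written out as an added example (it is not part of any post in this thread and is not Zimbra's own tooling): it reduces a `zmcontrol -v` or GUI version string to a release number, compares it with the 8.8.15 baseline named in the thread, and filters `apt list --upgradable` output for Zimbra packages. The function names, the dotted 8.8.x string form, the `zimbra-patch` sample package and the sample apt lines are assumptions or constructed values.

```shell
#!/bin/sh
# Baseline from the thread: 8.8.15 is named as the only supported release.
SUPPORTED="8.8.15"

# Pull "8.5.0" out of a CLI line ("Release 8.5.0_GA_...") or a GUI string
# ("8.6.0_GA_1153.FOSS"). Dotted form ("8.8.15.GA...") is an assumption.
zimbra_release_of() {
    printf '%s\n' "$1" | sed -n \
        's/^\(Release \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[._].*/\2/p'
}

# Return 0 when dotted version $1 is older than $2 (numeric, field by field).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# One-line verdict for a version string.
verdict() {
    v=$(zimbra_release_of "$1")
    [ -n "$v" ] || { echo "UNKNOWN"; return 0; }
    if version_lt "$v" "$SUPPORTED"; then echo "OUTDATED $v"; else echo "OK $v"; fi
}

# Filter `apt list --upgradable` output (stdin) down to Zimbra package names.
zimbra_upgradable() { awk -F/ '$1 ~ /^zimbra/ { print $1 }'; }

if [ "${1:-}" = "--live" ]; then
    # Assumption: run as root on a Debian/Ubuntu host with a "zimbra" account.
    verdict "$(su - zimbra -c 'zmcontrol -v')"
    apt-get update -qq && apt list --upgradable 2>/dev/null | zimbra_upgradable
else
    # Version strings as quoted in the thread; the apt lines are constructed.
    verdict "Release 8.5.0_GA_3042.RHEL6_64_20140828192005 RHEL6_64 FOSS edition, Patch 8.5.0_P2."
    verdict "8.6.0_GA_1153.FOSS"
    printf '%s\n' "Listing..." \
        "zimbra-patch/unknown 0.0.0-constructed amd64 [upgradable from: 0.0.0]" \
        "openssl/unknown 0.0.0-constructed amd64 [upgradable from: 0.0.0]" |
        zimbra_upgradable
fi
```

Run without arguments it only processes the embedded samples; with `--live` it queries the host, which suits a daily cron job that mails its output to the administrator.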
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

Whichever version of ZCS it is, you should not be using it; I'd suggest you get onto the most recent 8.8.15 ASAP.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra