Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
jeastman
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by jeastman »

Hello Zimbra Friends,

A new security patch has been released to further address CVE-2022-27924. This issue has been ranked as High by the Zimbra Team and we recommend that you use the most recent release available to avoid any issues.

Security patches have been released for both 8.8.15 (Patch 31.1 release notes) and 9.0.0 (Patch 24.1 release notes).

We will continue to provide additional information if any becomes available on the Zimbra Blog and the Zimbra Security Center.

Thanks.
John Eastman
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by ghen »

Hi

This patch involves both nginx and mailboxd, and changes the format of keys stored in memcache.
In which order should we upgrade a multi-server installation in this case, nginx first or mailboxd first?
And are rolling upgrades supported, or do we need to upgrade all instances of nginx and/or mailboxd (or both) at the same time, for memcache key compatibility?
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by ghen »

Actually I don't see mailboxd talking to memcached at all, only nginx. So not sure what the mailboxd changes are for.

For rolling upgrade, I assume that for the time we have a mix of nginx versions (pre/post patch), this will only cause some route cache misses (as they use a different key format) but no functional issues?
bulletxt
Advanced member
Posts: 81
Joined: Sat Sep 13, 2014 1:08 am

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by bulletxt »

Hi, I updated to this patch on 8.8.15.

Everything seems to be working fine for the moment.
jeastman
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by jeastman »

Hi ghen,
ghen wrote: In which order should we upgrade a multi-server installation in this case, nginx first or mailboxd first?
And are rolling upgrades supported, or do we need to upgrade all instances of nginx and/or mailboxd (or both) at the same time, for memcache key compatibility?
ghen wrote: Actually I don't see mailboxd talking to memcached at all, only nginx. So not sure what the mailboxd changes are for.

For rolling upgrade, I assume that for the time we have a mix of nginx versions (pre/post patch), this will only cause some route cache misses (as they use a different key format) but no functional issues?
I do not have an answer for this but am pursuing one. I cannot guarantee my turnaround time for an answer. I will add a response to this topic with what I find.

If you (or anyone) feels they need immediate assistance on this topic, please file a support ticket and you will at least have something tracked. I'll make sure the support team is aware of the question as well.
John Eastman
helper003
Posts: 23
Joined: Fri Feb 12, 2021 3:59 pm

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by helper003 »

Hi,

The release notes have the package version to compare and install.

As far as the concern of order, you can start from any server, either proxy or mailbox.

When you run yum update or apt update you can also list what packages are upgradable.

You also need to apply the patch on the mailbox server, because the patch version is only shown on the mailbox server, not on any other servers.

https://wiki.zimbra.com/wiki/Zimbra_Rel ... .0.0/P24.1

I hope it is clear now.

Thanks
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by ghen »

Looks like the memcache-client code in mailboxd is used by maintenance tools like zmproxypurge - relevant when migrating mailboxes etc, but not an issue during a rolling upgrade in this context.
jeastman
Zimbra Employee
Posts: 82
Joined: Tue Mar 29, 2016 1:36 pm

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by jeastman »

In general, any patches or updates should be applied to the proxy (Nginx) first, followed by mailboxd. This holds true for this security patch as well and I can confirm this is the recommendation.

Beyond confirmation from our internal teams with respect to this patch, I can also confirm a number of our partners who have applied the update in this fashion without issue.

Hope this helps.
John Eastman
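The two practical points made above, that you compare each server's installed package versions against the ones listed in the release notes (and that the patch package is only visible on mailbox servers, while proxy servers carry the nginx package), and that the proxy tier should be patched before the mailbox tier, can be turned into a small pre-upgrade check. The script below is an added example, not Zimbra's own tooling and not from any post in this thread. The inventory lines and the expected versions are constructed placeholders; in a real run, fill the inventory from each host with `dpkg-query -W -f '${Package} ${Version}\n' 'zimbra-*'` (Ubuntu) or `rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' 'zimbra-*'` (RHEL/CentOS), and take the expected versions from the patch release notes.

```shell
#!/bin/sh
# Added example: report which Zimbra hosts are behind the expected patch level
# and emit them in proxy-first, mailbox-second order (the order recommended
# in the thread). Package names are real Zimbra package names; every version
# string below is a constructed placeholder, not a value from the release notes.

# Expected versions, one "package version" pair per line (placeholders).
EXPECTED='zimbra-nginx 8.8.15.31.1
zimbra-patch 8.8.15.31.1'

# Constructed inventory: "host role package installed_version", gathered
# on each host with dpkg-query / rpm -qa as described in the lead-in.
INVENTORY='proxy1 proxy zimbra-nginx 8.8.15.30.0
proxy2 proxy zimbra-nginx 8.8.15.31.1
mbox1 mailbox zimbra-patch 8.8.15.30.0
mbox2 mailbox zimbra-patch 8.8.15.31.1
ldap1 ldap zimbra-ldap 8.8.15.30.0'

# vercmp A B: prints -1, 0 or 1. Versions are split on any non-digit run and
# compared field by field numerically, so 8.8.15.30.0 < 8.8.15.31.1 and a
# missing trailing field counts as 0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# expected_version PACKAGE: the version we want for PACKAGE, empty if the
# package is not in the expected list (such hosts are skipped, not flagged).
expected_version() {
  printf '%s\n' "$EXPECTED" | awk -v p="$1" '$1 == p { print $2 }'
}

# outdated_hosts INVENTORY: prints "host role package installed expected"
# for every host whose installed version is older than the expected one.
outdated_hosts() {
  printf '%s\n' "$1" | while read -r host role pkg ver; do
    [ -n "$host" ] || continue
    want=$(expected_version "$pkg")
    [ -n "$want" ] || continue
    if [ "$(vercmp "$ver" "$want")" -lt 0 ]; then
      printf '%s %s %s %s %s\n' "$host" "$role" "$pkg" "$ver" "$want"
    fi
  done
}

# upgrade_order INVENTORY: the outdated hosts, proxies first, then mailbox
# servers, then any other role. Within a tier the inventory order is kept.
upgrade_order() {
  out=$(outdated_hosts "$1")
  for role in proxy mailbox; do
    printf '%s\n' "$out" | awk -v r="$role" '$2 == r'
  done
  printf '%s\n' "$out" | awk 'NF && $2 != "proxy" && $2 != "mailbox"'
}

# Stand-alone run: print the upgrade worklist for the constructed inventory.
upgrade_order "$INVENTORY"
```

Hosts whose package has no entry in the expected list (the `ldap1` line) are deliberately skipped rather than reported, so a mixed-role inventory does not produce noise for packages the patch does not touch; add a line to `EXPECTED` for any package you do want enforced.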
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by ghen »

Thanks. We upgraded nginx (with the seamless method documented on https://nginx.org/en/docs/control.html#upgrade), and will upgrade mailboxd later (as this implies downtime).
The existing non-hashed memcached entries turn over quickly enough.
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1

Post by ghen »

FYI, details about this exploit are now public: Stealing Clear-Text Credentials via Memcache injection.