Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Hello Zimbra Friends,
A new security patch has been released to further address CVE-2022-27924. This issue has been ranked as High by the Zimbra Team and we recommend that you use the most recent release available to avoid any issues.
Security patches have been released for both 8.8.15 (Patch 31.1 release notes) and 9.0.0 (Patch 24.1 release notes).
We will continue to provide additional information if any becomes available on the Zimbra Blog and the Zimbra Security Center.
Thanks.
John Eastman
- Outstanding Member
- Posts: 258
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Hi
This patch involves both nginx and mailboxd, and changes the format of keys stored in memcache.
In which order should we upgrade a multi-server installation in this case, nginx first or mailboxd first?
And are rolling upgrades supported, or do we need to upgrade all instances of nginx and/or mailboxd (or both) at the same time, for memcache key compatibility?
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Actually I don't see mailboxd talking to memcached at all, only nginx. So not sure what the mailboxd changes are for.
For rolling upgrade, I assume that for the time we have a mix of nginx versions (pre/post patch), this will only cause some route cache misses -as they use a different key format- but no functional issues?
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Hi, I updated to this patch on 8.8.15.
Everything seems to be working fine for the moment
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Hi ghen,
ghen wrote: In which order should we upgrade a multi-server installation in this case, nginx first or mailboxd first?
And are rolling upgrades supported, or do we need to upgrade all instances of nginx and/or mailboxd (or both) at the same time, for memcache key compatibility?
I do not have an answer for this but am pursuing one. I cannot guarantee my turn-around time for an answer. I will add a response to this topic with what I find.
ghen wrote: Actually I don't see mailboxd talking to memcached at all, only nginx. So not sure what the mailboxd changes are for.
For rolling upgrade, I assume that for the time we have a mix of nginx versions (pre/post patch), this will only cause some route cache misses -as they use a different key format- but no functional issues?
If you (or anyone) feels they need immediate assistance on this topic, please file a support ticket and you will at least have something tracked. I'll make sure the support team is aware of the question as well.
John Eastman
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Hi,
The release notes have the package version to compare and install.
As far as the concern of order, you can start from any server, either proxy or mailbox.
When you run yum update or apt update you can also list what packages are upgradable.
You also need to apply the patch on the mailbox server, because the patch version only shows on the mailbox server, not on any other servers.
https://wiki.zimbra.com/wiki/Zimbra_Rel ... .0.0/P24.1
I hope it is clear now.
Thanks
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Looks like the memcache-client code in mailboxd is used by maintenance tools like zmproxypurge - relevant when migrating mailboxes etc, but not an issue during a rolling upgrade in this context.
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
In general, any patches or updates should be applied to the proxy (Nginx) first, followed by mailboxd. This holds true for this security patch as well and I can confirm this is the recommendation.
Beyond confirmation from our internal teams with respect to this patch, I can also confirm a number of our partners who have applied the update in this fashion without issue.
Hope this helps.
John Eastman
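As an added illustration (not code from this thread or from Zimbra), a small Python check that applies the proxy-first, then mailbox ordering confirmed above to a multi-server inventory, using the two patch levels named in the thread (8.8.15 Patch 31.1, 9.0.0 Patch 24.1) as the minimum for each branch. The hostnames and the `9.0.0_P24.1` style version strings are constructed for the example and are assumptions, not `zmcontrol` output.

```python
import re

# Minimum patch level per release branch, as named in the thread
# (8.8.15 Patch 31.1 and 9.0.0 Patch 24.1) for CVE-2022-27924.
REQUIRED_PATCH = {"8.8.15": (31, 1), "9.0.0": (24, 1)}

# Recommended rollout order from the thread: proxy (nginx) first, then mailboxd.
ROLE_ORDER = {"proxy": 0, "mailbox": 1}

# Constructed version format for this example: "<branch>[_P<major>[.<minor>]]".
PATCH_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:_P(\d+)(?:\.(\d+))?)?$")


def parse_patch(version):
    """Return (branch, (patch_major, patch_minor)); an unpatched GA build is (0, 0)."""
    m = PATCH_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2) or 0), int(m.group(3) or 0))


def is_patched(version):
    """True when the host is at or above the fixed patch level for its branch."""
    branch, patch = parse_patch(version)
    if branch not in REQUIRED_PATCH:
        raise ValueError(f"branch {branch} is not covered by this advisory")
    return patch >= REQUIRED_PATCH[branch]


def plan_upgrade(inventory):
    """Hosts still below the fixed level, proxies first, then mailbox servers.

    inventory: iterable of (hostname, role, version) tuples.
    """
    pending = [(h, r, v) for h, r, v in inventory if not is_patched(v)]
    pending.sort(key=lambda item: (ROLE_ORDER[item[1]], item[0]))
    return [h for h, _, _ in pending]


# Constructed sample inventory: a mixed fleet halfway through a rolling upgrade.
SAMPLE_INVENTORY = [
    ("mbox1.example.com", "mailbox", "9.0.0_P24.1"),
    ("mbox2.example.com", "mailbox", "9.0.0_P23"),
    ("proxy1.example.com", "proxy", "9.0.0_P23"),
    ("proxy2.example.com", "proxy", "9.0.0_P24.1"),
]

if __name__ == "__main__":
    for host in plan_upgrade(SAMPLE_INVENTORY):
        print("upgrade next:", host)
```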
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
Thanks. We upgraded nginx (with the seamless method documented on https://nginx.org/en/docs/control.html#upgrade), and will upgrade mailboxd later (as this implies downtime).
The existing non-hashed memcached entries turnover quickly enough.
Re: Zimbra Security Patches: 9.0.0 Patch 24.1 + 8.8.15 Patch 31.1
FYI, details about this exploit are now public: Stealing Clear-Text Credentials via Memcache injection.