ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

bulletxt
Advanced member
Posts: 81
Joined: Sat Sep 13, 2014 1:08 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by bulletxt »

ghen wrote: Yes, we did the same on 8.8.15 (we don't want to go to P33 yet because of this regression).

 	     # block MailboxImportServlet requests for CVE-2022-37042 exploit
 	     location = /service/extension/backup/mboximport {
 	         return 403;
 	     }
 

Hi Ghen,
first of all, thanks for your tips. Just a question: you are on Network Edition, right? Because I'm trying the "curl" command and get a 404 instead of 401. I tried both on 8.8.15 patch 31 OSS and 9 OSS. It seems only NE is affected. Can you confirm?
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by maxxer »

bulletxt wrote: first of all thanks for your tips. Just a question: you are on Network edition right? Because I'm trying the "curl" command and get a 404 instead of 401. I tried both on 8.8.15 patch 31 OSS and 9 OSS. It seems only NE is affected. Can you confirm?
Are you sure you have Web Proxy enabled? I had a very old installation upgraded to 9 where I had proxy, but just for IMAP/POP3, not for web.
https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: ZCS 9 Patch 26 available & Zimbra ZCS OSS Build

Post by ghen »

bulletxt wrote: Just a question: you are on Network edition right? Because I'm trying the "curl" command and get a 404 instead of 401. I tried both on 8.8.15 patch 31 OSS and 9 OSS. It seems only NE is affected. Can you confirm?
Indeed, the mboximport feature, and thus this vulnerability, is only present in NE, not in OSS.
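
Added example (not part of the thread and not Zimbra code): a small Python audit that checks whether every nginx `server` block in a config text still contains the exact-match 403 rule quoted above, since a `location` only applies inside the `server` block that holds it. The sample config, hostnames and ports are constructed, and the parser assumes no `#` appears inside quoted strings.

```python
import re

# Path and status code come from the rule quoted in the thread.
BLOCKED_PATH = "/service/extension/backup/mboximport"
RULE = re.compile(
    r"location\s*=\s*" + re.escape(BLOCKED_PATH) + r"\s*\{\s*return\s+403\s*;\s*\}"
)

def strip_comments(conf):
    # Simplification: treats every '#' as a comment start (no '#' inside strings).
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    text = strip_comments(conf)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(conf):
    """Return (listen value, rule present?) for every server block."""
    out = []
    for body in server_blocks(conf):
        listen = re.search(r"\blisten\s+([^;]+);", body)
        out.append((listen.group(1).strip() if listen else "?", bool(RULE.search(body))))
    return out

# Constructed sample config: the rule is active on 443 but commented out on 80.
SAMPLE = """
http {
    server {
        listen 443 ssl;
        # block MailboxImportServlet requests for CVE-2022-37042 exploit
        location = /service/extension/backup/mboximport {
            return 403;
        }
        location / { proxy_pass https://mailbox.example.test:8443; }
    }
    server {
        listen 80;
        # location = /service/extension/backup/mboximport { return 403; }
        location / { proxy_pass http://mailbox.example.test:8080; }
    }
}
"""

if __name__ == "__main__":
    for listen, ok in audit(SAMPLE):
        print(f"listen {listen}: {'rule present' if ok else 'RULE MISSING'}")
```

Running the same audit after each patch or proxy configuration change shows whether the rule is still in place on every listener.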