Recent Zimbra XXE / SSRF Vulnerability Disclosure

Official Zimbra news, events, releases, and updates.
gbillat
Zimbra Alumni
Posts: 44
Joined: Fri Oct 18, 2013 9:08 am

Post by gbillat »

This is a reposting of Rene’s original blog announcement on March 18, 2019.
Please read and be sure that your Zimbra Patches are up-to-date!

Hello Zimbra Friends,

Background

The Zimbra Security team has been working with security researcher An Trinh in advance of his recently-published blog post. In the blog, Trinh details his findings regarding a vulnerability which, if exploited, could allow an attacker to remotely execute code on an affected Zimbra system.

To secure supported versions of Zimbra (8.7 and 8.8):

- Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3.
- Zimbra customers running the long term support (LTS) version 8.7.11 must upgrade to 8.7.11 Patch 10.

To secure unsupported versions of Zimbra (8.6 and earlier):

- Customers running 8.6 must upgrade to Patch 13. This Patch is scheduled for release 19 March.
- Older versions of Zimbra are vulnerable until they are upgraded to a supported version.
If you require guidance around your upgrade, please contact your Zimbra Partner or Zimbra Support for further information.

NOTE: Zimbra recommends that you always upgrade to the latest version of Zimbra to protect against possible security vulnerabilities.

Many thanks,

Rene Otto

Vice President Product eMail and Collaboration