Hi, we have a Zimbra 8.8.15 P11 Network Edition multi-node server. Our audit team ran a vulnerability assessment and penetration test (VAPT); below is the result.
MTA/PROXY SERVER VAPT RESULT
Alert details:
Vulnerable Javascript library
Affected files
/js/JQuery_all.js.zgz 1
/yui/2.7.0/animation/animation-debug.js 1
/yui/2.7.0/dragdrop/dragdrop-debug.js 1
/yui/2.7.0/yahoo-dom-event/yahoo-dom-event.js
Severity: Medium
Reported by module: /Scripts/PerFile/Javascript_Libraries_Audit.script
Description
You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Impact
Consult References for more information.
Recommendation
Upgrade to the latest version.
My question is: how can I upgrade to the latest version, or how else can I fix that issue?
--------
MBOX VAPT RESULT
Alert details:
Application error message
Affected files:
/zimbraAdmin/js/XForms_all.js.zgz
/zimbraAdmin/js/Zimbra_all.js.zgz
/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz
Description:
This alert requires manual confirmation
Application error or warning messages may expose sensitive information about an application's internal workings to an attacker.
Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the affected page.
Impact:
Error messages may disclose sensitive information which can be used to escalate attacks.
Recommendation:
Verify that this page is disclosing error or warning messages and properly configure the application to log errors to a file instead of displaying the error to the user.
My question is: how can I fix that issue?
Alert details (also on my mailbox server)
Vulnerable Javascript library
Affected files:
/zimbraAdmin/js/Ajax_all.js.zgz 1
/zimbraAdmin/yui/2.7.0/charts/charts-min.js 1
/zimbraAdmin/yui/2.7.0/datasource/datasource-min.js 1
/zimbraAdmin/yui/2.7.0/element/element-min.js 1
/zimbraAdmin/yui/2.7.0/json/json-min.js 1
/zimbraAdmin/yui/2.7.0/yahoo-dom-event/yahoo-dom-event.js
Severity: Medium
Reported by module: /Scripts/PerFile/Javascript_Libraries_Audit.script
Description:
You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities that were reported.
Impact:
Consult References for more information.
Recommendation:
Upgrade to the latest version.
My question is: how can I upgrade this, or how else can I fix that issue? I hope someone can help me. Thanks in advance.
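Before asking for an upgrade it helps to know what the server actually serves, because a scanner module named Javascript_Libraries_Audit will key on version strings (note the 2.7.0 in the flagged YUI paths), and the same alert will come back after a patch if the files are unchanged. The script below is an added example, not code from the thread or from Zimbra: it downloads each flagged file, unwraps it if it is gzip-compressed, and reads the version banner out of the file body so it can be compared with the version the path advertises. It assumes (not stated on the page) that Zimbra's *.zgz files are plain gzip streams, that jQuery builds carry a "jQuery vX.Y.Z" banner or a jquery:"X.Y.Z" property, and that YUI 2.x files carry a "version: X.Y.Z" header comment; the hostname and the sample file bodies are placeholders constructed for the example. Knowing the version is only half the check: whether that version is affected by a CVE is still what the scanner's references tell you.

```python
"""Read library version banners out of the JavaScript files a scan flagged.

Added example; assumptions: *.zgz is gzip, jQuery exposes "jQuery vX.Y.Z" or
jquery:"X.Y.Z", YUI 2.x exposes a "version: X.Y.Z" header line.
"""
import gzip
import re
import sys
import urllib.request

# Version patterns per library; each regex exposes the version in group 1.
VERSION_PATTERNS = {
    "jquery": [
        re.compile(rb"jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?)"),
        re.compile(rb"jquery\s*:\s*[\"'](\d+\.\d+(?:\.\d+)?)[\"']"),
    ],
    "yui": [
        re.compile(rb"^version:\s*(\d+\.\d+(?:\.\d+)?)\s*$", re.MULTILINE),
        re.compile(rb"YAHOO\.VERSION\s*=\s*[\"'](\d+\.\d+(?:\.\d+)?)[\"']"),
    ],
}

GZIP_MAGIC = b"\x1f\x8b"


def decompress_if_gzip(body: bytes) -> bytes:
    """Unwrap a pre-compressed *.zgz body (assumed gzip); pass plain JS through."""
    if body.startswith(GZIP_MAGIC):
        return gzip.decompress(body)
    return body


def detect_versions(body: bytes) -> dict:
    """Return {library: version} for each known library whose banner is in body."""
    text = decompress_if_gzip(body)
    found = {}
    for lib, patterns in VERSION_PATTERNS.items():
        for pat in patterns:
            m = pat.search(text)
            if m:
                found[lib] = m.group(1).decode()
                break
    return found


def version_from_path(path: str):
    """Version the URL path advertises (e.g. /yui/2.7.0/...), or None."""
    m = re.search(r"/(\d+\.\d+(?:\.\d+)?)/", path)
    return m.group(1) if m else None


def compare(path: str, body: bytes) -> dict:
    """Pair the version in the path with the version found in the file body."""
    return {
        "path": path,
        "path_version": version_from_path(path),
        "detected": detect_versions(body),
    }


def fetch(base_url: str, path: str) -> bytes:
    """GET one flagged file as raw bytes (urllib does not transparently gunzip)."""
    req = urllib.request.Request(base_url + path,
                                 headers={"Accept-Encoding": "identity"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


# Constructed sample bodies standing in for what the flagged URLs would return.
SAMPLE_YUI = gzip.compress(
    b"/*\nCopyright (c) 2009, Yahoo! Inc. All rights reserved.\n"
    b"version: 2.7.0\n*/\n(function(){var YAHOO=window.YAHOO||{};})();\n"
)
SAMPLE_JQUERY_ZGZ = gzip.compress(
    b"/*! jQuery v1.12.4 | (c) jQuery Foundation */\n"
    b"!function(a,b){var c={jquery:\"1.12.4\"}}(window);\n"
)

if __name__ == "__main__":
    # Usage: python check_js_versions.py https://mail.example.com /js/JQuery_all.js.zgz ...
    if len(sys.argv) >= 3:
        base, paths = sys.argv[1], sys.argv[2:]
        for p in paths:
            print(compare(p, fetch(base, p)))
    else:
        print(compare("/yui/2.7.0/yahoo-dom-event/yahoo-dom-event.js", SAMPLE_YUI))
        print(compare("/js/JQuery_all.js.zgz", SAMPLE_JQUERY_ZGZ))
```

Run it once before and once after applying a patch against the exact paths in the scan report; if the detected versions are identical both times, the patch did not touch those files and the scanner's repeat finding is expected.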
8.8.15-p11 vulnerability assessment
Re: 8.8.15-p11 vulnerability assessment
Hi edisu,
Thank you for reporting the details of your assessment.
The 3rd-party libraries you mentioned (as well as several others) continue to be updated in the product (internal master reference is ZCS-8007 and several "child" issues such as ZCS-8441 which addresses the YUI library you mentioned and ZCS-8012 for JQuery). Most of the work for the full set of changes has been released (like https://github.com/Zimbra/zm-admin-ajax/pull/16 [JQuery update] and others in recent patches), or completed and waiting to be merged (one example being https://github.com/Zimbra/zm-web-client/pull/575 [YUI update]).
You can also keep an eye on the Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) which provides updates on CVE resolution.
If you would like to track the progress further, you can search the code repositories for commits/pull requests associated with the issue ids as well as in the product release notes. You could also use these identifiers when talking to the Zimbra Support team.
Thanks again.
John Eastman
Re: 8.8.15-p11 vulnerability assessment
We already applied the latest patch (Zimbra 8.8.15 P11, to be specific), but it didn't resolve the JavaScript and application error message vulnerabilities. We also tried installing the latest Zimbra, which is Zimbra 9, and ran the vulnerability scan, and the JavaScript and application error vulnerabilities still persist. How can I solve this issue?
jeastman wrote:
Hi edisu,
Thank you for reporting the details of your assessment.
The 3rd-party libraries you mentioned (as well as several others) continue to be updated in the product (internal master reference is ZCS-8007 and several "child" issues such as ZCS-8441 which addresses the YUI library you mentioned and ZCS-8012 for JQuery). Most of the work for the full set of changes has been released (like https://github.com/Zimbra/zm-admin-ajax/pull/16 [JQuery update] and others in recent patches), or completed and waiting to be merged (one example being https://github.com/Zimbra/zm-web-client/pull/575 [YUI update]).
You can also keep an eye on the Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) which provides updates on CVE resolution.
If you would like to track the progress further, you can search the code repositories for commits/pull requests associated with the issue ids as well as in the product release notes. You could also use these identifiers when talking to the Zimbra Support team.
Thanks again.