Zimbra Security Update
- barrydegraaff
- Zimbra Employee
- Posts: 237
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Zimbra Security Update
A one-click security vulnerability in all versions of Zimbra Collaboration Suite has been discovered that could allow an unauthenticated attacker to gain access to a Zimbra account.
To fix this vulnerability, install the latest Zimbra patch (by using apt or yum). The vulnerability is fixed in:
- Daffodil 10.0.3
- 9.0.0 Kepler Patch 35
- 8.8.15 Joule Patch 42
In case you are unable to install the latest patch, you can obtain manual mitigation steps via Zimbra Support.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
Re: Zimbra Security Update
Hi,
Thanks, can you please give details on what these mitigation actions are, for OSE?
- barrydegraaff
- Zimbra Employee
- Posts: 237
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Zimbra Security Update
For Zimbra 8 OSE you can update using yum/apt update. For other versions you can rebuild from source and we will release the mitigation steps later.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
-
- Advanced member
- Posts: 125
- Joined: Fri Sep 12, 2014 10:35 pm
- ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
Re: Zimbra Security Update
Hi,
Following the alert, I've updated Zimbra (NE) using apt.
Before the update, About showed Zimbra 8.8.15_GA_4545 (build 20230516032547)
After the update, About shows Zimbra 8.8.15_GA_4565 (build 20230707032631)
zmcontrol -v shows:
Release 8.8.15.GA.3829.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.15_P41.
Given the date, is patch 42 applied?
Thank you, and thanks to the Zimbra support people.
- oetiker
- Outstanding Member
- Posts: 259
- Joined: Fri Mar 07, 2014 1:05 pm
- Location: Switzerland
- ZCS/ZD Version: Release 10.0.5.GA.4518.UBUNTU20_64
- Contact:
Re: Zimbra Security Update
In my case it looks good
Zimbra 8.8.15_GA_4562 (build 20230707032631)
did you run
$ zmcontrol -v shows
Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 8.8.15_P42.
$ zmcontrol restart
Re: Zimbra Security Update
Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 NETWORK edition, Patch 8.8.15_P42.
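Added example, not part of the original thread and not Zimbra tooling: a small shell check that reads one line of zmcontrol -v output, in either of the two separator styles posted above, and compares it with the fixed levels named in the announcement. The function name zimbra_patch_status and the treatment of a missing Patch field as level 0 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify one `zmcontrol -v` line against the fixed levels
# named in the announcement (8.8.15 P42, 9.0.0 P35, 10.0.3).
# Prints "fixed", "needs-patch" or "unknown".
zimbra_patch_status() {
    line=$1
    # Release number = first three numeric fields after "Release ". The thread
    # shows both "8.8.15.GA.3829" and "8.8.15_GA_3869" separator styles.
    rel=$(printf '%s\n' "$line" |
        sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[._].*/\1/p')
    # Patch level = digits after "_P" in "Patch 8.8.15_P42."; empty if absent.
    patch=$(printf '%s\n' "$line" |
        sed -n 's/.*Patch [0-9.]*_P\([0-9][0-9]*\).*/\1/p')
    case $rel in
        8.8.15) min=42 ;;
        9.0.0)  min=35 ;;
        10.*)
            # 10.x: the fix is carried by the release number (10.0.3 or later).
            rest=${rel#10.}; minor=${rest%%.*}; micro=${rest#*.}
            if [ "$minor" -gt 0 ] || [ "$micro" -ge 3 ]; then
                echo fixed
            else
                echo needs-patch
            fi
            return ;;
        *)  # unparsable line, or a branch the announcement does not list
            echo unknown
            return ;;
    esac
    # Assumption: a line with no "Patch" field means patch level 0.
    if [ "${patch:-0}" -ge "$min" ]; then echo fixed; else echo needs-patch; fi
}

# Demo on two lines quoted in this thread (on a server: "$(zmcontrol -v)").
for sample in \
    'Release 8.8.15.GA.3829.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.15_P41.' \
    'Release 8.8.15_GA_3869.RHEL7_64_20190917004220 RHEL7_64 NETWORK edition, Patch 8.8.15_P42.'
do
    printf '%s -> %s\n' "$sample" "$(zimbra_patch_status "$sample")"
done
```

The check only reads the reported patch level; it says nothing about whether the mailbox service has been restarted since the patch was installed.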
Re: Zimbra Security Update
barrydegraaff wrote: ↑Wed Aug 23, 2023 8:10 am For Zimbra 8 OSE you can update using yum/apt update. For other versions you can rebuild from source and we will release the mitigation steps later.
Thanks, one question: in the P42 release notes the following appears:
From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
but the link doesn't work and we can't see what the recommended actions are for this step.
Thanks
- barrydegraaff
- Zimbra Employee
- Posts: 237
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Zimbra Security Update
zmprov md example.com zimbraVirtualHostName zimbra.example.com
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
- barrydegraaff
- Zimbra Employee
- Posts: 237
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Zimbra Security Update
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
Re: Zimbra Security Update
The release notes say:
"The patch will remove 3 files after which a mailbox restart is required, in case you cannot install the latest patch, manual mitigation steps (really simple ones) will be available via Zimbra Support Portal. "
It doesn't take much detective work looking at the latest zimbra-patch to see what it removes.