[Users] Zimbra vulnerability fix in the new patches released today
L Mark Stone
lmstone at lmstone.com
Thu Jun 4 16:03:46 CEST 2020
We did not get any advance notice Fabio. I can't speak for other Partners.
I have spoken several times with senior Zimbra execs that failing to disclose exploitable security exploits to partners in advance invites bad actors to attempt to perform the exploits.
As a BSP, I was particularly disappointed about the cross-domain GAL search exploit that was fixed in a recent patch.
Usually, we like to test patches before deploying them, but in that case we felt we had no choice but to apply the patch immediately.
Mark
_________________________________________________
L. Mark Stone, Founder
North America's Leading Zimbra VAR/BSP/Training Partner
For Companies With Mission-Critical Email Needs
Need more email security & compliance? Ask me about Mimecast!
________________________________
From: Users <users-bounces at lists.zetalliance.org> on behalf of Fabio S. Schmidt <fabio at bktech.com.br>
Sent: Wednesday, June 3, 2020 10:51 PM
To: users <users at lists.zetalliance.org>
Subject: [Users] Zimbra vulnerability fix in the new patches released today
Hello Guys,
Have you seen the 8.8.15 P10 and 9.0 P3 patches released today?
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P3
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P10
There is a fix for this vulnerability mentioned:
https://vulmon.com/vulnerabilitydetails?valert=email&qid=CVE-2020-12846
Zimbra prior to 8.8.15 Patch 10 and 9.x prior to 9.0.0 Patch 3 allows remote code execution via an avatar file. There is potential abuse of /service/upload servlet in the webmail subsystem. A user can upload executable files (exe,sh,bat,jar) in the Contact section of the mailbox as an avatar image for a contact. A user will receive a "Corrupt File" error, but the file is still uploaded and stored locally in /opt/zimbra/data/tmp/upload/, leaving it open to possible remote execution.
Did any partner receive a warning from Zimbra about this before the patches were released?
Best regards.
Fabio S. Schmidt
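The CVE text quoted above describes the classic failure mode of an upload handler that checks the filename extension and reports "Corrupt File" while still keeping the bytes on disk. The script below is an added example for administrators reviewing their own systems; it is not Zimbra's code and is not from this thread. It shows the hardening rule (accept an avatar only when its leading bytes identify a known image format, whatever the extension says) and applies the same check as an audit of a directory such as the /opt/zimbra/data/tmp/upload/ path named in the advisory. The image and executable signatures are the standard ones for those formats; the directory path is taken from the advisory and everything else is assumed.

```python
"""Added example (not from the thread or from Zimbra): audit an upload
directory for files whose content is not an image, judging by leading
bytes (magic numbers) rather than the filename extension.

The default directory is the path named in the CVE-2020-12846 description;
the classification logic and the sample files used in testing are constructed
for illustration.
"""
import os
import sys
from pathlib import Path

# Magic-byte prefixes of the image formats an avatar upload is expected to be.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif87a": b"GIF87a",
    "gif89a": b"GIF89a",
}

# Prefixes that identify executables, archives (including .jar) or scripts;
# none of these should ever be retained as an avatar image.
EXECUTABLE_SIGNATURES = {
    "pe-exe": b"MZ",
    "elf": b"\x7fELF",
    "zip-or-jar": b"PK\x03\x04",
    "script": b"#!",
}

# Path quoted in the advisory; override on the command line if needed.
DEFAULT_UPLOAD_DIR = "/opt/zimbra/data/tmp/upload/"


def classify(data: bytes) -> str:
    """Return 'image', 'executable' or 'unknown' from the leading bytes only."""
    for sig in IMAGE_SIGNATURES.values():
        if data.startswith(sig):
            return "image"
    for sig in EXECUTABLE_SIGNATURES.values():
        if data.startswith(sig):
            return "executable"
    return "unknown"


def is_allowed_avatar(data: bytes) -> bool:
    """Hardening rule: keep an avatar only if its content is a known image format.
    A handler applying this rule rejects the bytes instead of storing them
    and then reporting an error."""
    return classify(data) == "image"


def audit_upload_dir(upload_dir: str = DEFAULT_UPLOAD_DIR) -> list:
    """Walk upload_dir and return (path, classification) for every file whose
    content does not start with an image signature. A missing or empty
    directory yields an empty list."""
    findings = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            path = Path(root) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)  # 16 bytes cover every signature above
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            kind = classify(head)
            if kind != "image":
                findings.append((str(path), kind))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_UPLOAD_DIR
    for found_path, found_kind in audit_upload_dir(target):
        print(f"{found_kind:10s} {found_path}")
```

Run it as the zimbra user (or any account that can read the upload directory); each line of output is a retained file that is not an image, together with the reason it was flagged. A file named like an image but starting with `MZ`, `PK\x03\x04` or `#!` is exactly the mismatch the advisory describes, and a clean run after applying 8.8.15 P10 or 9.0.0 P3 is a useful confirmation that nothing from before the patch is still lingering on disk.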