Zimbra Collaboration Suite Urgent Patch Releases (Exploit-DB)

Last week, Zimbra issued patch releases for Zimbra Collaboration 8.x and 7.x, resolving two critical security vulnerabilities. It’s strongly recommend that any customer running the following versions of Zimbra Collaboration apply the patches:

8.0.5, 8.0.4, 8.0.3
7.2.5, 7.2.4, 7.2.3, 7.2.2

These issues are being tracked in Zimbra Bugzilla systems as the following:

Bug # 80338
Summary: Privilege Escalation via LFI
Affected Versions: 7.2.2 and 8.0.2 and all previous releases

Bug # 84547
Summary: Critical Security Vulnerability
Affected Versions: 7.2.5 and 8.0.5 and all previous releases

The official patch downloads and release notes can be found here: Network Edition Downloads: Enterprise Messaging and Collaboration Software by Zimbra or for Open Source Edition : Binary Archive for Open Source Editions

Please follow the release notes for installation instructions. Each patch release is a cumulative update, including any fixes from previous patch releases for that version.

More Details :

Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:

• Bug 80338: Privilege Escalation via LFI
• CVE: https://web.nvd.nist.gov/view/vuln/d…=CVE-2013-7091
• Affected versions: 7.2.2 and 8.0.2 and all previous releases

Bug 84547 is a newer Critical Security Vulnerability (Dec 2013) that has not had further details released (in order to protect other customers):

• Bug 84547: Critical Security Vulnerability
• CVE: https://web.nvd.nist.gov/view/vuln/d…=CVE-2013-7217
• Affected Versions: 7.2.5 and 8.0.5 and all previous releases (except 7.1.4, 7.2.0, 7.2.0 Patch 1, and 7.2.1, which are not susceptible to Bug 84547)

There is great urgency for getting this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:

• Security Guidance for reported “0day Exploit”
• http://www.exploit-db.com/exploits/30085/

And it has been used to install upload rogue Zimlets and bitcoin mining processes (and potentially others) on some customer systems. You can read about the clean-up steps for this here:

• https://wiki.zimbra.com/wiki/Investi…curing_Systems

As noted, there are patches and upgrades available here:

• http://info.zimbra.com/zimbra-news-n…pcoming-events
• Critical Security Patches posted for 8.0.X/7.2.X
• Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases

Please let us know if further questions. Please upgrade or patch at first opportunity. Sorry for the difficulties on this.

I strongly recommend to upgrading all Zimbra version 7.x.x into 7.2.6 and 8.x.x into 8.0.6 if possible. If you can not perform an update in the near future, please go with the above update releases ( only need a few steps than upgrading all services). Based on experience, upgrading Zimbra 6.0.8 in SLES 11 SP1 64 bit into 8.0.6 are worked flawlessly with only a few library update (zlib library). I’ll be post the details later on next tutorial 😉