Page 3 of 4

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 4:08 pm
by Klug

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 4:16 pm
by msquadrat
Hi Jorge,

jorgedlcruz wrote:Zimbra is going to release a Patch 9 for ZCS 8.6 by latest February 9th. We are working on a solution for Customers running Zimbra Collaboration 8.7 as well.


thanks for the info, I was just about to open a support ticket on this issue :-)

jorgedlcruz wrote:As soon as we have the Release Notes for the Patch 9 for ZCS 8.6 I will publish it here, same for 8.7.11 Patch 1.


Will this really be a 8.7.11.1 or rather an 8.7.12? I hope the latter so we don't get into that weird state with monkey-patched ZCS installations again.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Tue Jan 30, 2018 5:59 pm
by jorgedlcruz
Hello,
As far as I understood it would be a patch instead of a full release, so you can patch quickly your systems without, or with the less possible downtime.

Let me confirm on that, as I've said it will take a us a bit longer than Patch 9 for ZCS 8.6.

Thank you!

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 5:24 pm
by jorgedlcruz
Hi guys,
As we said, we have the Patch 9 for ZCS 8.6 already on the website - https://blog.zimbra.com/2018/02/zimbra-collaboration-8-6-patch-9-now-available-includes-fix-cve-2017-8802/

Best regards

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 5:32 pm
by Klug
Merci.

Does it means 8.6 is not vulnerable to all other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bug are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 6:35 pm
by jorgedlcruz
Klug wrote:Merci.

Does it means 8.6 is not vulnerable to all other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bug are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.

Hellom,
I'm talking with Product right now, let me see what happened.

Best regards

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 7:01 pm
by jorgedlcruz
Fixed the blog to match the Security Advisories page

Best regards

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 7:10 pm
by jorgedlcruz
There are other vulnerabilities in 8.6, and we're working on addressing all. We'll be forthcoming with further patches.

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Fri Feb 09, 2018 11:27 pm
by Klug
Which ones?
We still don't know which vulnerabilities are related to 8.6.

Why can't you provide a single patch (especially for several months old vulnerabilities)?

When will the patches will be available?
Next couple of days or we'll have to wait for two weeks between each patch?

What about ClamAV?

Re: CVE-2017-8802 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Posted: Sat Feb 10, 2018 2:42 am
by David Bingham
Klug wrote:Merci.

Does it means 8.6 is not vulnerable to all other XSS discovered in 2017 (such as CVE-2017-17703)?
Because the Security Advisories page on the wiki still doesn't give any information on vulnerable versions, bug per bug (and the bug are private).

CVE-2017-8802 is rated as "minor" by Zimbra on the Security Advisories page.
It's rated as "medium" in the blog post.


Brief Intro: My name is David Bingham, and I've recently joined the Zimbra org as a Technical Product Manager. In Synacor I was previously TPM for Video-on-demand, after leading the engineering team there for some time.

Gaffes with the release notes for 8.8.6 and 8.6 Patch 9 were mine - I'm learning on the job, and have made a few mistakes. (I prefer to think of them as learning opportunities!)

CVE-2017-17703 was, in fact, part of 8.6 Patch 9 - the security pages and release notes have been updated accordingly. Since the support for 8.6 was extended beyond the original EOL of September 2017, we are preparing to deliver additional patches, which will include back-ports of fixes. In some cases, work-arounds are provided in the bug notes, as per the Security Response Policy.

I like the idea of being more specific about affected versions; typically it's assumed that all-previous-versions are impacted, but that's not always the case. I'll see what we can do to clarify that.

The "minor" / "medium" confusion was because I copied the CVSS v3 value instead of v2. Apologies for that, thanks for catching it!

None of the security bugs should be private, for people who have created bugzilla accounts. If that's not the case, please do let us know.