CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Mon Mar 26, 2018 1:33 pm

Hello all.

Another one...
It's from last January; it went out on the bugtraq mailing list today.

About the issue (quoting the author):
This issue was successfully tested on ZCS 8.7.11_GA_1854 (build 20170531151956). It is however likely that this issue is present in all versions of ZCS from version 8.5.0 on.

About the fix:
Patch in 8.8.7
Patch in 8.7.11 Patch 1
No information about 8.6

About Zimbra's security advisory wiki page:
The vulnerability is known, but the page is not up to date (no date, nothing about 8.6).
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

How long will it take this time to get some information (thinking of this one: viewtopic.php?f=13&t=63390)?

And, while we're at it, what about news about the ClamAV issue?


Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Mon Mar 26, 2018 1:54 pm

L. Mark Stone
Elite member
Posts: 1738
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 3 Network Edition

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby L. Mark Stone » Mon Mar 26, 2018 2:16 pm

FWIW, I've found that the Release Notes for an upcoming version are posted as a work in process at least a few days before the next version is actually released.

So at this writing, 8.8.7 is the current Stable GA release, but the Release Notes (incomplete at the moment) for 8.8.8 are available:
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8

My experience has been that, much like pm.zimbra.com used to work, bugs when fixed and verified are added to the Release Notes. Same for Security Fixes.

So we get at least some visibility into what's coming up in the next few days/weeks, and can plan for upgrades and advise our customers accordingly.

Hope that helps,
Mark
_____________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP and Consulting https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Wed Mar 28, 2018 8:12 am

As the bug is (once again) private (even when logged in bugzilla), I created a support case.
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Wed Mar 28, 2018 11:04 am

Vulnerability has been confirmed by support.

Initial answer: "This vulnerability is fixed in ZCS 8.7.11 patch 1, 8.8.7 and 8.8.8 versions. ZCS 8.6.x is reaching end of support (...). Hence, we recommend you to upgrade the server as early as possible to a later release where the vulnerability has been addressed."
Second answer: "all supported versions before 8.8.7 are vulnerable".

A couple of additional notes from me:
"reaching end of support" actually means in 5 months (September)
8.7.11-P1, while patched against this vulnerability, is not usable in a country with accented characters (see https://bugzilla.zimbra.com/show_bug.cgi?id=107700) and is not patched against new vulnerabilities already known (see 8.8.8).
8.8.7, while patched against this vulnerability, is not patched against new ones (see 8.8.8).

Which ZCS version are we supposed to use?
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Fri Mar 30, 2018 5:19 am

Last news from support: "It is unlikely that the vulnerability will be fixed in ZCS 8.6 given the version is reaching end of support soon" and "We are going to report this request to our development team. We will let you know about the status as we hear from the development team. "

Where is the commitment we were told about last week in Paris?

At least we know now that "soon" means "in five months".
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Tue Apr 03, 2018 11:26 am

Patch will be delivered (with a few backported bugs).
No ETA yet.
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Sun May 06, 2018 1:57 pm

Still no news.

Last rants here: viewtopic.php?f=15&t=64023&p=283459#p283459
Klug
Elite member
Posts: 2277
Joined: Mon Dec 16, 2013 11:35 am

Re: CVE-2018-6882 Zimbra Collaboration Suite - Stored Cross-Site Scripting

Postby Klug » Mon May 14, 2018 8:24 am

Patch was released: viewtopic.php?f=8&t=64177
