8.8.15-p11 vulnerability assesment

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
edisu
Posts: 8
Joined: Fri May 01, 2020 3:25 am

8.8.15-p11 vulnerability assesment

Postby edisu » Sat Jul 11, 2020 4:36 pm

Hi, we have zimbra 8.8.15 P11 network edition multi-node server, our audit team run some vulnerability assesment and penetration testing or VAPT below is the result.

MTA/PROXY SERVER VAPT RESULT
Alert details:
Vulnerable Javascript library

Affected files
/js/JQuery_all.js.zgz 1
/yui/2.7.0/animation/animation-debug.js 1
/yui/2.7.0/dragdrop/dragdrop-debug.js 1
/yui/2.7.0/yahoo-dom-event/yahoo-dom-event.js

Severity: Medium
Reported by module: /Scripts/PerFile/Javascript_Libraries_Audit.script

Description
You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript library. Consult Attack
details and Web References for more information about the affected library and the vulnerabilities that were reported.

Impact
Consult References for more information.

Recommendation
Upgrade to the latest version.

My question is how can i upgrade to the latest version or how can i fix that issue?
--------
MBOX VAPT RESULT
Alert details:
Application error message

Affected files:
/zimbraAdmin/js/XForms_all.js.zgz
/zimbraAdmin/js/Zimbra_all.js.zgz
/zimbraAdmin/res/I18nMsg,TzMsg,AjxMsg,ZMsg,ZaMsg,ZabMsg,AjxKeys.js.zgz

Description:
This alert requires manual confirmation
Application error or warning messages may expose sensitive information about an application's internal workings to an
attacker.

Acunetix found an error or warning message that may disclose sensitive information. The message may also contain the
location of the file that produced an unhandled exception. Consult the 'Attack details' section for more information about the
affected page.

Impact:
Error messages may disclose sensitive information which can be used to escalate attacks.

Recommendation:
Verify that this page is disclosing error or warning messages and properly configure the application to log errors to a file
instead of displaying the error to the user.

My question is how can i fix that issue?

Alert details (also in my mailbox server)
Vulnerable Javascript library

Affected files:
/zimbraAdmin/js/Ajax_all.js.zgz 1
/zimbraAdmin/yui/2.7.0/charts/charts-min.js 1
/zimbraAdmin/yui/2.7.0/datasource/datasource-min.js 1
/zimbraAdmin/yui/2.7.0/element/element-min.js 1
/zimbraAdmin/yui/2.7.0/json/json-min.js 1
/zimbraAdmin/yui/2.7.0/yahoo-dom-event/yahoo-dom-event.js

Severity: Medium
Reported by module: /Scripts/PerFile/Javascript_Libraries_Audit.script

Description:
You are using a vulnerable Javascript library. One or more vulnerabilities were reported for this version of the Javascript
library. Consult Attack details and Web References for more information about the affected library and the vulnerabilities
that were reported.

Impact:
Consult References for more information.

Recommendation:
Upgrade to the latest version.

My question is how can i upgrade this or how can i fix that issue? Hope someone can help me. Thanks in advance


User avatar
jeastman
Zimbra Employee
Zimbra Employee
Posts: 31
Joined: Tue Mar 29, 2016 1:36 pm

Re: 8.8.15-p11 vulnerability assesment

Postby jeastman » Wed Jul 15, 2020 7:58 pm

Hi edisu,

Thank you for reporting the details of your assessment.

The 3rd-party libraries you mentioned (as well as several others) continue to be updated in the product (internal master reference is ZCS-8007 and several "child" issues such as ZCS-8441 which addresses the YUI library you mentioned and ZCS-8012 for JQuery). Most of the work for the full set of changes has been released (like https://github.com/Zimbra/zm-admin-ajax/pull/16 [JQuery update] and others in recent patches), or completed and waiting to be merged (one example being https://github.com/Zimbra/zm-web-client/pull/575 [YUI update]).

You can also keep an eye on the Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) which provides updates on CVE resolution.

If you would like to track the progress further, you can search the code repositories for commits/pull requests associated with the issue ids as well as in the product release notes. You could also use these identifiers when talking to the Zimbra Support team.

Thanks again.
John Eastman
edisu
Posts: 8
Joined: Fri May 01, 2020 3:25 am

Re: 8.8.15-p11 vulnerability assesment

Postby edisu » Wed Jul 22, 2020 4:17 am

jeastman wrote:Hi edisu,

Thank you for reporting the details of your assessment.

The 3rd-party libraries you mentioned (as well as several others) continue to be updated in the product (internal master reference is ZCS-8007 and several "child" issues such as ZCS-8441 which addresses the YUI library you mentioned and ZCS-8012 for JQuery). Most of the work for the full set of changes has been released (like https://github.com/Zimbra/zm-admin-ajax/pull/16 [JQuery update] and others in recent patches), or completed and waiting to be merged (one example being https://github.com/Zimbra/zm-web-client/pull/575 [YUI update]).

You can also keep an eye on the Zimbra Security Center (https://wiki.zimbra.com/wiki/Security_Center) which provides updates on CVE resolution.

If you would like to track the progress further, you can search the code repositories for commits/pull requests associated with the issue ids as well as in the product release notes. You could also use these identifiers when talking to the Zimbra Support team.

Thanks again.


We already apply the latest patch, zimbra 8.8.15 P11 to be specific but didn't resolve the vulnerabilities in javascript and application error message, we also try to installed latest zimbra which is zimbra 9, and conduct vulnerability scan and the vulnerabilities for javascript and application error still persist. How can i solve this issue?

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 9 guests