Zimbra XXE / SSRF Vulnerability Disclosure


On March 18, 2019, Rene Ottom, Vice President, Product Email and Collaboration, announced that the Zimbra Security team had been working with security researcher An Trinh in advance of his recently published blog post. In that post, Trinh details his findings regarding a vulnerability which, if exploited, could allow an attacker to remotely execute code on an affected Zimbra system.

To secure supported versions of Zimbra (8.7 and 8.8):

  • Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
  • Zimbra customers running the long term support version (LTS) 8.7.11 must upgrade to 8.7.11 Patch 10

To secure unsupported versions of Zimbra (8.6 and earlier):

  • Customers running 8.6 must upgrade to Patch 13 – this patch is scheduled for release on 19 March.
  • Older versions of Zimbra are vulnerable until they are upgraded to a supported version.

NOTE: Zimbra recommends that you always upgrade to the latest version of Zimbra to protect against possible security vulnerabilities.
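As an added example (not part of the advisory or of Zimbra's own tooling), the patch thresholds above turned into a small Python triage helper that classifies hosts from the output of `zmcontrol -v` collected on each mailbox server. The output format it parses and the build strings in the sample data are assumptions constructed for illustration.

```python
import re

# Minimum patch level that closes the issue, per release named in the advisory
# (8.6.0 Patch 13 was still scheduled for 19 March at the time of the announcement).
PATCHED_LEVELS = {(8, 8, 11): 3, (8, 8, 10): 7, (8, 7, 11): 10, (8, 6, 0): 13}

# Assumed shape of `zmcontrol -v` output (run as the zimbra user), e.g.
#   Release 8.8.11_GA_3737.RHEL7_64_20190103210429 RHEL7_64 FOSS edition, Patch 8.8.11_P2.
# The trailing ", Patch X.Y.Z_PN" is absent on a build with no patch applied.
RELEASE_RE = re.compile(r"\bRelease (\d+)\.(\d+)\.(\d+)_")
PATCH_RE = re.compile(r"\bPatch (\d+)\.(\d+)\.(\d+)_P(\d+)\b")

def parse_zmcontrol(output):
    """Return ((major, minor, point), patch_level), or None if the text is not recognised."""
    m = RELEASE_RE.search(output)
    if not m:
        return None
    release = tuple(int(x) for x in m.groups())
    p = PATCH_RE.search(output)
    # Only trust a patch marker that belongs to the same base release.
    if p and tuple(int(x) for x in p.groups()[:3]) == release:
        return release, int(p.group(4))
    return release, 0

def assess(output):
    """Classify one host against the advisory: patched, vulnerable, upgrade_required or unknown."""
    parsed = parse_zmcontrol(output)
    if parsed is None:
        return "unknown"
    release, patch = parsed
    if release in PATCHED_LEVELS:
        return "patched" if patch >= PATCHED_LEVELS[release] else "vulnerable"
    if release > (8, 8, 11):
        return "unknown"  # newer than anything the advisory names; check the vendor's notes
    return "upgrade_required"  # other 8.8.x, 8.7.x or pre-8.6 builds: move to a patched release

def triage(hosts):
    """Map host name -> assessment for a dict of collected `zmcontrol -v` outputs."""
    return {name: assess(out) for name, out in hosts.items()}

# Constructed sample outputs (build strings are illustrative, not real builds).
SAMPLE_HOSTS = {
    "mail1": "Release 8.8.11_GA_3737.RHEL7_64_20190103210429 RHEL7_64 FOSS edition, Patch 8.8.11_P3.",
    "mail2": "Release 8.8.10_GA_3039.RHEL7_64_20180918004851 RHEL7_64 FOSS edition, Patch 8.8.10_P5.",
    "mail3": "Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.",
    "legacy": "Release 8.0.9_GA_6191.RHEL6_64_20141103151159 RHEL6_64 FOSS edition.",
}
```

Running `triage(SAMPLE_HOSTS)` on the constructed data reports mail1 as patched, mail2 and mail3 as vulnerable, and legacy as needing an upgrade to a supported release.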

First of all, check your version against the following table of Zimbra releases and click on the patch that matches your Zimbra version for instructions on how to update and install it:

Zimbra Collaboration

Zimbra release notes are specific to each version of the server. Select your version from the list below to see the release notes for it.

Release | Codename | Patch Level | Third-Party Patch Level | General Availability | Release Notes
8.8.11 GA Release | Homi-Bhabha | Patch 3 | No released patches | 12/17/2018 | HTML / PDF
8.8.10 GA Release | Konrad-Zuse | Patch 7 | No released patches | 10/03/2018 | HTML / PDF
8.8.9 GA Release | Curie | Patch 9 | No released patches | 07/10/2018 | HTML / PDF
8.8.8 GA Release | Turing | Patch 10 | No released patches | 04/02/2018 | HTML / PDF
8.8.7 GA Release | JudasPriest | No released patches | No released patches | 03/08/2018 | HTML / PDF
8.8.6 GA Release | JudasPriest | No released patches | No released patches | 01/15/2018 | HTML / PDF
8.8 GA Release | JudasPriest | No released patches | No released patches | 12/12/2017 | HTML / PDF
8.7.11 GA Release | JudasPriest | Patch 10 | No released patches | 06/08/2017 | HTML / PDF
8.7.10 GA Release | JudasPriest | No released patches | No released patches | 05/31/2017 | HTML / PDF
8.7.9 GA Release | JudasPriest | No released patches | No released patches | 05/11/2017 | HTML / PDF
8.7.8 Early Developer Release | JudasPriest | No released patches | No released patches | 04/27/2017 | HTML / PDF
8.7.7 GA Release | JudasPriest | No released patches | No released patches | 04/13/2017 | HTML / PDF
8.7.6 GA Release | JudasPriest | No released patches | No released patches | 03/30/2017 | HTML / PDF
8.7.5 GA Release | JudasPriest | No released patches | No released patches | 03/16/2017 | HTML / PDF
8.7.4 GA Release | JudasPriest | No released patches | No released patches | 03/02/2017 | HTML / PDF
8.7.3 GA Release | JudasPriest | No released patches | No released patches | 02/17/2017 | HTML / PDF
8.7.2 GA Release | JudasPriest | No released patches | No released patches | 02/02/2017 | HTML / PDF
8.7.1 GA Release | JudasPriest | No released patches | No released patches | 10/27/2016 | HTML / PDF
8.7.0 GA Release | JudasPriest | No released patches | No released patches | 07/13/2016 | PDF / ePub
8.6.0 GA Release (End of General Support 9/30/2018) | JudasPriest | Patch 12 | No released patches | 12/15/2014 | PDF / ePub
8.5.1 GA Release (End of Technical Guidance 9/30/2018) | JudasPriest | No released patches | No released patches | 11/03/2014 | PDF / ePub
8.5.0 GA Release (End of Technical Guidance 9/30/2018) | JudasPriest | Patch 2 | No released patches | 08/28/2014 | PDF / ePub
8.0.9 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | No released patches | No released patches | 11/03/2014 | PDF / ePub
8.0.8 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | No released patches | No released patches | 09/25/2014 | PDF / ePub
8.0.7 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | Patch 2 | ZCS 8.0.7 curl patch; OpenSSL Heartbleed and CVE-2014-0224 (CCS Injection Vulnerability) Patch (PDF / Download Patch) | 04/08/2014 | PDF / ePub
8.0.6 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | No released patches | OpenSSL Heartbleed and CVE-2014-0224 (CCS Injection Vulnerability) Patch (PDF / Download Patch) | 12/03/2013 | PDF / ePub
8.0.5 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | Patch 1 | OpenSSL Heartbleed and CVE-2014-0224 (CCS Injection Vulnerability) Patch (PDF / Download Patch) | 09/10/2013 | PDF / ePub
8.0.4 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | Patch 2 | OpenSSL Heartbleed and CVE-2014-0224 (CCS Injection Vulnerability) Patch (PDF / Download Patch) | 05/24/2013 | PDF / ePub
8.0.3 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | Patch 3 | OpenSSL Heartbleed and CVE-2014-0224 (CCS Injection Vulnerability) Patch (PDF / Download Patch) | 03/05/2013 | PDF / ePub
8.0.2 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | Patch 1 | No released patches | 12/10/2012 | PDF / ePub
8.0.1 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | No released patches | No released patches | 11/05/2012 | PDF / ePub
8.0.0 GA Release (End of Technical Guidance 9/10/2017) | IronMaiden | No released patches | No released patches | 09/07/2012 | PDF / ePub
7.2.7 GA Release (End of Technical Guidance 3/31/2015) | Helix | No released patches | No released patches | 03/14/2014 | PDF / ePub
