
===================================================================
                                                         CERT-Renater

                    Note d'Information No. 2022/VULN351

_____________________________________________________________________

DATE                : 04/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zimbra.

====================================================================

https://blog.zimbra.com/2022/09/security-update-make-sure-to-install-pax-spax/
___________________________________________________________________

Security Update – make sure to install pax/spax
by Barry De Graaff on September 14, 2022 in PowerTips – Admins,
Security & Privacy


All Zimbra administrators should make sure the pax package is
installed on their Zimbra server. Pax is needed by Amavis to
extract the contents of compressed attachments for virus scanning.

If the pax package is not installed, Amavis will fall back to using
cpio; unfortunately the fall-back is implemented poorly (by Amavis)
and will allow an unauthenticated attacker to create and overwrite
files on the Zimbra server, including the Zimbra webroot.

For most Ubuntu servers the pax package should already be installed
as it is a dependency of Zimbra. Due to a packaging change in
CentOS, there is a high chance pax is not installed.


You should validate and install pax on all your systems as follows:

Ubuntu
apt install pax

CentOS 7 and derivatives
yum install pax

CentOS 8 and derivatives
dnf install spax


Restart Zimbra using:
sudo su zimbra -
zmcontrol restart
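The check described above, as an added POSIX shell example that is neither part of this note nor of the Zimbra post: it reports whether a pax binary is on PATH and, if not, prints the package command from the advisory for the running distribution. It assumes /etc/os-release is present, that "derivatives" of CentOS can be recognised through the ID_LIKE field (rocky, almalinux) or the ID rhel, and that the spax package on CentOS 8 provides a pax binary, as the advisory's install command implies. Function names (pax_present, pax_install_cmd, pax_report) are the example's own.

```shell
#!/bin/sh
# Added example (not from CERT-Renater or Zimbra): verify that Amavis has
# pax available and print the advisory's install command when it is missing.
# Assumptions: /etc/os-release exists; CentOS derivatives are detected via
# ID_LIKE (e.g. rocky, almalinux) or ID=rhel.

# pax_present: return 0 when a "pax" binary is on PATH
# (both the pax and the spax package install one).
pax_present() {
    command -v pax >/dev/null 2>&1
}

# pax_install_cmd ID VERSION_ID [ID_LIKE]
# Print the install command listed in the advisory, or "unknown" for a
# distribution/version the advisory does not cover.
pax_install_cmd() {
    distro="$1"; major="${2%%.*}"; like="${3:-}"
    case "$distro" in
        ubuntu) echo "apt install pax"; return 0 ;;
        centos|rhel) ;;          # handled by the version check below
        *)
            # Assumption: anything declaring CentOS/RHEL ancestry in ID_LIKE
            # is treated as a CentOS derivative.
            case " $like " in
                *" centos "*|*" rhel "*) ;;
                *) echo "unknown"; return 0 ;;
            esac ;;
    esac
    case "$major" in
        7) echo "yum install pax" ;;
        8) echo "dnf install spax" ;;
        *) echo "unknown" ;;
    esac
}

# pax_report: print "ok <path>" when pax is present, otherwise
# "missing <install command>" so the line can be fed to monitoring.
pax_report() {
    if pax_present; then
        echo "ok $(command -v pax)"
        return 0
    fi
    ID=""; VERSION_ID=""; ID_LIKE=""
    # shellcheck disable=SC1091
    [ -r /etc/os-release ] && . /etc/os-release
    echo "missing $(pax_install_cmd "$ID" "$VERSION_ID" "$ID_LIKE")"
    echo "after installing, restart Zimbra as the zimbra user: zmcontrol restart"
}

pax_report
```

Run it as root (or any user that can read /etc/os-release) on every Zimbra host; a "missing" line means Amavis is currently on the cpio fall-back path described in the post, so install the printed package and then restart Zimbra as shown above.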


This issue will also be addressed in the next Zimbra patch where
we will make pax a requirement of Zimbra.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email: cert@support.renater.fr +
=========================================================
