===================================================================
CERT-Renater Note d'Information No. 2022/VULN377
_____________________________________________________________________

DATE                 : 12/10/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zimbra versions prior to
                       9.0.0 Patch 27 and 8.8.15 Patch 34.
===================================================================

https://blog.zimbra.com/2022/10/new-zimbra-patches-9-0-0-patch-27-8-8-15-patch-34/
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
_____________________________________________________________________

NEW! Zimbra Patches: 9.0.0 Patch 27 + 8.8.15 Patch 34
by Karyn Tan on October 10, 2022 in Product News, Product Updates, Zimbra Server

Hello Zimbra Friends, Customers & Partners,

Zimbra 9.0.0 “Kepler” Patch 27 and 8.8.15 “James Prescott Joule” Patch 34 are here.
The patches include What's New, Security Fixes, Fixed Issues and Known Issues as
listed in their respective release notes. Please refer to the release notes for the
patch installation on Red Hat and Ubuntu platforms.

Release Notes:
  - Zimbra 9.0.0 Patch-27
  - Zimbra 8.8.15 Patch-34

Note: Additional configuration for further hardening your Zimbra setup can be found
on the Zimbra Support Portal. It is recommended that all customers consider these
additional steps.

Please refer to Zimbra Releases for the latest releases and to the Zimbra Security
Center for security updates.

Thanks,
Your Zimbra Team
_____________________________________________________________________

Security fixes in these patches (fields: Bug#, Summary, CVE-ID, CVSS Score,
Zimbra Rating, Fix Release or Patch Version, Reporter):

Bug#                         : 80716
Summary                      : An attacker can use the cpio package to gain
                               incorrect access to any other user accounts.
                               Zimbra recommends pax over cpio.
CVE-ID                       : CVE-2022-41352
CVSS Score                   : 9.8
Zimbra Rating                : Major
Fix Release or Patch Version : 9.0.0 Patch 27, 8.8.15 Patch 34

Summary                      : Zimbra's sudo configuration permits the zimbra
                               user to execute the zmslapd binary as root with
                               arbitrary parameters.
CVE-ID                       : CVE-2022-37393
CVSS Score                   : 7.8
Zimbra Rating                : Medium
Fix Release or Patch Version : 9.0.0 Patch 27, 8.8.15 Patch 34
Reporter                     : Darren Martyn

Summary                      : XSS can occur via one of the attributes of an IMG
                               element, leading to information disclosure.
CVE-ID                       : CVE-2022-41348
CVSS Score                   : TBD
Zimbra Rating                : Medium
Fix Release or Patch Version : 9.0.0 Patch 27

Summary                      : XSS can occur via one of the attributes in the
                               search component of webmail, leading to
                               information disclosure.
CVE-ID                       : CVE-2022-41350
CVSS Score                   : TBD
Zimbra Rating                : Medium
Fix Release or Patch Version : 8.8.15 Patch 34
Reporter                     : Tin Pham aka TF1T of VietSunshine Cyber Security Services

Summary                      : XSS can occur via one of the attributes in the
                               compose component of webmail, leading to
                               information disclosure.
CVE-ID                       : CVE-2022-41349
CVSS Score                   : TBD
Zimbra Rating                : Medium
Fix Release or Patch Version : 8.8.15 Patch 34
Reporter                     : Tin Pham aka TF1T of VietSunshine Cyber Security Services

Summary                      : XSS can occur via one of the attributes in the
                               calendar component of webmail, leading to
                               information disclosure.
CVE-ID                       : CVE-2022-41351
CVSS Score                   : TBD
Zimbra Rating                : Medium
Fix Release or Patch Version : 8.8.15 Patch 34
Reporter                     : Tin Pham aka TF1T of VietSunshine Cyber Security Services

========================================================
+ CERT-RENATER        | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel    | fax   : 01-53-94-20-41          +
+ 75013 Paris         | email : cert@support.renater.fr +
========================================================
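Annex: a triage helper, added here as an example and not part of the CERT-Renater note or of Zimbra's own tooling. It turns the two actionable facts in the note into a check an administrator can run on a Zimbra host: whether the installed release is below 9.0.0 Patch 27 / 8.8.15 Patch 34, and whether pax (which Zimbra recommends over cpio for the CVE-2022-41352 issue) is available on the search path. It assumes that `zmcontrol -v` prints a "Release X.Y.Z..." line optionally followed by ", Patch X.Y.Z_Pn." (the sample outputs below are constructed, not captured from a real host) and that the binary lives at the default /opt/zimbra/bin/zmcontrol.

```python
"""
Patch-level triage for the Zimbra releases named in CERT-Renater 2022/VULN377.

Added example; not code from the CERT note or from Zimbra.
Assumptions (not stated on the page):
  * `zmcontrol -v` output looks like
    "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31."
    and the ", Patch X.Y.Z_Pn." suffix is absent on an unpatched GA install.
  * zmcontrol is installed at /opt/zimbra/bin/zmcontrol (default layout).
"""
import re
import shutil
from typing import Dict, Optional, Tuple

# Minimum fixed patch level per release line, taken from the note.
FIXED_PATCH: Dict[str, int] = {"9.0.0": 27, "8.8.15": 34}

_RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)")
_PATCH_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+)")


def parse_zmcontrol_version(text: str) -> Tuple[str, int]:
    """Return (release, patch_number) from `zmcontrol -v` output.

    An install with no "Patch ..._Pn" suffix is treated as patch level 0.
    A patch string that names a different release than the Release field is
    rejected rather than guessed at.
    """
    rel = _RELEASE_RE.search(text)
    if rel is None:
        raise ValueError("no 'Release X.Y.Z' field in zmcontrol output")
    release = rel.group(1)
    pat = _PATCH_RE.search(text)
    if pat is not None and pat.group(1) != release:
        raise ValueError(f"patch {pat.group(0)!r} does not match release {release}")
    patch = int(pat.group(2)) if pat else 0
    return release, patch


def below_fixed_level(release: str, patch: int) -> Optional[bool]:
    """True if below the fix level for this release line, False if at or above it,
    None if the release line is not one the note covers (e.g. 8.7.x)."""
    fixed = FIXED_PATCH.get(release)
    if fixed is None:
        return None
    return patch < fixed


def pax_available(path: Optional[str] = None) -> bool:
    """Zimbra recommends pax over cpio; report whether pax is on PATH
    (an explicit search path can be given, mainly for testing)."""
    return shutil.which("pax", path=path) is not None


def triage(zmcontrol_output: str, search_path: Optional[str] = None) -> Dict[str, object]:
    """Combine the version and pax checks into one verdict."""
    release, patch = parse_zmcontrol_version(zmcontrol_output)
    return {
        "release": release,
        "patch": patch,
        "needs_patch": below_fixed_level(release, patch),
        "pax_available": pax_available(search_path),
    }


# Constructed sample outputs, not captured from a real host.
SAMPLE_UNPATCHED = "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition."
SAMPLE_OLD_PATCH = ("Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, "
                    "Patch 8.8.15_P31.")
SAMPLE_FIXED = ("Release 9.0.0.GA.4293.UBUNTU18.64 UBUNTU18_64 FOSS edition, "
                "Patch 9.0.0_P27.")

if __name__ == "__main__":
    # On a real host, run as the zimbra user and feed the live output instead:
    #   import subprocess
    #   out = subprocess.run(["/opt/zimbra/bin/zmcontrol", "-v"],
    #                        capture_output=True, text=True).stdout
    for sample in (SAMPLE_UNPATCHED, SAMPLE_OLD_PATCH, SAMPLE_FIXED):
        print(triage(sample))
```

A `needs_patch` of None means the host runs a release line the note says nothing about, which is a reason to look it up on the Zimbra Security Advisories page rather than to treat it as safe.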