=====================================================================
CERT-Renater Note d'Information No. 2023/VULN094
_____________________________________________________________________
DATE : 23/02/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Zimbra versions prior to Kepler 9.0.0 Patch 30 GA or Joule 8.8.15 Patch 37 GA.
=====================================================================
https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P30#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P37#Security_Fixes
_____________________________________________________________________
Zimbra Collaboration Kepler 9.0.0 Patch 30 GA Release Security Fixes

(Each entry: Summary, then CVE-ID / CVSS Score / Zimbra Rating.)

1. Multiple security issues related to the possibility of reflected XSS (RXSS) attacks when printing messages and appointments have been fixed.
   CVE-ID: TBD | CVSS Score: TBD | Zimbra Rating: Low

2. The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities.
   CVE-ID: CVE-2023-0286, CVE-2022-4304 | CVSS Score: TBD | Zimbra Rating: Low

3. Previously, the account status was not validated when sending emails using 2FA. Additional validations of user accounts have been added to check the account status before allowing email operations.
   CVE-ID: TBD | CVSS Score: TBD | Zimbra Rating: Medium

4. The Perl Compress zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability (CVE-2018-25032).
   CVE-ID: CVE-2018-25032 | CVSS Score: 7.5 | Zimbra Rating: Low

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If this configuration was applied previously, it will have to be re-applied after upgrading to this patch.
_____________________________________________________________________
Zimbra Collaboration Joule 8.8.15 Patch 37 GA Release Security Fixes

(Each entry: Summary, then CVE-ID / CVSS Score / Zimbra Rating.)

1. The OpenSSL package has been upgraded to version 8.7b4 to fix multiple vulnerabilities.
   CVE-ID: CVE-2023-0286, CVE-2022-4304 | CVSS Score: TBD | Zimbra Rating: Low

2. Previously, the account status was not validated when sending emails using 2FA. Additional validations of user accounts have been added to check the account status before allowing email operations.
   CVE-ID: TBD | CVSS Score: TBD | Zimbra Rating: Medium

3. The Perl Compress zlib package has been upgraded to version 2.103-1 to fix an out-of-bounds access vulnerability (CVE-2018-25032).
   CVE-ID: CVE-2018-25032 | CVSS Score: 7.5 | Zimbra Rating: Low
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41        +
+ 75013 Paris             | email: cert@support.renater.fr +
=========================================================
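The following script, added here as a worked example and not part of the CERT-Renater note or of Zimbra's own tooling, checks whether a host is still below the patch levels named in this note (9.0.0 P30, 8.8.15 P37) and lists which of the fixes above it is missing. It assumes the release/patch line format that `zmcontrol -v` prints on a Zimbra server (the sample lines below are constructed for the example); the fix list and CVE numbers are taken from the note itself.

```python
import re

# Fixed patch levels from the advisory: Kepler 9.0.0 P30 and Joule 8.8.15 P37.
FIXED_PATCH = {"9.0.0": 30, "8.8.15": 37}

# (description, release lines the fix is listed for, CVE IDs given in the advisory).
# The RXSS fix is only listed in the 9.0.0 P30 notes; the other three appear in both.
FIXES = [
    ("RXSS when printing messages and appointments", ("9.0.0",), ()),
    ("OpenSSL package upgrade", ("9.0.0", "8.8.15"), ("CVE-2023-0286", "CVE-2022-4304")),
    ("2FA account-status validation before sending email", ("9.0.0", "8.8.15"), ()),
    ("Perl Compress zlib package upgrade", ("9.0.0", "8.8.15"), ("CVE-2018-25032",)),
]

# Assumed `zmcontrol -v` format, e.g.
#   Release 9.0.0.GA.4302.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P29.
VERSION_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)\.GA\.(\d+)")
PATCH_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+)", re.IGNORECASE)


def parse_zmcontrol_version(text):
    """Return (release, patch_level) from `zmcontrol -v` output.

    A GA install with no patch applied has no 'Patch ...' suffix; treat it as P0.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Release x.y.z.GA.nnnn' line found in input")
    release = m.group(1)
    p = PATCH_RE.search(text)
    patch = int(p.group(2)) if p else 0
    return release, patch


def assess(text):
    """Compare the host's patch level against the advisory's fixed levels.

    'vulnerable' is None when the release line is not one this advisory covers.
    """
    release, patch = parse_zmcontrol_version(text)
    fixed = FIXED_PATCH.get(release)
    result = {"release": release, "patch": patch, "fixed_patch": fixed,
              "vulnerable": None, "missing_fixes": [], "missing_cves": []}
    if fixed is None:
        return result
    result["vulnerable"] = patch < fixed
    if result["vulnerable"]:
        for desc, releases, cves in FIXES:
            if release in releases:
                result["missing_fixes"].append(desc)
                result["missing_cves"].extend(cves)
    return result


# Constructed sample outputs (not captured from real hosts) in the assumed format.
SAMPLES = {
    "kepler_p29": "Release 9.0.0.GA.4302.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P29.",
    "joule_p37": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 8.8.15_P37.",
    "joule_unpatched": "Release 8.8.15.GA.3869.RHEL7.64 RHEL7_64 FOSS edition.",
    "other_release": "Release 10.0.0.GA.4518.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 10.0.0_P1.",
}


if __name__ == "__main__":
    # On a real server: assess(subprocess.check_output(["zmcontrol", "-v"], text=True))
    for name, line in SAMPLES.items():
        r = assess(line)
        print(f"{name}: {r['release']} P{r['patch']} -> vulnerable={r['vulnerable']}")
        for desc in r["missing_fixes"]:
            print(f"    missing: {desc}")
```

A host reporting `Patch 9.0.0_P29` is flagged as missing all four 9.0.0 fixes; an 8.8.15 host with no patch suffix is treated as P0 and flagged as missing the three fixes listed for Joule; a release line outside 9.0.0/8.8.15 is reported as not covered rather than as safe.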