Zimbra issues awaited patch for actively exploited vulnerability

Two weeks ago, we urged readers to apply a workaround for an actively exploited vulnerability in Zimbra Collaboration Suite (ZCS) email servers. Zimbra has released ZCS 10.0.2 that fixes two security issues, including the known bug that could lead to exposure of internal JSP and XML files.

Zimbra is an open source webmail application used for messaging and collaboration. The vulnerability, which could impact the confidentiality and integrity of users’ data, exists in Zimbra Collaboration Suite Version 8.8.15.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

  • CVE-2023-38750: Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability impacting the confidentiality and integrity of data.

CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog which means that all Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by August 17, 2023.

Reportedly, Maddie Stone from the Google Threat Analysis Group (TAG)—which first reported the vulnerability—confirmed that this issue was used by an Advanced Persistent Threat (APT) group in targeted attacks.

An XSS vulnerability allows attackers to inject malicious code into otherwise benign websites. In this case a command that could expose internal JSP and XML files.

A JSP file is a Java document used to dynamically generate a webpage using Jakarta Server Pages (JSP) functions. It is similar to an .ASP or .PHP file, except it contains Java code instead of ActiveX or PHP. Web servers parse JSP files and use them to generate HTML, which is sent to a user’s web browser.

Extensible Markup Language (XML) is the underlying technology in thousands of applications, ranging from common productivity tools like word processing to book publishing software and even complex application configuration systems.

CVE-2023-0464: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. The OpenSSL package has been upgraded.

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end.

Users that are not ready to install the new version are advised to apply the workaround as recommended by Zimbra.

The Zimbra workaround suggests you apply the following fix manually on all of your mailbox nodes:

  1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
  2. Then open to edit the active file and go to line number 40
  3. Change
    <input name="st" type="hidden" value="${param.st}"/>
    to
    <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

Zimbra notes that a service restart is not required so you can apply the manual workaround without any downtime.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

https://blog.malwarebytes.com/feed/

Leave a Reply