Security Advisory: Zimbra Community 8.x Security Vulnerability

Security is top of mind for everyone here at Zimbra, which is why we want to inform you that our team just discovered a security vulnerability in Zimbra Community 8.0 (formerly Telligent Community and Telligent Enterprise). The vulnerability is limited to a very specific scenario in which a user within Zimbra Community 8.0 is able to view another user's password via a specific API call.

Summary: The Zimbra development team has identified a very specific scenario where a user’s password in Community 8 is stored insecurely.

Affected Versions: 8.0.0.37997 (unpatched), 8.0.1.39116

Vulnerability Scoring: CVSS 1.4

Obtaining a fix: http://telligent.com/support/m/support/1354746.aspx

Details: The administrative feature for creating users uses non-public APIs that can cause a user's password to be inadvertently stored insecurely.

Reporter: Alex Crome (Zimbra)

When does this occur?

1. Creating a user through the control panel using Membership Administration (requires administrative privileges)

2. A custom plugin that copies the extended attributes from a create-user event and then re-saves those attributes through the UpdateUser API (this is unlikely, but possible)
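The two scenarios above come down to one pattern: the create path exposes the plaintext password in a transient attribute bag, and anything that persists that bag unfiltered (the control panel itself, or a plugin re-saving it through an UpdateUser-style call) stores the secret. The following is an added illustration, not Zimbra or Telligent code; every name in it (UserStore, CreateUserEvent, the two handlers, the audit routine, the SENSITIVE_KEYS list) is assumed for the example. It shows the naive plugin handler persisting the password, a hardened handler that drops denylisted keys and any value that verifies against the stored hash, and an audit that finds records where the password has already been written as an extended attribute.

```python
"""Hypothetical model of this advisory's failure mode; not Zimbra/Telligent code.

Assumed names: UserStore, CreateUserEvent, naive_plugin_handler,
hardened_plugin_handler, audit_plaintext_passwords, SENSITIVE_KEYS.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000
# Attribute keys a plugin must never round-trip into storage (assumed names).
SENSITIVE_KEYS = frozenset({"password", "passwd", "pwd", "secret"})


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'salthex:digesthex'; stands in for the platform's own hashing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(candidate: str, stored: str) -> bool:
    """Constant-time check of a candidate string against a stored hash."""
    salt_hex, digest_hex = stored.split(":", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class CreateUserEvent:
    username: str
    attributes: dict = field(default_factory=dict)  # transient bag given to plugins


class UserStore:
    """In-memory stand-in for the platform's user table."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def create_user(self, username: str, password: str) -> CreateUserEvent:
        self.users[username] = {"password_hash": hash_password(password),
                                "extended_attributes": {"source": "control-panel"}}
        # Defect being modelled: the internal create path leaks the plaintext
        # into the attribute bag that plugins receive with the create event.
        return CreateUserEvent(username, {"source": "control-panel", "password": password})

    def update_user(self, username: str, extended_attributes: dict) -> None:
        """UpdateUser-style call: persists the given attributes as-is."""
        self.users[username]["extended_attributes"] = dict(extended_attributes)


def naive_plugin_handler(store: UserStore, event: CreateUserEvent) -> None:
    """Scenario 2 of the advisory: copy every attribute and re-save it."""
    store.update_user(event.username, event.attributes)


def hardened_plugin_handler(store: UserStore, event: CreateUserEvent) -> None:
    """Drop denylisted keys and any value that verifies as the user's password."""
    stored_hash = store.users[event.username]["password_hash"]
    safe = {k: v for k, v in event.attributes.items()
            if k.lower() not in SENSITIVE_KEYS
            and not (isinstance(v, str) and verify_password(v, stored_hash))}
    store.update_user(event.username, safe)


def audit_plaintext_passwords(store: UserStore) -> list[tuple[str, str]]:
    """Return (username, key) for every stored attribute that holds the password."""
    findings = []
    for username, record in store.users.items():
        for key, value in record["extended_attributes"].items():
            if key.lower() in SENSITIVE_KEYS or (
                    isinstance(value, str) and verify_password(value, record["password_hash"])):
                findings.append((username, key))
    return findings


if __name__ == "__main__":
    store = UserStore()
    naive_plugin_handler(store, store.create_user("alice", "correct horse"))
    print("naive handler, audit findings:", audit_plaintext_passwords(store))
    store = UserStore()
    hardened_plugin_handler(store, store.create_user("bob", "s3cret"))
    print("hardened handler, audit findings:", audit_plaintext_passwords(store))
```

The audit checks values against the stored hash rather than only matching key names, so it also catches a password that a plugin copied under an unexpected key; on a real deployment the equivalent check would run over an export of user extended attributes after the patch is applied, to find records written before the fix.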

If you have any questions or would like assistance with applying the patch, please contact support.


4 Responses to Security Advisory: Zimbra Community 8.x Security Vulnerability

  1. Kelly July 8, 2014 at 11:23 AM #

    Hi, we are having some problems after upgrading Zimbra to version 8.0.7. One of them is the automatic updating of the inbox. We observe that this happens when any change is made in the Preferences of the mail account. One example: when the mail signature was changed. Is there any procedure or patch that we can apply? Thanks in advance.

  2. Roberto Gil July 9, 2014 at 11:06 AM #

    I need help. There was a bombardment of viruses against the ZIMBRA administrator server in Brazil, through INOVA. My e-mail was logged off and my password was changed. INOVA does not answer phone calls or attempts at contact. What do I have to do???

  3. Roberto Gil July 9, 2014 at 11:13 AM #

    Please, replies here or to the email: rguchoa@ig.com.br

Trackbacks/Pingbacks

  1. Security Advisory: Zimbra Community 8.x Security Vulnerability - Zimbra Security News - Zimbra Security Center - Zimbra | Telligent - July 1, 2014

    […] This advisory was originally published here.  […]
