Zimbra 8.8.15 patch 33 and Zimbra 9.0.0 patch 26 contain an important security update that fixes an authentication bypass in MailboxImportServlet (CVE-2022-37042 and CVE-2022-27925).
If you are running a Zimbra version that is older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26 you should update to the latest patch as soon as possible.
More information about the specific patch can be found at:
- https://wiki.zimbra.com/index.php/Zimbra_Releases/8.8.15/P33
- https://wiki.zimbra.com/index.php/Zimbra_Releases/9.0.0/P26
You can also check our security center page for updates on vulnerabilities and their corresponding fixes:
Hello,
A quick question: for those of us that had 8.8.15 P31 installed (which fixed the original CVE-2022-27925, categorized as Medium), are we safe from this security issue or do we also need to patch as soon as possible?
Please update to the latest patch to apply all security fixes, thanks!
One should wonder why most of the /opt/zimbra tree is owned – and thus writable – by the zimbra user by default.
If /opt/zimbra/jetty/webapps/zimbra/public (and the files in it) were owned by root, the impact of this exploit would have been much less, as an attacker then couldn’t write any files that he can execute remotely.
As a best practice, only logs, databases, and other runtime data (like jetty workdir) should be owned by the service user, and everything else, in particular executables, owned by root.
Can Zimbra please reconsider this?
Thanks for the feedback, I agree we should consider this, and I have filed your request via ticket ZBUG-2975.
Hello.
After applying this patch, older versions of Outlook (2010 and earlier) stopped authenticating via POP3 SSL and IMAP SSL.
Is there any alternative?
Hello Marcelo,
This is probably due to the update of Java to version 17, where some out-of-date TLS algorithms have been disabled. Please open a support case to find out what can be done to enable legacy client support.
Thanks, Barry
Hello, I would like to know what is the relation between GA version or build and patch.
For example, my server is (“NAME” “Zimbra” “VERSION” “8.8.15_GA_4372” “RELEASE” “20220726082327”)
What patch do I have on my server? 32? 33? 34?
Is my server affected by the vulnerability CVE-2022-38465?
Does any table or feed exist to get this information?
Thank you so much.
To find the current patch level you can run from the command line:
sudo su zimbra -
zmcontrol -v
Example output:
Release 9.0.0_GA_3924.RHEL7_64_20200331010312 RHEL7_64 NETWORK edition, Patch 9.0.0_P27.
The entire string before "Patch" is set when you first run the installer to install Zimbra OR when you do a major version upgrade (8.x to 9.x, for example), so the first part does not change that often.
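As an added example (not code from Zimbra or from the commenters above), the following Python snippet parses `zmcontrol -v` output in the form shown in the reply and compares the patch number against the fixed levels named in the advisory (8.8.15 P33 and 9.0.0 P26); the first sample line is the example output above, the other two are constructed.

```python
import re

# Minimum patch level carrying the MailboxImportServlet fix, per the advisory above.
FIXED_PATCH = {"8.8.15": 33, "9.0.0": 26}

# Matches the one-line output of `zmcontrol -v`, e.g.
#   Release 9.0.0_GA_3924.RHEL7_64_20200331010312 RHEL7_64 NETWORK edition, Patch 9.0.0_P27.
# The ", Patch ..." suffix is absent on a GA install with no patch applied.
ZMCONTROL_RE = re.compile(
    r"Release (?P<version>\d+\.\d+\.\d+)_GA_(?P<build>\d+)"
    r"\.(?P<platform>\S+?)_(?P<stamp>\d{14})\s+\S+\s+(?P<edition>\w+) edition"
    r"(?:, Patch \d+\.\d+\.\d+_P(?P<patch>\d+))?\."
)


def parse_zmcontrol_version(line: str) -> dict:
    """Split `zmcontrol -v` output into version, build, platform, stamp, edition and patch."""
    m = ZMCONTROL_RE.search(line.strip())
    if not m:
        raise ValueError(f"unrecognised zmcontrol -v output: {line!r}")
    info = m.groupdict()
    # No ", Patch" suffix means plain GA, which we treat as patch level 0.
    info["patch"] = int(info["patch"]) if info["patch"] is not None else 0
    return info


def assess(line: str) -> tuple[str, int, str]:
    """Return (version, patch, verdict); verdict is 'fixed', 'vulnerable' or 'not-covered'."""
    info = parse_zmcontrol_version(line)
    required = FIXED_PATCH.get(info["version"])
    if required is None:
        verdict = "not-covered"  # the advisory names no fixed patch for this release line
    elif info["patch"] >= required:
        verdict = "fixed"
    else:
        verdict = "vulnerable"
    return info["version"], info["patch"], verdict


# First line is the example output quoted above; the other two are constructed samples.
SAMPLES = [
    "Release 9.0.0_GA_3924.RHEL7_64_20200331010312 RHEL7_64 NETWORK edition, Patch 9.0.0_P27.",
    "Release 8.8.15_GA_4372.UBUNTU18_64_20220726082327 UBUNTU18_64 NETWORK edition, Patch 8.8.15_P31.",
    "Release 8.8.15_GA_0000.UBUNTU18_64_20000101000000 UBUNTU18_64 FOSS edition.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        version, patch, verdict = assess(sample)
        print(f"{version} P{patch}: {verdict}")
```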