Patch Release: Multiple security issues related to Cross-Site Scripting (XSS) addressed and resolved

Patch Security Severity: Medium

Deployment Risk: Medium

This release focuses on essential security fixes and user-experience improvements for the following editions

General Support for Zimbra 9.0.0 (support, security patches, and updates) will last through 12/31/2024

One-time fix for Zimbra 8.8.15

Zimbra 8.8.15 reached the end of general support last year. However, a one-time fix is being delivered for a critical security issue that has a significant impact on the many deployments still running this version. It is recommended that you upgrade to the latest Zimbra Daffodil version.

The patches updated on Sep 04 include the following in their respective releases:

What’s New

Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

RHEL 9, Rocky 9, Oracle 9 Support (Beta)
Available for 10.1.1. Watch for the GA announcement in an upcoming patch release.

Ubuntu 22 GA
Available for 10.1.1. Ubuntu 22 Pro subscription is required to enable FIPS mode.

Zimbra Collaboration
The Hide Alias in GAL feature lets the admin hide user aliases from the Global Address List. Admins can control this through the CLI and the Admin Console.

Modern Web App
New features that comply with usability guidelines and improve the mobile experience have been added. Users may now export and download emails as EML files, benefit from better calendar management, and choose from more font options.

And many more new features

Security Enhancements

Cross-Site Scripting (XSS)
Multiple issues addressed and resolved

Fixed Issues

  • Zimbra Collaboration
  • Modern Web App
  • Classic Web App
  • Admin Web Console
  • Zimbra Connector for Outlook

#ICYMI (In-Case-You-Missed-It)

(1) Price Adjustments

Zimbra has introduced a price increase on all Zimbra offerings to take effect on Oct 1, 2024.

While Zimbra has maintained stable pricing for the last ten years, the inflationary environment has made it harder to keep prices unchanged.

We are prioritizing innovative features in a more frequent release cadence. This aligns with our planned price increase in October, ensuring our partners and customers receive enhanced value from their investments.

Visit the Partner Portal to download the new price list. Customers are advised to contact their Zimbra representative for more details.


(2) New License for Zimbra Daffodil 10.1

It is mandatory to obtain a new license key to run the Zimbra Daffodil 10.1 software.
You will not be able to proceed without a new Zimbra Daffodil V10.1 license key (including trial licenses).

Before installation, it is highly recommended to review the release notes and installer guides to ensure a smooth setup process –

Zimbra Chat and Video will be available in the coming weeks.


(3) ZCO Email Functionality

Upgrade to the latest Outlook version and enjoy seamless email sending through the latest ZCO build.


You may find the most recent ZCO package at https://www.zimbra.com/product/addons/zimbra-connector-for-outlook-download/

Refer to the release notes for the patch installation on Red Hat and Ubuntu platforms.

An upgrade to the latest patch for your version is highly recommended. Refer to our blog and the Zimbra Security Center for steps to ensure your system is safe.

2 Responses to Patch Release: Multiple security issues related to Cross-Site Scripting (XSS) addressed and resolved

  1. Geert, September 6, 2024 at 4:08 AM

    This patch security severity is rated “medium”, yet there is one “critical security issue that has a significant impact on many deployments that are still running in this version”, that even warranted a patch release for Zimbra 8.8.15 past its EOL date?

    Which one is the critical issue please, so we can focus on it?
    Is it postjournal? As a mitigation, this file can simply be removed on most systems as it’s completely optional?

    • Ashish Kataria, September 19, 2024 at 3:21 AM

      Hi Geert,

      The patch you mentioned does indeed address a critical vulnerability related to the postjournal binary. To mitigate this issue, Zimbra has already provided a patch for the postjournal binary. While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation.
      For Zimbra systems where the postjournal feature is not enabled and the patch cannot be applied immediately, removing the postjournal binary could be considered as a temporary measure until the patch can be applied.
      We strongly recommend applying the provided patches to ensure proper mitigation of this vulnerability.

      Ashish Kataria
      Security Architect Engineer | Synacor

Copyright © 2022 Zimbra, Inc. All rights reserved.