Urgency on Security Fixes for Bug 80338 and Bug 84547

Submitted by admin on Tue, 02/11/2014 - 11:20

Last updated on Tue, 02/11/2014 - 11:46

Bug 80338 (Feb 2013) is a Local File Inclusion vulnerability that leads to potential Privilege Escalation:

Bug 80338: Privilege Escalation via LFI
CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091&cid=3

Bug 84547 is a newer Critical Security Vulnerability (Dec 2013) for which further details have not been released (in order to protect other customers):

Bug 84547: Critical Security Vulnerability
CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7217

There is great urgency to get this patched on your platform, as there is an exploit for Bug 80338 in the wild, discussed here:

http://www.zimbra.com/forums/announcements/67236-security-guidance-reported-0day-exploit.html
http://www.exploit-db.com/exploits/30085/

It has been used to install upload and bitcoin-mining Zimlets (and potentially others) on some customer systems. You can read about the clean-up steps for this here:

https://wiki.zimbra.com/wiki/Investigating_and_Securing_Systems
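As a companion to the clean-up steps linked above, the following is an added example (not part of this post, and not Zimbra's own tooling) of the kind of check a defender would run while investigating: it scans web-server access logs for directory-traversal sequences, the usual shape of a Local File Inclusion probe, in raw, URL-encoded and double-URL-encoded form. The log format, the `find_lfi_attempts` function name and the sample log lines are assumptions constructed for the example; the URIs shown are generic traversal patterns, not the signature of the Bug 80338 exploit.

```python
"""Scan Common Log Format access logs for directory-traversal / LFI attempts.

Generic, defensive check (added example; assumes CLF-style logs). It flags any
request whose path or query contains a parent-directory step ("../" or "..\\")
after percent-decoding, so encoded and double-encoded variants are caught too.
"""
import re
from urllib.parse import unquote

# A parent-directory step after decoding: "../" or "..\"
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so ..%252F (double-encoded) is caught; bounded."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_attempt(uri: str) -> bool:
    """True if the decoded URI contains a parent-directory step."""
    return TRAVERSAL.search(fully_decode(uri)) is not None


def find_lfi_attempts(lines):
    """Return (client, time, uri, status) for each request that looks like an LFI probe."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line; a real tool would count and report these
        if is_traversal_attempt(m.group("uri")):
            hits.append((m.group("client"), m.group("time"),
                         m.group("uri"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic); the traversal URIs are generic probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2014:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2014:03:12:02 +0000] "GET /app/view?file=../../../../etc/passwd HTTP/1.1" 200 1893',
    '198.51.100.7 - - [10/Feb/2014:03:15:44 +0000] "GET /app/view?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893',
    '198.51.100.7 - - [10/Feb/2014:03:15:45 +0000] "GET /app/view?file=..%252F..%252Fconf%252Flocal.xml HTTP/1.1" 404 210',
    '192.0.2.9 - - [10/Feb/2014:03:20:00 +0000] "GET /css/style..v2.css HTTP/1.1" 200 330',
]

if __name__ == "__main__":
    for client, when, uri, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"{when} {client} status={status} uri={uri}")
```

A hit with a 200 status deserves priority over one with a 404, since the server served something in response to the probe; the matched client addresses and times are what you would take into the clean-up procedure on the wiki page above.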

As noted, there are patches and upgrades available here:

http://info.zimbra.com/zimbra-news-new-patch-release-new-training-courses-and-upcoming-events
http://www.zimbra.com/forums/announcements/68390-critical-security-patches-posted-8-0-x-7-2-x.html
http://www.zimbra.com/forums/announcements/67336-critical-security-vulnerability-addressed-7-2-6-8-0-6-maintenance-releases.html

Please let us know if you have further questions. Sorry for the difficulties on this.

Supported By Jabetto