Another issue was found that affects amavisd-new in the 9.1.1 version. An attacker can upload arbitrary files through amavisd-new via a gzip loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public), which can lead to unauthorized access to other user accounts. Zimbra recommends pax over gzip. pax is already among the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavisd-new automatically prefers it over gzip. As a precaution, amavisd-new has been disabled in 9.1.1.
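The mitigation above depends on two things an administrator can verify on the host: that pax is actually installed (so amavisd-new will prefer it), and that nothing unexpected has already landed in the public webapp directory the advisory names as the extraction target. The following POSIX shell script is an added example written for this page, not Zimbra's own tooling; the allowlist file format (one expected file name per line) and the ZIMBRA_PUBLIC_DIR override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of Zimbra or amavisd-new. Checks that pax is on
# PATH and inventories the Zimbra public webapp directory against an
# allowlist of expected file names. Directory path is from the advisory;
# the allowlist format and the environment override are assumptions.

ZIMBRA_PUBLIC_DIR="${ZIMBRA_PUBLIC_DIR:-/opt/zimbra/jetty/webapps/zimbra/public}"

# Returns 0 when pax can be found on PATH, 1 otherwise.
pax_available() {
    command -v pax >/dev/null 2>&1
}

# find_unexpected_files DIR ALLOWLIST
# Prints every regular file under DIR whose basename is not listed in
# ALLOWLIST (one name per line) and returns 1 if any were found, 0 if the
# directory only contains expected files.
find_unexpected_files() {
    dir="$1"
    allow="$2"
    count=0
    while IFS= read -r f; do
        # find prints nothing for an empty dir, which leaves one blank line
        [ -n "$f" ] || continue
        name=$(basename "$f")
        if ! grep -qxF -- "$name" "$allow"; then
            echo "unexpected: $f"
            count=$((count + 1))
        fi
    done <<EOF
$(find "$dir" -type f 2>/dev/null)
EOF
    [ "$count" -eq 0 ]
}

# Run both checks when invoked directly; exit non-zero if either fails.
run_checks() {
    status=0
    if pax_available; then
        echo "pax: installed, amavisd-new will prefer it"
    else
        echo "pax: NOT installed (install it; see advisory)"
        status=1
    fi
    if [ -r "$1" ]; then
        find_unexpected_files "$ZIMBRA_PUBLIC_DIR" "$1" || status=1
    else
        echo "allowlist '$1' not readable, skipping directory inventory"
    fi
    return $status
}

# Usage: ./check_zimbra_public.sh /path/to/allowlist.txt
if [ "${0##*/}" = "check_zimbra_public.sh" ]; then
    run_checks "${1:-/dev/null}"
fi
```

The allowlist is deliberately a plain file of names you generate from a known-good install (for example, right after deployment) so the check can run from cron and alert on any file that appears in the extraction target without a matching entry.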
Bug Fixing
One of the other issues fixed in the 9.1.1 patch is a bug that causes amavisd-new to fail to process email messages with a content type of multipart/alternative when using SMTP authentication. This bug prevents users from sending email via Zimbra from an external SMTP server.
amavisd-new versioning scheme
amavisd-new is a Perl daemon that implements antivirus scans for SMTP and POP3 messages in Zimbra. It also receives external updates to the virus definitions, which are uploaded to Zimbra using the amavisd-new upload command.
Versioning is done differently in 9.1.1: releases are now numbered explicitly, whereas in previous versions of amavisd-new version numbers were simply incremented (i.e., 9.0 -> 9.1).
Changes include:
* The release version number is no longer used; it is replaced by a "V" followed by a number indicating which patch level is installed, e.g., V9_1_0_60
* The "update" command can only be used to download/install one patch level at a time
* The "update" command now supports multiple patches
* The "version" and "upgrade" commands have been removed; they're provided by amavisd-new upload --version and amavisd-new upgrade respectively
Timeline
Published on: 09/26/2022 02:15:00 UTC
Last modified on: 11/09/2022 20:42:00 UTC
References
- https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
- https://wiki.zimbra.com/wiki/Security_Center
- https://forums.zimbra.org/viewtopic.php?t=71153&p=306532
- http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41352