CVE-2022-37042 ZCS has mboximport to extract files from a ZIP archive.

In addition to the above mentioned fixed version, you should also be on 9.0-RC3, which has a fix for this vulnerability. Unfortunately due to the critical nature of this issue and the fact that it affects all Zimbra versions, we are recommending that everybody upgrade to ZCS 9.0 as soon as possible. If you cannot upgrade your system yet, you should consider disabling mboximport functionality in your environment. If you are using custom fields, you should consider reviewing all of your data for unexpected data.

Mitigation Strategies

ZCS 9.0 is the first release with this vulnerability fixed. If your organization is not yet on ZCS 9.0, you should consider upgrading as soon as possible.
If you cannot upgrade your system yet, you should consider disabling mboximport functionality in your environment. If you are using custom fields, you should consider reviewing all of your data for unexpected data.

ZCS 9.0 Release Notes

ZCS 9.0 release notes provide a list of all the major changes made in ZCS 9.0, including those that impact security. It is important to note that ZCS 9.0 has a fix for the CVE-2022-37042 vulnerability mentioned in this article and the fixes for other vulnerabilities noted in the release notes.
It is highly recommended that you upgrade to ZCS 9.0 as soon as possible.

Mitigation

To mitigate this issue, we recommend that you upgrade to ZCS 9.0 as soon as your environment is ready to be upgraded. To disable mboximport functionality, please follow the guidance listed on the following article:
https://wiki.zimbra.com/index.php?title=Unsupported_Features_in_ZCS9
If you are using custom fields, please review all of your data for unexpected data and make a backup before continuing with the upgrade.

ZCS Installation on Red Hat Enterprise Linux

If you are running ZCS on a Red Hat Enterprise Linux (RHEL) system, we strongly recommend that you upgrade to the latest version of ZCS. You can do this by running the following command:
yum update zimbra-cs
In addition to installing the latest version of ZCS, we also recommend configuring your firewall and monitoring your system for any signs of intrusion.

Timeline

Published on: 08/12/2022 15:15:00 UTC
Last modified on: 08/24/2022 15:15:00 UTC

References

• https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
• https://wiki.zimbra.com/wiki/Security_Center
• http://packetstormsecurity.com/files/168146/Zimbra-Zip-Path-Traversal.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-37042