CVE-2022-41352

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.

What this means in practice: amavis unpacks archive attachments of incoming mail before handing them to the scanners, and on a host without pax it falls back to cpio for that job. cpio's extraction does not stop an archive member from being written outside the extraction directory, so a crafted archive mailed to any mailbox on the server can place a file, running as the zimbra user, under the Jetty public directory named above, where Jetty serves it. The only thing the attacker needs is to get a message delivered to the server. The fix is to make sure pax is present (rpm -q pax on RHEL/CentOS, dpkg -s pax on Ubuntu), install it if it is missing, and restart Zimbra (zmcontrol restart as the zimbra user) so that amavis starts using it.
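The check an extractor needs before writing anything, as an added example in Python; this is not code from the advisory, from Zimbra or from amavis. It walks the members of a tar archive and flags names that are absolute or climb out of the extraction root with "..", symlinks and hardlinks whose targets escape, device nodes, and members whose path runs through an earlier symlink (the case a name-only check misses, because the member's own name looks clean). The sample archive is constructed for the example: the shell*.jsp names and the docs/public symlink are illustrative, and the only path taken from the advisory is the Jetty public directory.

```python
from __future__ import annotations

import io
import posixpath
import tarfile

# The directory named in the advisory; used here only to build the constructed sample.
ZIMBRA_PUBLIC = "opt/zimbra/jetty/webapps/zimbra/public"


def _escapes(path: str) -> bool:
    """True if a path, once normalised, would land outside the extraction root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def scan_tar(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that a naive extractor
    running as the mail-scanner user could turn into a write outside its sandbox."""
    findings: list[tuple[str, str]] = []
    symlink_dirs: set[str] = set()  # normalised names of symlink members seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            if _escapes(name):
                findings.append((name, "member path escapes extraction root"))
            # A member whose path runs through an earlier symlink is written wherever
            # that link points, even though its own name is clean.
            parts = posixpath.normpath(name).split("/")
            if any("/".join(parts[:i]) in symlink_dirs for i in range(1, len(parts))):
                findings.append((name, "path passes through an earlier symlink"))
            if m.issym():
                # Symlink targets resolve relative to the member's own directory.
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if _escapes(target):
                    findings.append((name, f"symlink target escapes extraction root: {m.linkname}"))
                symlink_dirs.add(posixpath.normpath(name))
            elif m.islnk() and _escapes(m.linkname):
                findings.append((name, f"hardlink target escapes extraction root: {m.linkname}"))
            elif m.isdev():
                findings.append((name, "device node in archive"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a captured exploit): one benign member and four hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:

        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)  # TarInfo keeps the name verbatim, unlike tar.add()
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("report.txt", b"quarterly numbers\n")                      # benign
        add_file("../../../../" + ZIMBRA_PUBLIC + "/shell.jsp", b"<% %>")   # dot-dot traversal
        add_file("/" + ZIMBRA_PUBLIC + "/shell2.jsp", b"<% %>")             # absolute path
        link = tarfile.TarInfo("docs/public")                               # symlink out of the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../../../" + ZIMBRA_PUBLIC
        tar.addfile(link)
        add_file("docs/public/shell3.jsp", b"<% %>")  # clean-looking name, lands through the link
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_tar(build_sample_archive()):
        print(f"{reason}: {member}")
```

Run it over an attachment before the extractor sees it and drop the whole archive on any finding rather than skipping the offending member: by the time a later member is processed, an earlier symlink has already changed where its path leads. The same name and link rules apply to cpio archives, which the Python standard library does not parse.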

Bug Fixing

One of the other issues fixed in the 9.1.1 patch is a bug that causes amavisd-new to fail to process email messages with a content type of multipart/alternative when using SMTP authentication. This bug prevents users from sending email via Zimbra from an external SMTP server.

amavisd-new versioning scheme

amavisd-new is a Perl daemon that sits between the Postfix MTA and the content scanners (in Zimbra, ClamAV for viruses and SpamAssassin for spam). It unpacks message attachments, archives included, before handing them to those scanners, and that unpacking step is where an external extractor such as pax or cpio is run. Virus definitions are not handled by amavisd-new at all: they belong to ClamAV and are refreshed by freshclam.

Versioning is done differently in 9.1.1, with the release being numbered; this was not the case in previous versions of amavisd-new where version numbers were simply incremented (i.e., 9.0 -> 9.1).
Changes include:
* The version number of the release is no longer used, instead it's replaced by a "V" followed by a number indicating which patch level is installed; e.g., V9_1_0_60
* The "update" command can only be used to download/install one patch level at a time
* The "update" command now supports multiple patches
* The "version" and "upgrade" commands have been removed; they're provided by amavisd-new upload --version and amavisd-new upgrade respectively

Timeline

Published on: 09/26/2022 02:15:00 UTC
Last modified on: 11/09/2022 20:42:00 UTC
