Cyber Security News

Hackers are Actively Exploiting Zero-day Flaw in Zimbra Server

Zimbra is a widely used email client, adopted by many organizations worldwide. The Zimbra Collaboration Suite provides a more comprehensive package of document storage, editing, instant messaging, mini calendar, and other easy-to-access administrative controls.

Recent reports indicate that Zimbra Collaboration Suite 8.8.15 has a vulnerability in the momoveto file on the web server, related to how the web server handles XML.

Update on Line number 40

The momoveto file is located in the /opt/zimbra/jetty/webapps/zimbra/m/ folder. Line number 40 of this file is vulnerable because its code does not escape XML characters in the st parameter.

Line number 40: <input name="st" type="hidden" value="${param.st}"/>

The above line writes the st request parameter into the page as-is, without escaping XML characters.

To fix this, Zimbra has recommended that users change the line to the following:

<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>

This line passes the parameter through fn:escapeXml, which escapes the XML characters.

Before updating the code, users are advised to back up the file. Zimbra does not require a restart after this update.

This update must be made on all the mailbox nodes to have the highest level of security on Zimbra servers.
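The manual steps above (back up the file, replace the expression on line 40, repeat on each mailbox node) can be scripted. The following is an added example, not Zimbra's tooling and not part of the original article; the function names and the backup-directory argument are assumptions, and it matches the expression text rather than the line number.

```sh
#!/bin/sh
# Added example, not Zimbra's own tooling. The default path is the one named
# in the article; function names and the backup location are assumptions.
MOMOVETO=/opt/zimbra/jetty/webapps/zimbra/m/momoveto

# Print "vulnerable", "patched" or "unknown" for the given file.
momoveto_status() {
    if grep -qF 'value="${param.st}"' "$1"; then
        echo vulnerable      # raw request parameter echoed into the attribute
    elif grep -qF 'value="${fn:escapeXml(param.st)}"' "$1"; then
        echo patched
    else
        echo unknown         # line differs from both forms: inspect by hand
    fi
}

# Back up the file into $2 (default: $HOME, outside the webapp tree), then
# rewrite the unescaped expression. Returns 0 if the file ends up patched.
momoveto_fix() {
    f=${1:-$MOMOVETO}
    bdir=${2:-$HOME}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    case $(momoveto_status "$f") in
        patched) echo "already patched: $f"; return 0 ;;
        unknown) echo "unrecognised content, not touching: $f" >&2; return 3 ;;
    esac
    bak="$bdir/momoveto.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$f" "$bak" || return 1
    tmp=$(mktemp) || return 1
    # Writing back with cat keeps the original file's owner and mode.
    if sed 's/value="\${param\.st}"/value="${fn:escapeXml(param.st)}"/' "$f" >"$tmp" &&
       cat "$tmp" >"$f"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1
    fi
    [ "$(momoveto_status "$f")" = patched ] && echo "patched $f (backup: $bak)"
}

# Run as: sh fix-momoveto.sh <file> [backup-dir] on every mailbox node.
if [ $# -gt 0 ]; then momoveto_fix "$@"; fi
```

Running `momoveto_status` alone gives a read-only check that can be repeated across mailbox nodes to confirm none was missed.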

Update in July Patch

The fix for this vulnerability is planned for release with the July patch, as mentioned by the Zimbra team.

Users of Zimbra are recommended to take appropriate actions to prevent servers from being exploited by threat actors.

Zimbra, owned by Synacor, is the leading open-source message and collaboration tool used by more than 5000 companies with millions of users worldwide.

The company has a revenue of $5.2 million as of 2022, with more than 500 employees all over the world.

Eswar
