Patch for Zimbra 8.8.15 Zero-day Exploit


Zimbra has released a hotfix for the Zimbra zero-day exploit. If you are running Zimbra 8.8.15 on Ubuntu 16.04 or later, or on CentOS 7/RHEL 7 or later, you can patch with an apt update or yum update command.

Unfortunately, the new patch is not available for Zimbra 8.8.15 on Ubuntu 14 or CentOS 6; the latest version for Ubuntu 14 or CentOS 6 is patch 28. Fortunately, you can patch manually using the script created by JDunphy here.

Here is how I use that script for manual patching.

# Update Patch

Please make sure you have already patched to the latest version (Patch 28).

Ubuntu

apt update -y && apt upgrade -y

CentOS

yum update -y && yum upgrade -y

# Backup File

mkdir -p /srv/ai/Patch30
cp /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag /srv/ai/Patch30/
cp /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag /srv/ai/Patch30/

# Download Patch Script

curl -k https://raw.githubusercontent.com/imanudin11/script/master/xss-zeroDay.sh > /srv/ai/Patch30/xss-zeroDay.sh
chmod +x /srv/ai/Patch30/xss-zeroDay.sh
/srv/ai/Patch30/xss-zeroDay.sh

# Compare files (before and after the manual patch)

diff /srv/ai/Patch30/multiDay.tag  /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
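As an added example (not the post's own commands and not JDunphy's script), the steps above wrapped in a script that records SHA-256 checksums of the backed-up tag files, fetches the patch script with certificate verification instead of curl -k, and checks that both tag files actually changed after the patch ran. The paths are the ones used in the post; ZIMBRA_TAGS and BACKUP_DIR are assumed environment overrides.

```bash
#!/bin/bash
# Added example, not from the original post: checksummed backup, verified
# download and a before/after check around the manual XSS patch.
set -eu

# Paths from the post; override via environment if your layout differs.
ZIMBRA_TAGS="${ZIMBRA_TAGS:-/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar}"
BACKUP_DIR="${BACKUP_DIR:-/srv/ai/Patch30}"
PATCH_URL="https://raw.githubusercontent.com/imanudin11/script/master/xss-zeroDay.sh"
TAG_FILES="multiDay.tag monthView.tag"

# Copy each tag file into the backup dir and record its sha256, so the
# pre-patch state can be verified later rather than just eyeballed with diff.
backup_tags() {
  local src="$1" dst="$2" f
  mkdir -p "$dst"
  : > "$dst/SHA256SUMS.before"
  for f in $TAG_FILES; do
    cp -p "$src/$f" "$dst/$f"
    sha256sum "$src/$f" >> "$dst/SHA256SUMS.before"
  done
}

# Fetch the patch script with TLS verification (no -k), fail on HTTP errors
# and refuse to mark an empty download executable.
fetch_patch_script() {
  local dst="$1"
  curl -fsS "$PATCH_URL" -o "$dst/xss-zeroDay.sh"
  [ -s "$dst/xss-zeroDay.sh" ] || { echo "empty download" >&2; return 1; }
  chmod +x "$dst/xss-zeroDay.sh"
}

# Return 0 only if every backed-up tag file differs from the live one,
# i.e. the patch really touched them; report any file left unchanged.
verify_patched() {
  local src="$1" dst="$2" rc=0 f
  for f in $TAG_FILES; do
    if cmp -s "$dst/$f" "$src/$f"; then
      echo "UNCHANGED: $f" >&2; rc=1
    fi
  done
  return $rc
}

main() {
  backup_tags "$ZIMBRA_TAGS" "$BACKUP_DIR"
  fetch_patch_script "$BACKUP_DIR"
  "$BACKUP_DIR/xss-zeroDay.sh"
  verify_patched "$ZIMBRA_TAGS" "$BACKUP_DIR" && echo "patched: both tag files changed"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root with `--run`; without the flag it only defines the functions, so the backup and verification steps can be exercised on a scratch copy first.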

Congratulations, your Zimbra has been patched.

Good luck 🙂

8 comments

  1. After executing the update, some Zimbra services do not work for me. The services that do not start are amavis, antispam and antivirus. Could you help me?

    Thanks!

    1. Hi Albert,
      For Ubuntu 16 and later, just run the command apt update -y && apt upgrade -y. This article is for Ubuntu 14 or CentOS 6, which do not get the patch anymore.

  2. Hi, is it possible to install the latest patch RPMs for CentOS 6 locally (yum localinstall xxx-patch31.rpm)?
