Hi,
this https://nvd.nist.gov/vuln/detail/CVE-2025-24813 CVE smells like it affects Zimbra, and importantly, across many generations of installations.
Could anyone comment on what they think the impact is?
NIST writes:
'Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.'
I can see that there was this fix to Zimbra's setup in 10.1.6 which is a most basic and long missing improvement, and should(!) be a small mitigation: 'Write access to /opt/zimbra/jetty/webapps has been restricted to enhance security and mitigate potential risks.' I'm grateful that these things are now being improved (like auditd policies, too), all of which will make it more secure _and_ improve troubleshooting.
As they speak about a default servlet, there's a chance that it doesn't exist in Zimbra's deployment/tomcat, thus I'm asking.
Back in my web ops days we would absolutely make sure no default applications or default databases etc. existed on systems, but I frankly don't know enough to tell what's happening in Zimbra.
Statistics: Posted by darkfader — Thu Mar 13, 2025 6:35 pm
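The NVD text quoted in the post names two conditions that have to hold together: a Tomcat build inside the listed version ranges, and a Default Servlet with writes enabled (Tomcat's DefaultServlet init-param "readonly" set to "false"; Tomcat ships with it read-only). The script below is an added example, not Zimbra's or Tomcat's own code, that checks both against a Tomcat version banner and a web.xml. The banner strings and web.xml fragments are constructed for the demo; the affected ranges are copied from the NVD description above. It only says something about a Tomcat instance; the path quoted from the 10.1.6 notes (/opt/zimbra/jetty/webapps) is a Jetty tree, which this check does not cover.

```python
"""Added example (not Zimbra's or Tomcat's code): check a Tomcat instance for
the two conditions NVD names for CVE-2025-24813, as quoted in the post: an
affected Tomcat version and a write-enabled Default Servlet (init-param
"readonly" set to "false"; Tomcat's own default is read-only).

The version banners and web.xml fragments below are constructed for the demo.
On a real host you would read conf/web.xml from the Tomcat install and the
version from `catalina.sh version` or the server's Server header.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as in the NVD text; milestone builds (e.g. 11.0.0-M1)
# are treated as the .0 release of their line, which keeps them inside the range.
AFFECTED_RANGES = [
    ((11, 0, 0), (11, 0, 2)),
    ((10, 1, 0), (10, 1, 34)),
    ((9, 0, 0), (9, 0, 98)),
]

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(banner):
    """'Apache Tomcat/9.0.98', '11.0.0-M1' or '9.0.0.M1' -> (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M\d+)?", banner)
    if not m:
        raise ValueError(f"no Tomcat version found in {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(banner):
    v = parse_version(banner)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def _local(tag):
    # web.xml carries a default namespace; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_writable(web_xml_text):
    """True if web.xml declares the DefaultServlet with readonly=false.

    A missing readonly param means Tomcat's default (true), i.e. not writable.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if _child_text(param, "param-name") == "readonly":
                return (_child_text(param, "param-value") or "").lower() == "false"
        return False
    return False


def assess(banner, web_xml_text):
    """Combine both checks; 'exposed' is only True when both conditions hold."""
    ver = is_affected_version(banner)
    writable = default_servlet_writable(web_xml_text)
    return {"version_affected": ver, "default_servlet_writable": writable,
            "exposed": ver and writable}


# Constructed web.xml fragments: the first carries the weak setting, the second
# the corrected one (readonly left at Tomcat's default by dropping the param).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for banner in ("Apache Tomcat/9.0.98", "Apache Tomcat/9.0.99"):
        print(banner, assess(banner, WEAK_WEB_XML), assess(banner, HARDENED_WEB_XML))
```

The interesting branch is the one where the version is affected but the Default Servlet is still read-only: that is the state a stock Tomcat install is in, and it is why the question of whether a deployment actually enables writes matters more than the version string alone.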