Robert Scheck

• Homepage
• Linux
• Internet
• Security
  • Advisories
  • Suchen
• IRC-Chat
• Tools
• FTP
• Kontakt
• Links

CVE-2014-5449: Incorrect default permissions in Zarafa

Am 15. August 2014 habe ich entdeckt, dass die standardmäßigen Verzeichnisberechtigungen von "/var/lib/zarafa-webaccess/tmp/" (Zarafa WebAccess) und "/var/lib/zarafa-webapp/tmp/" (Zarafa WebApp) nicht ausreichend restriktiv genug sind. Damit kann ein lokaler Angreifer lesend auf temporär gespeicherte Session-Daten von Zarafa WebAccess und Zarafa WebApp, wie z.B. von Benutzern hochgeladene Dateianhänge für E-Mails, zugreifen. Nachfolgend das Security Advisory in englischer Sprache:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

For accessing e-mails, calendars, contacts and tasks of the groupware platform via the web, Zarafa provides the Zarafa WebAccess and the Zarafa WebApp as clients/frontends. The Zarafa WebApp is a fork and the successor of the Zarafa WebAccess. Both web clients/frontends have on server-side temporary directories which contain PHP session data such as by Zarafa users uploaded e-mail attachments. But the default permissions of these temporary directories are world-readable, thus a local attacker could access these files read-only.

CVSS v2 metrics

• Base Score: 2.1
• Base Metrics: AV:L/AC:L/Au:N/C:P/I:N/A:N
• Access Vector: Local
• Access Complexity: Low
• Authentication: None
• Confidentiality Impact: Partial
• Integrity Impact: None
• Availability Impact: None

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However, depending on the gained content of the read-only accessible temporary data, information leaks or further attacks might be possible. The exact path names of the temporary directories changed over the time and releases.

Reproducability

Even the following commands could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not.

robert@tux:~ > id
uid=1000(robert) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
robert@tux:~ >

A system with Zarafa WebAccess is affected if the following command can be run as non-privileged system user without any permission error and the temporary directory itself has world readable permissions.

robert@tux:~ > ls -la /var/lib/zarafa-webaccess/tmp/
total 36
drwxr-xr-x. 4 apache apache 4096 Sep 3 10:22 .
drwxr-xr-x. 4 root root 4096 Sep 3 10:22 ..
drwxr-xr-x. 3 apache apache 4096 Sep 8 22:03 attachments
drwxr-xr-x. 2 apache apache 20480 Sep 8 22:10 session
robert@tux:~ >

When using Zarafa WebApp rather Zarafa WebAccess the following command can be used. The system is affected if the temporary directory itself has world readable permissions.

robert@tux:~ > ls -la /var/lib/zarafa-webapp/tmp/
total 16
drwxr-xr-x. 4 apache apache 4096 Sep 3 10:57 .
drwxr-xr-x. 3 root root 4096 Sep 3 10:57 ..
drwxr-xr-x. 2 apache apache 4096 Sep 12 13:40 attachments
drwxr-xr-x. 2 apache apache 4096 Sep 12 13:40 session
robert@tux:~ >

Workaround

Until a fixed version of the Zarafa WebAccess is available (or for a system where a possible future update can not be applied for different reasons) the following commands can be used to correct the wrong permissions.

tux:~ # chown root /var/lib/zarafa-webaccess/tmp/
tux:~ # chmod 770 /var/lib/zarafa-webaccess/tmp/
tux:~ #

When using Zarafa WebApp rather Zarafa WebAccess the following commands can be used to correct the wrong permissions.

tux:~ # chown root /var/lib/zarafa-webapp/tmp/
tux:~ # chmod 770 /var/lib/zarafa-webapp/tmp/
tux:~ #

Both command sections above are however only treated as a workaround because a possible non-fixed intermediate update of Zarafa WebAccess or Zarafa WebApp might revert these manually corrected permissions again.

Affected versions

• Zarafa WebAccess 4.1 Final, released 2006-02-22
• Zarafa WebAccess 4.11 Final, released 2006-03-25
• Zarafa WebAccess 4.20 Final (4211), released 2006-07-24
• Zarafa WebAccess 4.21 Final, released 2006-09-28
• Zarafa WebAccess 4.22 Final (4934), released 2006-10-23

• Zarafa WebAccess 5.00 Final, released 2006-12-18
• Zarafa WebAccess 5.01 Final, released 2007-02-26
• Zarafa WebAccess 5.02 Final (6453), released 2007-04-23
• Zarafa WebAccess 5.10 Final, released 2007-06-25
• Zarafa WebAccess 5.11 Final (7310), released 2007-08-21

• Zarafa WebAccess 5.20 Beta 1 (7332), released 2007-08-30
• Zarafa WebAccess 5.20 Beta 2 (7553), released 2007-09-06
• Zarafa WebAccess 5.20 RC 1 (7838), released 2007-09-21
• Zarafa WebAccess 5.20 Final (8007), released 2007-10-05
• Zarafa WebAccess 5.21 RC 1 (8123), released 2007-10-12
• Zarafa WebAccess 5.21 Final (8123), released 2007-10-29
• Zarafa WebAccess 5.22 Beta 1 (8452), released 2007-11-12
• Zarafa WebAccess 5.22 Beta 2 (8638), released 2007-11-27
• Zarafa WebAccess 5.22 RC 1 (8746), released 2007-12-06
• Zarafa WebAccess 5.22 RC 2 (8825), released 2007-12-12
• Zarafa WebAccess 5.22 Final (8825), released 2007-12-19
• Zarafa WebAccess 5.23 Beta 1 (9659), released 2008-02-19
• Zarafa WebAccess 5.23 RC 1 (9742), released 2008-02-29
• Zarafa WebAccess 5.23 Final (9742), released 2008-03-14
• Zarafa WebAccess 5.24 Beta 1 (10056), released 2008-04-10
• Zarafa WebAccess 5.24 RC 1 (10297), released 2008-05-20
• Zarafa WebAccess 5.24 Final (10384), released 2008-05-28
• Zarafa WebAccess 5.25 RC 1 (10783), released 2008-07-15
• Zarafa WebAccess 5.25 RC 2 (11089), released 2008-08-13
• Zarafa WebAccess 5.25 Final, released 2008-09-08
• Zarafa WebAccess 5.26 RC 1 (11917), released 2008-10-06
• Zarafa WebAccess 5.26 Final (12031), released 2008-10-20

• Zarafa WebAccess 6.00 TP (8740), released 2007-12-05
• Zarafa WebAccess 6.00 Beta 1 (8861), released 2007-12-12
• Zarafa WebAccess 6.00 Beta 2 (8958), released 2007-12-19
• Zarafa WebAccess 6.00 Beta 3 (9192), released 2008-01-07
• Zarafa WebAccess 6.00 Beta 4 (9351), released 2008-01-17
• Zarafa WebAccess 6.00 Beta 5 (9429), released 2008-01-23
• Zarafa WebAccess 6.00 Beta 6 (9507), released 2008-01-31
• Zarafa WebAccess 6.00 RC 1 (9537), released 2008-02-06
• Zarafa WebAccess 6.00 RC 2 (9668), released 2008-02-20
• Zarafa WebAccess 6.00 RC 3 (9699), released 2008-02-21
• Zarafa WebAccess 6.00 RC 4 (9754), released 2008-02-28
• Zarafa WebAccess 6.00 Final (9772), released 2008-03-01
• Zarafa WebAccess 6.01 Final (9831), released 2008-03-17
• Zarafa WebAccess 6.02 Beta 1 (9915), released 2008-03-27
• Zarafa WebAccess 6.02 RC 1 (9978), released 2008-04-03
• Zarafa WebAccess 6.02 RC 2 (10119), released 2008-04-16
• Zarafa WebAccess 6.02 RC 3 (10171), released 2008-04-23
• Zarafa WebAccess 6.02 Final (10238), released 2008-05-07
• Zarafa WebAccess 6.03 Beta 1 (10306), released 2008-05-15
• Zarafa WebAccess 6.03 Beta 2 (10599), released 2008-06-20
• Zarafa WebAccess 6.03 RC 1 (10708), released 2008-07-07
• Zarafa WebAccess 6.03 RC 2 (10767), released 2008-07-11
• Zarafa WebAccess 6.03 Final (10850), released 2008-07-18
• Zarafa WebAccess 6.04 Beta 1 (11084), released 2008-08-07
• Zarafa WebAccess 6.04 RC 1 (11343)
• Zarafa WebAccess 6.04 RC 2 (11489), released 2008-09-04
• Zarafa WebAccess 6.04 Final (11575), released 2008-09-11
• Zarafa WebAccess 6.05 Beta 1 (11869), released 2008-09-25
• Zarafa WebAccess 6.05 RC 1 (12080), released 2008-10-09
• Zarafa WebAccess 6.05 RC 2 (12224), released 2008-10-23
• Zarafa WebAccess 6.05 Final (12338), released 2008-11-06

• Zarafa WebAccess 6.10 Beta 1
• Zarafa WebAccess 6.10 Beta 2 (9840), released 2008-03-20
• Zarafa WebAccess 6.10 Beta 3 (9997), released 2008-04-03
• Zarafa WebAccess 6.10 Beta 4 (10217), released 2008-04-29
• Zarafa WebAccess 6.10 RC 1 (10228), released 2008-05-07
• Zarafa WebAccess 6.10 RC 2 (10305), released 2008-05-23
• Zarafa WebAccess 6.10 RC 3 (10535), released 2008-06-17
• Zarafa WebAccess 6.10 Final, released 2008-07-08
• Zarafa WebAccess 6.11 Beta 1
• Zarafa WebAccess 6.11 Beta 2 (10897), released 2008-07-29
• Zarafa WebAccess 6.11 RC 1 (11344), released 2008-08-22
• Zarafa WebAccess 6.11 RC 2 (11490), released 2008-09-02
• Zarafa WebAccess 6.11 Final (11612), released 2008-09-10
• Zarafa WebAccess 6.12 Beta 1 (11955), released 2008-10-01
• Zarafa WebAccess 6.12 RC 1 (12225), released 2008-11-21
• Zarafa WebAccess 6.12 RC 2 (13060), released 2009-01-15
• Zarafa WebAccess 6.12 Final (13060), released 2009-01-23

• Zarafa WebAccess 6.20 Beta 1 (11098), released 2008-08-06
• Zarafa WebAccess 6.20 Beta 2 (11647), released 2008-09-12
• Zarafa WebAccess 6.20 Beta 3 (11749), released 2008-09-18
• Zarafa WebAccess 6.20 Beta 4 (11804), released 2008-09-23
• Zarafa WebAccess 6.20 Beta 5 (12487), released 2008-11-14
• Zarafa WebAccess 6.20 Beta 6 (12710), released 2008-12-04
• Zarafa WebAccess 6.20 RC 1 (12850), released 2008-12-16
• Zarafa WebAccess 6.20 RC 2 (12993), released 2008-12-30
• Zarafa WebAccess 6.20 RC 3 (13153), released 2009-01-12
• Zarafa WebAccess 6.20 Final (13194), released 2009-01-16
• Zarafa WebAccess 6.20.1 Unstable (13370), released 2009-01-24
• Zarafa WebAccess 6.20.1 Final (13464), released 2009-02-03
• Zarafa WebAccess 6.20.2 Beta (13556), released 2009-02-04
• Zarafa WebAccess 6.20.2 Final (13651), released 2009-02-25
• Zarafa WebAccess 6.20.3 Beta 1 (13831), released 2009-02-28
• Zarafa WebAccess 6.20.3 Beta 2 (13865), released 2009-03-04
• Zarafa WebAccess 6.20.3 Final (13865), released 2009-03-19
• Zarafa WebAccess 6.20.4 Beta (14050), released 2009-03-22
• Zarafa WebAccess 6.20.4 Final (14107), released 2009-04-03
• Zarafa WebAccess 6.20.5 Beta 1 (14316), released 2009-04-08
• Zarafa WebAccess 6.20.5 Beta 2 (14478), released 2009-04-23
• Zarafa WebAccess 6.20.5 Final (14478), released 2009-04-28
• Zarafa WebAccess 6.20.6 Beta 1 (14659), released 2009-05-05
• Zarafa WebAccess 6.20.6 Beta 2 (14742), released 2009-05-12
• Zarafa WebAccess 6.20.6 Beta 3 (14790), released 2009-05-18
• Zarafa WebAccess 6.20.6 Final, released 2009-05-27
• Zarafa WebAccess 6.20.7 Beta (15038), released 2009-06-09
• Zarafa WebAccess 6.20.7 Final, released 2009-06-24
• Zarafa WebAccess 6.20.8 Beta 1 (15498), released 2009-07-06
• Zarafa WebAccess 6.20.8 Beta 2 (15555), released 2009-07-10
• Zarafa WebAccess 6.20.8 Final (15686), released 2009-07-24
• Zarafa WebAccess 6.20.9 Beta (16075), released 2009-08-05
• Zarafa WebAccess 6.20.9 Final (16156)
• Zarafa WebAccess 6.20.10 Beta 1 (16543), released 2009-09-01
• Zarafa WebAccess 6.20.10 Beta 2 (16601), released 2009-09-07
• Zarafa WebAccess 6.20.10 Final (16734), released 2009-09-24
• Zarafa WebAccess 6.20.11 Beta (17080), released 2009-10-06
• Zarafa WebAccess 6.20.11 Final (17604), released 2009-11-12
• Zarafa WebAccess 6.20.12 Final (18389), released 2010-01-14
• Zarafa WebAccess 6.20.13 Beta 1, released 2010-03-03
• Zarafa WebAccess 6.20.13 Final (19023), released 2010-04-01

• Zarafa WebAccess 6.30.0 Beta 1 (13713), released 2009-02-24
• Zarafa WebAccess 6.30.0 Beta 2 (13995), released 2009-03-20
• Zarafa WebAccess 6.30.0 Beta 3 (14291), released 2009-04-07
• Zarafa WebAccess 6.30.0 RC 1a (14510), released 2009-04-25
• Zarafa WebAccess 6.30.0 RC 1b (14609), released 2009-04-29
• Zarafa WebAccess 6.30.0 RC 1c (14675), released 2009-05-07
• Zarafa WebAccess 6.30.0 RC 1d (14757), released 2009-05-13
• Zarafa WebAccess 6.30.0 RC 1e (14802), released 2009-05-18
• Zarafa WebAccess 6.30.0 RC 1 (14802), released 2009-05-20
• Zarafa WebAccess 6.30.0 RC 2 (15089), released 2009-06-13
• Zarafa WebAccess 6.30.0 RC 3a (15217), released 2009-06-18
• Zarafa WebAccess 6.30.0 RC 3b
• Zarafa WebAccess 6.30.0 RC 3c (15472), released 2009-07-03
• Zarafa WebAccess 6.30.0 RC 3 (15545), released 2009-07-08
• Zarafa WebAccess 6.30.0 Final (15765), released 2009-07-23
• Zarafa WebAccess 6.30.1 Beta (16054), released 2009-07-30
• Zarafa WebAccess 6.30.1 Final (16192), released 2009-08-20
• Zarafa WebAccess 6.30.2 Beta 1 (16415), released 2009-08-26
• Zarafa WebAccess 6.30.2 Beta 2 (16493), released 2009-08-28
• Zarafa WebAccess 6.30.2 Beta 3 (16545), released 2009-09-01
• Zarafa WebAccess 6.30.2 Final (16545), released 2009-09-11
• Zarafa WebAccess 6.30.3 Pre-Beta (16905), released 2009-09-24
• Zarafa WebAccess 6.30.3 Beta (16954), released 2009-09-28
• Zarafa WebAccess 6.30.3 Final (17192), released 2009-10-15
• Zarafa WebAccess 6.30.4 Final (17264), released 2009-10-28
• Zarafa WebAccess 6.30.5 Beta (17418), released 2009-10-27
• Zarafa WebAccess 6.30.5 Final (17658), released 2009-11-18
• Zarafa WebAccess 6.30.6 Beta 1, released 2009-12-04
• Zarafa WebAccess 6.30.6 Final (18063), released 2009-12-16
• Zarafa WebAccess 6.30.7 Beta 1, released 2009-12-24
• Zarafa WebAccess 6.30.7 Final (18277), released 2010-01-06
• Zarafa WebAccess 6.30.8 Final (18345), released 2010-01-12
• Zarafa WebAccess 6.30.9 Final (18385), released 2010-01-14
• Zarafa WebAccess 6.30.10 Beta 1 (18396), released 2010-01-15
• Zarafa WebAccess 6.30.10 Beta 2, released 2010-01-27
• Zarafa WebAccess 6.30.10 Final (18495), released 2010-02-02
• Zarafa WebAccess 6.30.11 Beta 1 (18797), released 2010-02-15
• Zarafa WebAccess 6.30.11 Beta 2, released 2010-02-24
• Zarafa WebAccess 6.30.11 Final (18984), released 2010-03-02
• Zarafa WebAccess 6.30.12 Final (19435), released 2010-03-19
• Zarafa WebAccess 6.30.13 Beta 1, released 2010-04-01
• Zarafa WebAccess 6.30.13 Beta 2, released 2010-04-15
• Zarafa WebAccess 6.30.13 Final (19788), released 2010-04-21
• Zarafa WebAccess 6.30.14 Final (20002), released 2010-04-28
• Zarafa WebAccess 6.30.15 Beta 1 (20234), released 2010-05-14
• Zarafa WebAccess 6.30.15 Beta 2 (21170), released 2010-06-28
• Zarafa WebAccess 6.30.15 Final (21229), released 2010-07-20
• Zarafa WebAccess 6.30.16 Beta 1 (21699), released 2010-07-29
• Zarafa WebAccess 6.30.16 Beta 2 (21846), released 2010-08-05
• Zarafa WebAccess 6.30.16 Final (21846), released 2010-08-31
• Zarafa WebAccess 6.30.17 Beta 1 (23117), released 2010-10-01
• Zarafa WebAccess 6.30.17 Beta 2 (23285), released 2010-10-15
• Zarafa WebAccess 6.30.17 Final (23285), released 2010-10-29
• Zarafa WebAccess 6.30.18 Beta 1 (23963), released 2010-12-03
• Zarafa WebAccess 6.30.18 Beta 2 (24292), released 2010-12-17
• Zarafa WebAccess 6.30.18 Final (24292), released 2010-12-20
• Zarafa WebAccess 6.30.19 Beta 1 (24945), released 2011-01-28
• Zarafa WebAccess 6.30.19 Final (25148), released 2011-02-10

• Zarafa WebAccess 6.40.0 Alpha 1 (16056), released 2009-08-03
• Zarafa WebAccess 6.40.0 Alpha 2 (16731), released 2009-09-14
• Zarafa WebAccess 6.40.0 Alpha 3 (16832), released 2009-09-18
• Zarafa WebAccess 6.40.0 Beta 1 (16858), released 2009-09-21
• Zarafa WebAccess 6.40.0 Pre-Beta 2 (17469), released 2009-10-29
• Zarafa WebAccess 6.40.0 Beta 2 (17498), released 2009-10-30
• Zarafa WebAccess 6.40.0 Beta 3, released 2009-12-11
• Zarafa WebAccess 6.40.0 RC 1 (18537), released 2010-01-26
• Zarafa WebAccess 6.40.0 RC 2 (18871), released 2010-02-16
• Zarafa WebAccess 6.40.0 RC 3 (19159), released 2010-03-08
• Zarafa WebAccess 6.40.0 RC 4 (19574), released 2010-04-01
• Zarafa WebAccess 6.40.0 RC 5 (19792), released 2010-04-16
• Zarafa WebAccess 6.40.0 RC 6 (19899), released 2010-04-26
• Zarafa WebAccess 6.40.0 RC 7 (20343), released 2010-05-14
• Zarafa WebAccess 6.40.0 RC 8 (20419), released 2010-05-21
• Zarafa WebAccess 6.40.0 RC 9 (20653), released 2010-06-02
• Zarafa WebAccess 6.40.0 Final (20653), released 2010-06-09
• Zarafa WebAccess 6.40.1 Beta 1 (21473), released 2010-07-20
• Zarafa WebAccess 6.40.1 Beta 2 (21742), released 2010-07-30
• Zarafa WebAccess 6.40.1 Final (21780), released 2010-08-05
• Zarafa WebAccess 6.40.2 Beta 1 (22288), released 2010-08-20
• Zarafa WebAccess 6.40.2 Beta 2 (22361), released 2010-08-25
• Zarafa WebAccess 6.40.2 Final (22452), released 2010-08-31
• Zarafa WebAccess 6.40.3 Beta 1 (22703), released 2010-09-10
• Zarafa WebAccess 6.40.3 Beta 2 (23043), released 2010-09-29
• Zarafa WebAccess 6.40.3 Beta 3 (23181), released 2010-10-07
• Zarafa WebAccess 6.40.3 Beta 4 (23410), released 2010-10-22
• Zarafa WebAccess 6.40.3 Final (23410), released 2010-10-27
• Zarafa WebAccess 6.40.4 Beta 1 (23477), released 2010-11-11
• Zarafa WebAccess 6.40.4 Beta 2 (23895), released 2010-11-19
• Zarafa WebAccess 6.40.4 Beta 3 (24031), released 2010-11-26
• Zarafa WebAccess 6.40.4 Beta 4 (24179), released 2010-12-07
• Zarafa WebAccess 6.40.4 Final (24200), released 2010-12-03
• Zarafa WebAccess 6.40.4 Final (24121), released 2010-12-10
• Zarafa WebAccess 6.40.5 Beta 1 (24479), released 2010-12-28
• Zarafa WebAccess 6.40.5 Beta 2 (24764), released 2011-01-14
• Zarafa WebAccess 6.40.5 Final (24860), released 2011-01-25
• Zarafa WebAccess 6.40.6 Beta 1, released 2011-02-08
• Zarafa WebAccess 6.40.6 Beta 2, released 2011-02-28
• Zarafa WebAccess 6.40.6 Final (25584), released 2011-03-10
• Zarafa WebAccess 6.40.7 Beta 1, released 2011-03-23
• Zarafa WebAccess 6.40.7 Final (26119), released 2011-03-29
• Zarafa WebAccess 6.40.8 Beta 1, released 2011-05-06
• Zarafa WebAccess 6.40.8 Final (27223), released 2011-05-20
• Zarafa WebAccess 6.40.9 Beta 1 (27453), released 2011-06-06
• Zarafa WebAccess 6.40.9 Final (27553), released 2011-06-08
• Zarafa WebAccess 6.40.10 Beta 1, released 2011-07-11
• Zarafa WebAccess 6.40.10 Final (28214), released 2011-07-21
• Zarafa WebAccess 6.40.11 Beta 1 (28776), released 2011-08-19
• Zarafa WebAccess 6.40.11 Final (289659, released 2011-08-31
• Zarafa WebAccess 6.40.12 Beta 1 (29729), released 2011-10-10
• Zarafa WebAccess 6.40.12 Final (29942), released 2011-10-20
• Zarafa WebAccess 6.40.13 Beta 1 (30596), released 2011-11-21
• Zarafa WebAccess 6.40.13 Beta 2 (30778), released 2011-12-01
• Zarafa WebAccess 6.40.13 Final (30778), released 2011-12-08
• Zarafa WebAccess 6.40.14 Beta 1 (31462), released 2012-01-06
• Zarafa WebAccess 6.40.14 Final (31537), released 2012-01-19
• Zarafa WebAccess 6.40.15 Beta 1 (33246), released 2012-03-29
• Zarafa WebAccess 6.40.15 Final (33766), released 2012-04-12
• Zarafa WebAccess 6.40.16 Final (34239), released 2012-05-04
• Zarafa WebAccess 6.40.17 Beta 1 (35609), released 2012-07-05
• Zarafa WebAccess 6.40.17 Final (35943), released 2012-07-19

• Zarafa WebAccess 7.0.0 TP (23713), released 2010-11-05
• Zarafa WebAccess 7.0.0 Alpha 1 (23713), released 2010-11-05
• Zarafa WebAccess 7.0.0 Beta 1 (24488), released 2010-12-30
• Zarafa WebAccess 7.0.0 Beta 2 (24874), released 2011-01-21
• Zarafa WebAccess 7.0.0 Beta 3 (25734), released 2011-03-08
• Zarafa WebAccess 7.0.0 RC 1 (26667), released 2011-04-21
• Zarafa WebAccess 7.0.0 RC 2 (27588), released 2011-06-10
• Zarafa WebAccess 7.0.0 Final (27791), released 2011-06-27
• Zarafa WebAccess 7.0.1 Beta 1 (28354), released 2011-07-26
• Zarafa WebAccess 7.0.1 Beta 2 (28479), released 2011-08-04
• Zarafa WebAccess 7.0.1 Final (28479), released 2011-08-12
• Zarafa WebAccess 7.0.2 Beta 1 (29238), released 2011-09-15
• Zarafa WebAccess 7.0.2 Final (29470), released 2011-09-29
• Zarafa WebAccess 7.0.3 Beta 1 (30283), released 2011-11-03
• Zarafa WebAccess 7.0.3 Beta 2 (30383), released 2011-11-11
• Zarafa WebAccess 7.0.3 Final (30515), released 2011-11-17
• Zarafa WebAccess 7.0.4 Beta 1 (31042), released 2011-12-09
• Zarafa WebAccess 7.0.4 Beta 2 (31131), released 2011-12-15
• Zarafa WebAccess 7.0.4 Final (31235), released 2011-12-22
• Zarafa WebAccess 7.0.5 Beta 1 (31699), released 2012-01-20
• Zarafa WebAccess 7.0.5 Final (31880), released 2012-02-02
• Zarafa WebAccess 7.0.6 Beta 1 (32585), released 2012-03-02
• Zarafa WebAccess 7.0.6 Final (32752), released 2012-03-15
• Zarafa WebAccess 7.0.7 Beta 1 (33784), released 2012-04-13
• Zarafa WebAccess 7.0.7 Beta 2 (34052), released 2012-04-26
• Zarafa WebAccess 7.0.7 Final (34256), released 2012-05-04
• Zarafa WebAccess 7.0.8 Beta 1 (35040), released 2012-06-08
• Zarafa WebAccess 7.0.8 Final (35178), released 2012-06-19
• Zarafa WebAccess 7.0.9 Beta 1 (36013), released 2012-07-19
• Zarafa WebAccess 7.0.9 Beta 2 (36190), released 2012-07-26
• Zarafa WebAccess 7.0.9 Beta 3 (36358), released 2012-08-03
• Zarafa WebAccess 7.0.9 Final (36358), released 2012-08-10
• Zarafa WebAccess 7.0.10 Beta 1 (37262), released 2012-09-20
• Zarafa WebAccess 7.0.10 Final (37482), released 2012-10-04
• Zarafa WebAccess 7.0.11 Beta 1 (38406), released 2012-11-16
• Zarafa WebAccess 7.0.11 Beta 2 (38914), released 2012-11-30
• Zarafa WebAccess 7.0.11 Final (39120), released 2012-12-08
• Zarafa WebAccess 7.0.12 Beta 1 (39988), released 2013-01-10
• Zarafa WebAccess 7.0.12 Final (40336), released 2013-01-24
• Zarafa WebAccess 7.0.13 Final (41388), released 2013-03-01
• Zarafa WebAccess 7.0.14 Beta 1 (41924), released 2013-05-23
• Zarafa WebAccess 7.0.14 Final (42060), released 2013-07-01
• Zarafa WebAccess 7.0.15 Beta 1 (42582), released 2013-09-03
• Zarafa WebAccess 7.0.15 Beta 2 (42658), released 2013-09-13
• Zarafa WebAccess 7.0.15 Final (42709), released 2013-09-20

• Zarafa WebAccess 7.1.0 Beta 1 (33926), released 2012-04-19
• Zarafa WebAccess 7.1.0 Beta 2 (34517), released 2012-05-11
• Zarafa WebAccess 7.1.0 Beta 3 (34833), released 2012-06-01
• Zarafa WebAccess 7.1.0 RC 1 (35476), released 2012-06-29
• Zarafa WebAccess 7.1.0 RC 2 (36025), released 2012-07-19
• Zarafa WebAccess 7.1.0 RC 3 (36420), released 2012-08-09
• Zarafa WebAccess 7.1.0 Final (36420), released 2012-08-23
• Zarafa WebAccess 7.1.1 Beta 1 (37267), released 2012-09-20
• Zarafa WebAccess 7.1.1 Beta 2 (37519), released 2012-10-04
• Zarafa WebAccess 7.1.1 Final (37812), released 2012-10-19
• Zarafa WebAccess 7.1.2 Beta 1 (38366), released 2012-11-15
• Zarafa WebAccess 7.1.2 Beta 2 (38915), released 2012-11-30
• Zarafa WebAccess 7.1.2 Final (39121), released 2012-12-08
• Zarafa WebAccess 7.1.3 Beta 1 (39980), released 2013-01-10
• Zarafa WebAccess 7.1.3 Final (40304), released 2013-01-24
• Zarafa WebAccess 7.1.4 Final (41394), released 2013-03-01
• Zarafa WebAccess 7.1.5 Beta 1 (41923), released 2013-05-23
• Zarafa WebAccess 7.1.5 Final (42059), released 2013-07-01
• Zarafa WebAccess 7.1.6 Beta 1 (42574), released 2013-09-03
• Zarafa WebAccess 7.1.6 Beta 2 (42668), released 2013-09-13
• Zarafa WebAccess 7.1.6 Final (42710), released 2013-09-20
• Zarafa WebAccess 7.1.7 Final (42779), released 2013-10-03
• Zarafa WebAccess 7.1.8 Beta 1 (42841), released 2013-10-10
• Zarafa WebAccess 7.1.8 Beta 2 (43059), released 2013-11-08
• Zarafa WebAccess 7.1.8 Beta 3 (43454), released 2013-12-20
• Zarafa WebAccess 7.1.8 RC 1 (43691), released 2014-01-23
• Zarafa WebAccess 7.1.8 Final (43801), released 2014-01-30
• Zarafa WebAccess 7.1.8 Final R1 (44004), released 2014-02-20
• Zarafa WebAccess 7.1.9 Beta 1 (44152), released 2014-03-12
• Zarafa WebAccess 7.1.9 RC 1 (44268), released 2014-03-24
• Zarafa WebAccess 7.1.9 Final (44333), released 2014-03-31
• Zarafa WebAccess 7.1.10 Beta 1 (44846), released 2014-05-12
• Zarafa WebAccess 7.1.10 RC 1 (44973), released 2014-05-26
• Zarafa WebAccess 7.1.10 Final (44973), released 2014-06-03
• Zarafa WebAccess 7.1.11 Beta 1 (45653), released 2014-08-07
• Zarafa WebAccess 7.1.11 Final (45875), released 2014-08-26
• Zarafa WebAccess 7.1.11 Final R1 (46050), released 2014-09-05
• Zarafa WebAccess 7.1.12 Beta 1 (47484), released 2015-01-16
• Zarafa WebAccess 7.1.12 Beta 2 (48455), released 2015-03-20
• Zarafa WebAccess 7.1.12 Final (48726), released 2015-04-07
• Zarafa WebAccess 7.1.12 Final R1 (49411), released 2015-05-08

• Zarafa WebApp 1.0 TP (27895), released 2011-06-28
• Zarafa WebApp 1.0 TP, released 2011-07-28
• Zarafa WebApp 1.0 TP, released 2011-09-06
• Zarafa WebApp 1.0 TP, released 2011-12-20
• Zarafa WebApp 1.0 Final (33778), released 2012-04-12
• Zarafa WebApp 1.1 Final (35292), released 2012-06-20
• Zarafa WebApp 1.2 TP (36382), released 2012-08-07
• Zarafa WebApp 1.2 Final (37787), released 2012-10-26
• Zarafa WebApp 1.2.1 Final (37967), released 2012-10-26
• Zarafa WebApp 1.2.2 Final (39122), released 2012-12-07
• Zarafa WebApp 1.3 Final (41013), released 2013-02-12
• Zarafa WebApp 1.3.1 Final (41348), released 2013-02-22
• Zarafa WebApp 1.3.2 Final (42118), released 2013-09-19
• Zarafa WebApp 1.4 Alpha (42030), released 2013-06-20
• Zarafa WebApp 1.4 Beta (42591), released 2013-09-06
• Zarafa WebApp 1.4 Final (42633), released 2013-10-03
• Zarafa WebApp 1.5 Beta (43468), released 2013-12-20
• Zarafa WebApp 1.5 Final (43477), released 2014-01-22
• Zarafa WebApp 1.6 Beta 1 (45198), released 2014-06-17
• Zarafa WebApp 1.6 Beta 2 (45312), released 2014-07-01
• Zarafa WebApp 1.6 Final (45357), released 2014-07-21
• Zarafa WebApp 1.6.1 Final (46039), released 2014-09-02

• Zarafa WebApp 2.0 Beta 1 (46301)
• Zarafa WebApp 2.0 Beta 2 (46339), released 2014-09-30
• Zarafa WebApp 2.0 Beta 3 (46848), released 2014-11-20
• Zarafa WebApp 2.0 Beta (47004), released 2014-12-05
• Zarafa WebApp 2.0 Beta (47017), released 2014-12-08
• Zarafa WebApp 2.0 RC 1 (47260), released 2014-12-24
• Zarafa WebApp 2.0 Final (47678), released 2015-01-27
• Zarafa WebApp 2.0.1 Final (47791), released 2015-02-06
• Zarafa WebApp 2.0.2 Final (47834), released 2015-02-09

Fixed versions

• Zarafa WebAccess 7.2.0 Beta 1 (46984), released 2014-12-05
• Zarafa WebAccess 7.2.0 Beta 1 (47004), released 2014-12-05
• Zarafa WebAccess 7.2.0 Beta 2 (47829), released 2015-02-09
• Zarafa WebAccess 7.2.0 Final (48204), released 2015-03-05

• Zarafa WebApp 2.0 Final (47486), released 2015-01-15
• Zarafa WebApp 2.0.2 Final (48619), released 2015-04-02

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-5449 was assigned on August 25, 2014. Currently, the following other identifications are known for this issue:

• MITRE CVE-2014-5449
• RSC-SA-2014-0006
• Red Hat RHBZ #1133439
• OSS-SEC 2014/Q3/444
• SecurityFocus BID-69369
• ISS X-Force 95453
• DFN-CERT-2014-1118

Disclosure timeline

• 2014-08-15: Initial vulnerability discovery
• 2014-08-24: Coordinated public disclosure
• 2014-08-25: Initial vendor notification, response and acknowledgement
• 2014-08-25: MITRE CVE assignment team assignes CVE name
• 2014-12-05: Vendor provides a fixed public beta/pre-release
• 2015-03-05: Vendor releases a fixed public final version

Credit

This vulnerability was discovered, analyzed and reported by Robert Scheck.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.