Robert Scheck | Security | RSC-SA-2014-0011: SSLv3 limit in Zarafa Outlook Client

RSC-SA-2014-0011: SSLv3 limit in Zarafa Outlook Client

Am 2. April 2014 habe ich entdeckt, dass der proprietäre Zarafa Outlook Client, der für die MAPI-basierte Anbindung von Microsoft Outlook an Zarafa verwendet wird, ausschließlich SSLv3-Verbindungen unterstützt. Die Tests dazu resultierten aus meinem Patch für den Zarafa-Server um SSL-/TLS-Einstellungen wie Protokoll-Version und Cipher Suite konfigurierbar zu machen. Aufgrund des nicht offenliegenden Quellcodes handelt es sich lediglich um Testergebnisse. Nachfolgend das Security Advisory in englischer Sprache:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

For accessing e-mails, calendars, contacts and tasks of the groupware platform via Microsoft Outlook, Zarafa provides the proprietary Zarafa Outlook Client, also known as Zarafa Windows Client, Zarafa Outlook Plugin or Zarafa Client Connector. The Zarafa Outlook Client connects via MAPI in SOAP over HTTP(S) to the configured zarafa-server daemon/service. But when choosing (instead of default cleartext connection over HTTP) the encrypted HTTPS e.g. via TCP port 237, the encrypted connection between the client and the zarafa-server daemon/service is limited to SSLv3 due to the Zarafa Outlook Client.

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However, given that it has not yet been clarified whether POODLE is applicable to SSLv3 connections which are not being used for website content (and thus without e.g. HTTP session cookies), the usage of an SSLv3 connection is only or at least a risk. Additionally, the Federal Office for Information Security (BSI) of the Federal Republic of Germany also specifies in their document TR-02102-2 that SSLv3 is not to be used anymore.

While even the file README.win32 as part of e.g. zcp-win32-7.1.11.tar.gz still refers to openssl-win32-0.9.8k.zip and thus to OpenSSL 0.9.8k (released 2009-03-25), the Zarafa Outlook Client bundles OpenSSL 1.0.1c (released 2012-05-10) since version 7.1.2, and since Zarafa Outlook Client version 7.2.0 the OpenSSL 1.0.1j (released 2014-10-15) is bundled. The verification is e.g. possible under Linux using 7za x -so zarafaclient-7.1.11-47521.msi zarafa6client32.dll 2> /dev/null | strings | grep OpenSSL on the command line.

Reproducability

The following commands are only made public to demonstrate how to figure out whether the currently used Zarafa Outlook Client is limited to SSLv3 or not. In the very first beginning a SSL certificate is required. Given that a self-signed SSL certificate is sufficient it can be created by using openssl on the command line:

tux:~ # echo -e "--\n--\n--\n--\n\n\n\n" | openssl req -x509 -sha256 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7 2> /dev/null
tux:~ # ls -l cert.pem key.pem
total 8 -rw-r--r--. 1 root root 1874 Jan 31 16:00 cert.pem -rw-r--r--. 1 root root 3272 Jan 31 16:00 key.pem
tux:~ #

This SSL certificate is going to be used in the following stunnel configuration file. It is important to keep in mind that this stunnel configuration file does not replace the need to have a fully working Zarafa server setup listening at least on 127.0.0.1 on TCP port 236.

tux:~ # cat sslv3.conf
cert = cert.pem key = key.pem foreground = yes fips = no sslVersion = SSLv3 debug = 3 [238] accept = 0.0.0.0:238 connect = 127.0.0.1:236
tux:~ #

For the next step a Microsoft Outlook and the Zarafa Outlook Client are required; an existing Microsoft Outlook profile can be simply either reconfigured to use an encrypted connection and TCP port 238 or a new profile could be created as well. Starting stunnel leads to the following output on the command line:

tux:~ # stunnel sslv3.conf
2015.01.31 16:02:43 LOG3[11806:140486172817152]: SSL_accept: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate 2015.01.31 16:02:43 LOG3[11806:140486172747520]: SSL_accept: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate 2015.01.31 16:02:57 LOG3[11806:140486173304576]: SSL_read: Connection reset by peer (104) 2015.01.31 16:02:57 LOG3[11806:140486173234944]: SSL_read: Connection reset by peer (104) 2015.01.31 16:02:57 LOG3[11806:140486173026048]: SSL_read: Connection reset by peer (104) 2015.01.31 16:02:57 LOG3[11806:140486172886784]: SSL_read: Connection reset by peer (104) 2015.01.31 16:02:57 LOG3[11806:140486173165312]: SSL_read: Connection reset by peer (104) 2015.01.31 16:02:57 LOG3[11806:140486173095680]: SSL_read: Connection reset by peer (104)
^C
2015.01.31 16:02:59 LOG3[11806:140486173308864]: Received signal 2; terminating
tux:~ #

The start of Microsoft Outlook should succeed, the first two log lines are caused by the self-signed SSL certificate, the others are caused when closing Microsoft Outlook. Finally press Ctrl + C to stop stunnel as well.

Previous steps were related to SSLv3 only. The following steps are the same but with TLSv1.0 instead. The same SSL certificate is going to be used in the following stunnel configuration file. It is important to keep in mind that this stunnel configuration file does not replace the need to have a fully working Zarafa server setup listening at least on 127.0.0.1 on TCP port 236.

tux:~ # cat tlsv1.conf
cert = cert.pem key = key.pem foreground = yes fips = no sslVersion = TLSv1 debug = 3 [238] accept = 0.0.0.0:238 connect = 127.0.0.1:236
tux:~ #

For the next step a Microsoft Outlook and the Zarafa Outlook Client are required again; the previously used Microsoft Outlook profile can be simply either reused, another profile could be reconfigured to use an encrypted connection and TCP port 238 or a new profile could be created as well. Starting stunnel leads to the following output on the command line:

tux:~ # stunnel tlsv1.conf
2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number 2015.01.31 16:04:35 LOG3[11866:140180333680384]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
^C
2015.01.31 16:04:43 LOG3[11866:140180333684672]: Received signal 2; terminating
tux:~ #

Screenshot of error when using SSLv3-only Zarafa Outlook Client without SSLv3 with Microsoft Outlook 2010 The start of Microsoft Outlook fails with the error message like "Cannot open your default email folders. The information store could not be opened." or "Ihre Standard-E-Mail-Ordner können nicht geöffnet werden. Der Informationsspeicher steht zurzeit nicht zur Verfügung.". The exact error message depends on the version and language of Microsoft Outlook. Finally press Ctrl + C to stop stunnel as well.

Workaround

Given this issue is a design flaw the only workaround is to wrap the SSLv3 connection of the Zarafa Outlook Client by something like VPN (or another tunneling technology) where the encryption is ensured by the wrapping technology. However such a workaround might not provide the same end user comfort.

Solution

As there are fixed releases of the Zarafa Outlook Client available, an update is highly recommented over any workaround.

The flaw was initially technically solved by replacing the SSLv3-only requirement by a TLSv1.0-only requirement, thus the Zarafa Outlook Client <= 7.2.0 Beta 1 (47518) supports TLSv1.0, but does not support TLSv1.1 or TLSv1.2 and might be subjected to further (similar) issues in the future and especially in case of security related issues with TLSv1.0. The newer Zarafa Outlook Client >= 7.2.0 Beta 2 (47829) however supports TLSv1.0, TLSv1.1 and TLSv1.2.

Affected versions

Zarafa Outlook Client 4.1 Final, released 2006-02-22
Zarafa Outlook Client 4.11 Final, released 2006-03-25
Zarafa Outlook Client 4.20 Final (4211), released 2006-07-24
Zarafa Outlook Client 4.21 Final, released 2006-09-28
Zarafa Outlook Client 4.22 Final (4934), released 2006-10-23

Zarafa Outlook Client 5.00 Final, released 2006-12-18
Zarafa Outlook Client 5.01 Final, released 2007-02-26
Zarafa Outlook Client 5.02 Final (6453), released 2007-04-23
Zarafa Outlook Client 5.10 Final, released 2007-06-25
Zarafa Outlook Client 5.11 Final (7310), released 2007-08-21

Zarafa Outlook Client 5.20 Beta 1 (7332), released 2007-08-30
Zarafa Outlook Client 5.20 Beta 2 (7553), released 2007-09-06
Zarafa Outlook Client 5.20 RC 1 (7838), released 2007-09-21
Zarafa Outlook Client 5.20 Final (8007), released 2007-10-05
Zarafa Outlook Client 5.21 RC 1 (8123), released 2007-10-12
Zarafa Outlook Client 5.21 Final (8123), released 2007-10-29
Zarafa Outlook Client 5.22 Beta 1 (8452), released 2007-11-12
Zarafa Outlook Client 5.22 Beta 2 (8638), released 2007-11-27
Zarafa Outlook Client 5.22 RC 1 (8746), released 2007-12-06
Zarafa Outlook Client 5.22 RC 2 (8825), released 2007-12-12
Zarafa Outlook Client 5.22 Final (8825), released 2007-12-19
Zarafa Outlook Client 5.23 Beta 1 (9659), released 2008-02-19
Zarafa Outlook Client 5.23 RC 1 (9742), released 2008-02-29
Zarafa Outlook Client 5.23 Final (9742), released 2008-03-14
Zarafa Outlook Client 5.24 Beta 1 (10056), released 2008-04-10
Zarafa Outlook Client 5.24 RC 1 (10297), released 2008-05-20
Zarafa Outlook Client 5.24 Final (10384), released 2008-05-28
Zarafa Outlook Client 5.25 RC 1 (10783), released 2008-07-15
Zarafa Outlook Client 5.25 RC 2 (11089), released 2008-08-13
Zarafa Outlook Client 5.25 Final, released 2008-09-08
Zarafa Outlook Client 5.26 RC 1 (11917), released 2008-10-06
Zarafa Outlook Client 5.26 Final (12031), released 2008-10-20

Zarafa Outlook Client 6.00 TP (8740), released 2007-12-05
Zarafa Outlook Client 6.00 Beta 1 (8861), released 2007-12-12
Zarafa Outlook Client 6.00 Beta 2 (8958), released 2007-12-19
Zarafa Outlook Client 6.00 Beta 3 (9192), released 2008-01-07
Zarafa Outlook Client 6.00 Beta 4 (9351), released 2008-01-17
Zarafa Outlook Client 6.00 Beta 5 (9429), released 2008-01-23
Zarafa Outlook Client 6.00 Beta 6 (9507), released 2008-01-31
Zarafa Outlook Client 6.00 RC 1 (9537), released 2008-02-06
Zarafa Outlook Client 6.00 RC 2 (9668), released 2008-02-20
Zarafa Outlook Client 6.00 RC 3 (9699), released 2008-02-21
Zarafa Outlook Client 6.00 RC 4 (9754), released 2008-02-28
Zarafa Outlook Client 6.00 Final (9772), released 2008-03-01
Zarafa Outlook Client 6.01 Final (9831), released 2008-03-17
Zarafa Outlook Client 6.02 Beta 1 (9915), released 2008-03-27
Zarafa Outlook Client 6.02 RC 1 (9978), released 2008-04-03
Zarafa Outlook Client 6.02 RC 2 (10119), released 2008-04-16
Zarafa Outlook Client 6.02 RC 3 (10171), released 2008-04-23
Zarafa Outlook Client 6.02 Final (10238), released 2008-05-07
Zarafa Outlook Client 6.03 Beta 1 (10306), released 2008-05-15
Zarafa Outlook Client 6.03 Beta 2 (10599), released 2008-06-20
Zarafa Outlook Client 6.03 RC 1 (10708), released 2008-07-07
Zarafa Outlook Client 6.03 RC 2 (10767), released 2008-07-11
Zarafa Outlook Client 6.03 Final (10850), released 2008-07-18
Zarafa Outlook Client 6.04 Beta 1 (11084), released 2008-08-07
Zarafa Outlook Client 6.04 RC 1 (11343)
Zarafa Outlook Client 6.04 RC 2 (11489), released 2008-09-04
Zarafa Outlook Client 6.04 Final (11575), released 2008-09-11
Zarafa Outlook Client 6.05 Beta 1 (11869), released 2008-09-25
Zarafa Outlook Client 6.05 RC 1 (12080), released 2008-10-09
Zarafa Outlook Client 6.05 RC 2 (12224), released 2008-10-23
Zarafa Outlook Client 6.05 Final (12338), released 2008-11-06

Zarafa Outlook Client 6.10 Beta 1
Zarafa Outlook Client 6.10 Beta 2 (9840), released 2008-03-20
Zarafa Outlook Client 6.10 Beta 3 (9997), released 2008-04-03
Zarafa Outlook Client 6.10 Beta 4 (10217), released 2008-04-29
Zarafa Outlook Client 6.10 RC 1 (10228), released 2008-05-07
Zarafa Outlook Client 6.10 RC 2 (10305), released 2008-05-23
Zarafa Outlook Client 6.10 RC 3 (10535), released 2008-06-17
Zarafa Outlook Client 6.10 Final, released 2008-07-08
Zarafa Outlook Client 6.11 Beta 1
Zarafa Outlook Client 6.11 Beta 2 (10897), released 2008-07-29
Zarafa Outlook Client 6.11 RC 1 (11344), released 2008-08-22
Zarafa Outlook Client 6.11 RC 2 (11490), released 2008-09-02
Zarafa Outlook Client 6.11 Final (11612), released 2008-09-10
Zarafa Outlook Client 6.12 Beta 1 (11955), released 2008-10-01
Zarafa Outlook Client 6.12 RC 1 (12225), released 2008-11-21
Zarafa Outlook Client 6.12 RC 2 (13060), released 2009-01-15
Zarafa Outlook Client 6.12 Final (13060), released 2009-01-23

Zarafa Outlook Client 6.20 Beta 1 (11098), released 2008-08-06
Zarafa Outlook Client 6.20 Beta 2 (11647), released 2008-09-12
Zarafa Outlook Client 6.20 Beta 3 (11749), released 2008-09-18
Zarafa Outlook Client 6.20 Beta 4 (11804), released 2008-09-23
Zarafa Outlook Client 6.20 Beta 5 (12487), released 2008-11-14
Zarafa Outlook Client 6.20 Beta 6 (12710), released 2008-12-04
Zarafa Outlook Client 6.20 RC 1 (12850), released 2008-12-16
Zarafa Outlook Client 6.20 RC 2 (12993), released 2008-12-30
Zarafa Outlook Client 6.20 RC 3 (13153), released 2009-01-12
Zarafa Outlook Client 6.20 Final (13194), released 2009-01-16
Zarafa Outlook Client 6.20.1 Unstable (13370), released 2009-01-24
Zarafa Outlook Client 6.20.1 Final (13464), released 2009-02-03
Zarafa Outlook Client 6.20.2 Beta (13556), released 2009-02-04
Zarafa Outlook Client 6.20.2 Final (13651), released 2009-02-25
Zarafa Outlook Client 6.20.3 Beta 1 (13831), released 2009-02-28
Zarafa Outlook Client 6.20.3 Beta 2 (13865), released 2009-03-04
Zarafa Outlook Client 6.20.3 Final (13865), released 2009-03-19
Zarafa Outlook Client 6.20.4 Beta (14050), released 2009-03-22
Zarafa Outlook Client 6.20.4 Final (14107), released 2009-04-03
Zarafa Outlook Client 6.20.5 Beta 1 (14316), released 2009-04-08
Zarafa Outlook Client 6.20.5 Beta 2 (14478), released 2009-04-23
Zarafa Outlook Client 6.20.5 Final (14478), released 2009-04-28
Zarafa Outlook Client 6.20.6 Beta 1 (14659), released 2009-05-05
Zarafa Outlook Client 6.20.6 Beta 2 (14742), released 2009-05-12
Zarafa Outlook Client 6.20.6 Beta 3 (14790), released 2009-05-18
Zarafa Outlook Client 6.20.6 Final, released 2009-05-27
Zarafa Outlook Client 6.20.7 Beta (15038), released 2009-06-09
Zarafa Outlook Client 6.20.7 Final, released 2009-06-24
Zarafa Outlook Client 6.20.8 Beta 1 (15498), released 2009-07-06
Zarafa Outlook Client 6.20.8 Beta 2 (15555), released 2009-07-10
Zarafa Outlook Client 6.20.8 Final (15686), released 2009-07-24
Zarafa Outlook Client 6.20.9 Beta (16075), released 2009-08-05
Zarafa Outlook Client 6.20.9 Final (16156)
Zarafa Outlook Client 6.20.10 Beta 1 (16543), released 2009-09-01
Zarafa Outlook Client 6.20.10 Beta 2 (16601), released 2009-09-07
Zarafa Outlook Client 6.20.10 Final (16734), released 2009-09-24
Zarafa Outlook Client 6.20.11 Beta (17080), released 2009-10-06
Zarafa Outlook Client 6.20.11 Final (17604), released 2009-11-12
Zarafa Outlook Client 6.20.12 Final (18389), released 2010-01-14
Zarafa Outlook Client 6.20.13 Beta 1, released 2010-03-03
Zarafa Outlook Client 6.20.13 Final (19023), released 2010-04-01

Zarafa Outlook Client 6.30.0 Beta 1 (13713), released 2009-02-24
Zarafa Outlook Client 6.30.0 Beta 2 (13995), released 2009-03-20
Zarafa Outlook Client 6.30.0 Beta 3 (14291), released 2009-04-07
Zarafa Outlook Client 6.30.0 RC 1a (14510), released 2009-04-25
Zarafa Outlook Client 6.30.0 RC 1b (14609), released 2009-04-29
Zarafa Outlook Client 6.30.0 RC 1c (14675), released 2009-05-07
Zarafa Outlook Client 6.30.0 RC 1d (14757), released 2009-05-13
Zarafa Outlook Client 6.30.0 RC 1e (14802), released 2009-05-18
Zarafa Outlook Client 6.30.0 RC 1 (14802), released 2009-05-20
Zarafa Outlook Client 6.30.0 RC 2 (15089), released 2009-06-13
Zarafa Outlook Client 6.30.0 RC 3a (15217), released 2009-06-18
Zarafa Outlook Client 6.30.0 RC 3b
Zarafa Outlook Client 6.30.0 RC 3c (15472), released 2009-07-03
Zarafa Outlook Client 6.30.0 RC 3 (15545), released 2009-07-08
Zarafa Outlook Client 6.30.0 Final (15765), released 2009-07-23
Zarafa Outlook Client 6.30.1 Beta (16054), released 2009-07-30
Zarafa Outlook Client 6.30.1 Final (16192), released 2009-08-20
Zarafa Outlook Client 6.30.2 Beta 1 (16415), released 2009-08-26
Zarafa Outlook Client 6.30.2 Beta 2 (16493), released 2009-08-28
Zarafa Outlook Client 6.30.2 Beta 3 (16545), released 2009-09-01
Zarafa Outlook Client 6.30.2 Final (16545), released 2009-09-11
Zarafa Outlook Client 6.30.3 Pre-Beta (16905), released 2009-09-24
Zarafa Outlook Client 6.30.3 Beta (16954), released 2009-09-28
Zarafa Outlook Client 6.30.3 Final (17192), released 2009-10-15
Zarafa Outlook Client 6.30.4 Final (17264), released 2009-10-28
Zarafa Outlook Client 6.30.5 Beta (17418), released 2009-10-27
Zarafa Outlook Client 6.30.5 Final (17658), released 2009-11-18
Zarafa Outlook Client 6.30.6 Beta 1, released 2009-12-04
Zarafa Outlook Client 6.30.6 Final (18063), released 2009-12-16
Zarafa Outlook Client 6.30.7 Beta 1, released 2009-12-24
Zarafa Outlook Client 6.30.7 Final (18277), released 2010-01-06
Zarafa Outlook Client 6.30.8 Final (18345), released 2010-01-12
Zarafa Outlook Client 6.30.9 Final (18385), released 2010-01-14
Zarafa Outlook Client 6.30.10 Beta 1 (18396), released 2010-01-15
Zarafa Outlook Client 6.30.10 Beta 2, released 2010-01-27
Zarafa Outlook Client 6.30.10 Final (18495), released 2010-02-02
Zarafa Outlook Client 6.30.11 Beta 1 (18797), released 2010-02-15
Zarafa Outlook Client 6.30.11 Beta 2, released 2010-02-24
Zarafa Outlook Client 6.30.11 Final (18984), released 2010-03-02
Zarafa Outlook Client 6.30.12 Final (19435), released 2010-03-19
Zarafa Outlook Client 6.30.13 Beta 1, released 2010-04-01
Zarafa Outlook Client 6.30.13 Beta 2, released 2010-04-15
Zarafa Outlook Client 6.30.13 Final (19788), released 2010-04-21
Zarafa Outlook Client 6.30.14 Final (20002), released 2010-04-28
Zarafa Outlook Client 6.30.15 Beta 1 (20234), released 2010-05-14
Zarafa Outlook Client 6.30.15 Beta 2 (21170), released 2010-06-28
Zarafa Outlook Client 6.30.15 Final (21229), released 2010-07-20
Zarafa Outlook Client 6.30.16 Beta 1 (21699), released 2010-07-29
Zarafa Outlook Client 6.30.16 Beta 2 (21846), released 2010-08-05
Zarafa Outlook Client 6.30.16 Final (21846), released 2010-08-31
Zarafa Outlook Client 6.30.17 Beta 1 (23117), released 2010-10-01
Zarafa Outlook Client 6.30.17 Beta 2 (23285), released 2010-10-15
Zarafa Outlook Client 6.30.17 Final (23285), released 2010-10-29
Zarafa Outlook Client 6.30.18 Beta 1 (23963), released 2010-12-03
Zarafa Outlook Client 6.30.18 Beta 2 (24292), released 2010-12-17
Zarafa Outlook Client 6.30.18 Final (24292), released 2010-12-20
Zarafa Outlook Client 6.30.19 Beta 1 (24945), released 2011-01-28
Zarafa Outlook Client 6.30.19 Final (25148), released 2011-02-10

Zarafa Outlook Client 6.40.0 Alpha 1 (16056), released 2009-08-03
Zarafa Outlook Client 6.40.0 Alpha 2 (16731), released 2009-09-14
Zarafa Outlook Client 6.40.0 Alpha 3 (16832), released 2009-09-18
Zarafa Outlook Client 6.40.0 Beta 1 (16858), released 2009-09-21
Zarafa Outlook Client 6.40.0 Pre-Beta 2 (17469), released 2009-10-29
Zarafa Outlook Client 6.40.0 Beta 2 (17498), released 2009-10-30
Zarafa Outlook Client 6.40.0 Beta 3, released 2009-12-11
Zarafa Outlook Client 6.40.0 RC 1 (18537), released 2010-01-26
Zarafa Outlook Client 6.40.0 RC 2 (18871), released 2010-02-16
Zarafa Outlook Client 6.40.0 RC 3 (19159), released 2010-03-08
Zarafa Outlook Client 6.40.0 RC 4 (19574), released 2010-04-01
Zarafa Outlook Client 6.40.0 RC 5 (19792), released 2010-04-16
Zarafa Outlook Client 6.40.0 RC 6 (19899), released 2010-04-26
Zarafa Outlook Client 6.40.0 RC 7 (20343), released 2010-05-14
Zarafa Outlook Client 6.40.0 RC 8 (20419), released 2010-05-21
Zarafa Outlook Client 6.40.0 RC 9 (20653), released 2010-06-02
Zarafa Outlook Client 6.40.0 Final (20653), released 2010-06-09
Zarafa Outlook Client 6.40.1 Beta 1 (21473), released 2010-07-20
Zarafa Outlook Client 6.40.1 Beta 2 (21742), released 2010-07-30
Zarafa Outlook Client 6.40.1 Final (21780), released 2010-08-05
Zarafa Outlook Client 6.40.2 Beta 1 (22288), released 2010-08-20
Zarafa Outlook Client 6.40.2 Beta 2 (22361), released 2010-08-25
Zarafa Outlook Client 6.40.2 Final (22452), released 2010-08-31
Zarafa Outlook Client 6.40.3 Beta 1 (22703), released 2010-09-10
Zarafa Outlook Client 6.40.3 Beta 2 (23043), released 2010-09-29
Zarafa Outlook Client 6.40.3 Beta 3 (23181), released 2010-10-07
Zarafa Outlook Client 6.40.3 Beta 4 (23410), released 2010-10-22
Zarafa Outlook Client 6.40.3 Final (23410), released 2010-10-27
Zarafa Outlook Client 6.40.4 Beta 1 (23477), released 2010-11-11
Zarafa Outlook Client 6.40.4 Beta 2 (23895), released 2010-11-19
Zarafa Outlook Client 6.40.4 Beta 3 (24031), released 2010-11-26
Zarafa Outlook Client 6.40.4 Beta 4 (24179), released 2010-12-07
Zarafa Outlook Client 6.40.4 Final (24200), released 2010-12-03
Zarafa Outlook Client 6.40.4 Final (24121), released 2010-12-10
Zarafa Outlook Client 6.40.5 Beta 1 (24479), released 2010-12-28
Zarafa Outlook Client 6.40.5 Beta 2 (24764), released 2011-01-14
Zarafa Outlook Client 6.40.5 Final (24860), released 2011-01-25
Zarafa Outlook Client 6.40.6 Beta 1, released 2011-02-08
Zarafa Outlook Client 6.40.6 Beta 2, released 2011-02-28
Zarafa Outlook Client 6.40.6 Final (25584), released 2011-03-10
Zarafa Outlook Client 6.40.7 Beta 1, released 2011-03-23
Zarafa Outlook Client 6.40.7 Final (26119), released 2011-03-29
Zarafa Outlook Client 6.40.8 Beta 1, released 2011-05-06
Zarafa Outlook Client 6.40.8 Final (27223), released 2011-05-20
Zarafa Outlook Client 6.40.9 Beta 1 (27453), released 2011-06-06
Zarafa Outlook Client 6.40.9 Final (27553), released 2011-06-08
Zarafa Outlook Client 6.40.10 Beta 1, released 2011-07-11
Zarafa Outlook Client 6.40.10 Final (28214), released 2011-07-21
Zarafa Outlook Client 6.40.11 Beta 1 (28776), released 2011-08-19
Zarafa Outlook Client 6.40.11 Final (289659, released 2011-08-31
Zarafa Outlook Client 6.40.12 Beta 1 (29729), released 2011-10-10
Zarafa Outlook Client 6.40.12 Final (29942), released 2011-10-20
Zarafa Outlook Client 6.40.13 Beta 1 (30596), released 2011-11-21
Zarafa Outlook Client 6.40.13 Beta 2 (30778), released 2011-12-01
Zarafa Outlook Client 6.40.13 Final (30778), released 2011-12-08
Zarafa Outlook Client 6.40.14 Beta 1 (31462), released 2012-01-06
Zarafa Outlook Client 6.40.14 Final (31537), released 2012-01-19
Zarafa Outlook Client 6.40.15 Beta 1 (33246), released 2012-03-29
Zarafa Outlook Client 6.40.15 Final (33766), released 2012-04-12
Zarafa Outlook Client 6.40.16 Final (34239), released 2012-05-04
Zarafa Outlook Client 6.40.17 Beta 1 (35609), released 2012-07-05
Zarafa Outlook Client 6.40.17 Final (35943), released 2012-07-19

Zarafa Outlook Client 7.0.0 TP (23713), released 2010-11-05
Zarafa Outlook Client 7.0.0 Alpha 1 (23713), released 2010-11-05
Zarafa Outlook Client 7.0.0 Beta 1 (24488), released 2010-12-30
Zarafa Outlook Client 7.0.0 Beta 2 (24874), released 2011-01-21
Zarafa Outlook Client 7.0.0 Beta 3 (25734), released 2011-03-08
Zarafa Outlook Client 7.0.0 RC 1 (26667), released 2011-04-21
Zarafa Outlook Client 7.0.0 RC 2 (27588), released 2011-06-10
Zarafa Outlook Client 7.0.0 Final (27791), released 2011-06-27
Zarafa Outlook Client 7.0.1 Beta 1 (28354), released 2011-07-26
Zarafa Outlook Client 7.0.1 Beta 2 (28479), released 2011-08-04
Zarafa Outlook Client 7.0.1 Final (28479), released 2011-08-12
Zarafa Outlook Client 7.0.2 Beta 1 (29238), released 2011-09-15
Zarafa Outlook Client 7.0.2 Final (29470), released 2011-09-29
Zarafa Outlook Client 7.0.3 Beta 1 (30283), released 2011-11-03
Zarafa Outlook Client 7.0.3 Beta 2 (30383), released 2011-11-11
Zarafa Outlook Client 7.0.3 Final (30515), released 2011-11-17
Zarafa Outlook Client 7.0.4 Beta 1 (31042), released 2011-12-09
Zarafa Outlook Client 7.0.4 Beta 2 (31131), released 2011-12-15
Zarafa Outlook Client 7.0.4 Final (31235), released 2011-12-22
Zarafa Outlook Client 7.0.5 Beta 1 (31699), released 2012-01-20
Zarafa Outlook Client 7.0.5 Final (31880), released 2012-02-02
Zarafa Outlook Client 7.0.6 Beta 1 (32585), released 2012-03-02
Zarafa Outlook Client 7.0.6 Final (32752), released 2012-03-15
Zarafa Outlook Client 7.0.7 Beta 1 (33784), released 2012-04-13
Zarafa Outlook Client 7.0.7 Beta 2 (34052), released 2012-04-26
Zarafa Outlook Client 7.0.7 Final (34256), released 2012-05-04
Zarafa Outlook Client 7.0.8 Beta 1 (35040), released 2012-06-08
Zarafa Outlook Client 7.0.8 Final (35178), released 2012-06-19
Zarafa Outlook Client 7.0.9 Beta 1 (36013), released 2012-07-19
Zarafa Outlook Client 7.0.9 Beta 2 (36190), released 2012-07-26
Zarafa Outlook Client 7.0.9 Beta 3 (36358), released 2012-08-03
Zarafa Outlook Client 7.0.9 Final (36358), released 2012-08-10
Zarafa Outlook Client 7.0.10 Beta 1 (37262), released 2012-09-20
Zarafa Outlook Client 7.0.10 Final (37482), released 2012-10-04
Zarafa Outlook Client 7.0.10 Final (38325), released 2012-11-14
Zarafa Outlook Client 7.0.11 Beta 1 (38406), released 2012-11-16
Zarafa Outlook Client 7.0.11 Beta 2 (38914), released 2012-11-30
Zarafa Outlook Client 7.0.11 Final (39120), released 2012-12-08
Zarafa Outlook Client 7.0.12 Beta 1 (39988), released 2013-01-10
Zarafa Outlook Client 7.0.12 Final (40336), released 2013-01-24
Zarafa Outlook Client 7.0.12 Final (41039), released 2013-02-13
Zarafa Outlook Client 7.0.13 Final (41388), released 2013-03-01
Zarafa Outlook Client 7.0.13 Final (41779), released 2013-04-15
Zarafa Outlook Client 7.0.14 Beta 1 (41924), released 2013-05-23
Zarafa Outlook Client 7.0.14 Final (42060), released 2013-07-01
Zarafa Outlook Client 7.0.14 Final (42121), released 2013-07-12
Zarafa Outlook Client 7.0.14 Final (42173), released 2013-07-25
Zarafa Outlook Client 7.0.14 Final (42368), released 2013-08-14
Zarafa Outlook Client 7.0.14 Final (42674), released 2013-09-16
Zarafa Outlook Client 7.0.15 Beta 1 (42582), released 2013-09-03
Zarafa Outlook Client 7.0.15 Beta 2 (42658), released 2013-09-13
Zarafa Outlook Client 7.0.15 Final (42709), released 2013-09-20
Zarafa Outlook Client 7.0.15 Final (42766), released 2013-10-01
Zarafa Outlook Client 7.0.15 Final (42835), released 2013-10-09
Zarafa Outlook Client 7.0.15 Final (43116), released 2013-11-15
Zarafa Outlook Client 7.0.15 Final (43131), released 2013-11-18
Zarafa Outlook Client 7.0.15 Final (43595), released 2014-01-15
Zarafa Outlook Client 7.0.15 Final (43934), released 2014-02-12
Zarafa Outlook Client 7.0.15 Final (44066), released 2014-02-27
Zarafa Outlook Client 7.0.15 Final (44883), released 2014-05-13
Zarafa Outlook Client 7.0.15 Final (44889), released 2014-05-14
Zarafa Outlook Client 7.0.15 Final (46209), released 2014-09-19
Zarafa Outlook Client 7.0.15 Final (45805), released 2014-10-20
Zarafa Outlook Client 7.0.15 Final (46755), released 2014-11-13
Zarafa Outlook Client 7.0.15 Final (46774), released 2014-11-14
Zarafa Outlook Client 7.0.15 Final (46778), released 2014-11-14
Zarafa Outlook Client 7.0.15 Final (47520), released 2015-01-19
Zarafa Outlook Client 7.0.15 Final (48009), released 2015-02-20
Zarafa Outlook Client 7.0.15 Final (48512), released 2015-03-27

Zarafa Outlook Client 7.1.0 Beta 1 (33926), released 2012-04-19
Zarafa Outlook Client 7.1.0 Beta 2 (34517), released 2012-05-11
Zarafa Outlook Client 7.1.0 Beta 3 (34833), released 2012-06-01
Zarafa Outlook Client 7.1.0 RC 1 (35476), released 2012-06-29
Zarafa Outlook Client 7.1.0 RC 2 (36025), released 2012-07-19
Zarafa Outlook Client 7.1.0 RC 3 (36420), released 2012-08-09
Zarafa Outlook Client 7.1.0 Final (36420), released 2012-08-23
Zarafa Outlook Client 7.1.1 Beta 1 (37267), released 2012-09-20
Zarafa Outlook Client 7.1.1 Beta 2 (37519), released 2012-10-04
Zarafa Outlook Client 7.1.1 Final (37812), released 2012-10-19
Zarafa Outlook Client 7.1.1 Final (38327), released 2012-11-14
Zarafa Outlook Client 7.1.2 Beta 1 (38366), released 2012-11-15
Zarafa Outlook Client 7.1.2 Beta 2 (38915), released 2012-11-30
Zarafa Outlook Client 7.1.2 Final (39121), released 2012-12-08
Zarafa Outlook Client 7.1.3 Beta 1 (39980), released 2013-01-10
Zarafa Outlook Client 7.1.3 Final (40304), released 2013-01-24
Zarafa Outlook Client 7.1.3 Final (41038), released 2013-02-13
Zarafa Outlook Client 7.1.4 Final (41394), released 2013-03-01
Zarafa Outlook Client 7.1.4 Final (41819), released 2013-04-19
Zarafa Outlook Client 7.1.5 Beta 1 (41923), released 2013-05-23
Zarafa Outlook Client 7.1.5 Final (42059), released 2013-07-01
Zarafa Outlook Client 7.1.5 Final (42115), released 2013-07-12
Zarafa Outlook Client 7.1.5 Final (42174), released 2013-07-25
Zarafa Outlook Client 7.1.5 Final (42369), released 2013-08-14
Zarafa Outlook Client 7.1.5 Final (42673), released 2013-09-13
Zarafa Outlook Client 7.1.6 Beta 1 (42574), released 2013-09-03
Zarafa Outlook Client 7.1.6 Beta 2 (42668), released 2013-09-13
Zarafa Outlook Client 7.1.6 Final (42710), released 2013-09-20
Zarafa Outlook Client 7.1.7 Final (42779), released 2013-10-03
Zarafa Outlook Client 7.1.7 Final (42840), released 2013-11-15
Zarafa Outlook Client 7.1.7 Final (43119), released 2013-11-15
Zarafa Outlook Client 7.1.7 Final (43126), released 2013-11-17
Zarafa Outlook Client 7.1.7 Final (43590), released 2014-01-15
Zarafa Outlook Client 7.1.8 Beta 1 (42841), released 2013-10-10
Zarafa Outlook Client 7.1.8 Beta 2 (43059), released 2013-11-08
Zarafa Outlook Client 7.1.8 Beta 3 (43454), released 2013-12-20
Zarafa Outlook Client 7.1.8 RC 1 (43691), released 2014-01-23
Zarafa Outlook Client 7.1.8 Final (43801), released 2014-01-30
Zarafa Outlook Client 7.1.8 Final (43932), released 2014-02-12
Zarafa Outlook Client 7.1.8 Final R1 (44004), released 2014-02-20
Zarafa Outlook Client 7.1.8 Final R1 (44068), released 2014-02-27
Zarafa Outlook Client 7.1.9 Beta 1 (44152), released 2014-03-12
Zarafa Outlook Client 7.1.9 RC 1 (44268), released 2014-03-24
Zarafa Outlook Client 7.1.9 Final (44333), released 2014-03-31
Zarafa Outlook Client 7.1.9 Final (44884), released 2014-05-13
Zarafa Outlook Client 7.1.9 Final (44888), released 2014-05-14
Zarafa Outlook Client 7.1.10 Beta 1 (44846), released 2014-05-12
Zarafa Outlook Client 7.1.10 RC 1 (44973), released 2014-05-26
Zarafa Outlook Client 7.1.10 Final (44973), released 2014-06-03
Zarafa Outlook Client 7.1.10 Final (45619), released 2014-08-01
Zarafa Outlook Client 7.1.11 Beta 1 (45653), released 2014-08-07
Zarafa Outlook Client 7.1.11 Final (45875), released 2014-08-26
Zarafa Outlook Client 7.1.11 Final R1 (46050), released 2014-09-05
Zarafa Outlook Client 7.1.11 Final R1 (46188), released 2014-09-19
Zarafa Outlook Client 7.1.11 Final R1 (46480), released 2014-10-20
Zarafa Outlook Client 7.1.11 Final R1 (46757), released 2014-11-13
Zarafa Outlook Client 7.1.11 Final R1 (46775), released 2014-11-14
Zarafa Outlook Client 7.1.11 Final R1 (46779), released 2014-11-14
Zarafa Outlook Client 7.1.11 Final R1 (47521), released 2015-01-19
Zarafa Outlook Client 7.1.12 Beta 1 (47484), released 2015-01-16
Zarafa Outlook Client 7.1.12 Beta 1 (47531), released 2015-01-19

Fixed versions

Zarafa Outlook Client 7.1.11 Final R1 (48011), released 2015-02-19
Zarafa Outlook Client 7.1.11 Final R1 (48330), released 2015-03-13
Zarafa Outlook Client 7.1.11 Final R1 (48341), released 2015-03-17
Zarafa Outlook Client 7.1.11 Final R1 (48396), released 2015-03-18
Zarafa Outlook Client 7.1.11 Final R1 (48449), released 2015-03-20
Zarafa Outlook Client 7.1.11 Final R1 (48574), released 2015-03-27
Zarafa Outlook Client 7.1.12 Beta 1 (48008), released 2015-02-19
Zarafa Outlook Client 7.1.12 Beta 2 (48455), released 2015-03-20
Zarafa Outlook Client 7.1.12 Beta 2 (48545), released 2015-03-27
Zarafa Outlook Client 7.1.12 Final (48726), released 2015-04-07
Zarafa Outlook Client 7.1.12 Final (48899), released 2015-04-17
Zarafa Outlook Client 7.1.12 Final (48997), released 2015-04-21
Zarafa Outlook Client 7.1.12 Final R1 (49411), released 2015-05-08
Zarafa Outlook Client 7.1.12 Final R1 (49539), released 2015-05-12
Zarafa Outlook Client 7.1.12 Final R1 (49565), released 2015-05-13

Zarafa Outlook Client 7.2.0 Beta 1 (46984), released 2014-12-05
Zarafa Outlook Client 7.2.0 Beta 1 (47004), released 2014-12-05
Zarafa Outlook Client 7.2.0 Beta 1 (47518), released 2015-01-19
Zarafa Outlook Client 7.2.0 Beta 2 (47829), released 2015-02-09
Zarafa Outlook Client 7.2.0 Beta 2 (47909), released 2015-02-10
Zarafa Outlook Client 7.2.0 Beta 2 (48012), released 2015-02-20
Zarafa Outlook Client 7.2.0 Final (48204), released 2015-03-05
Zarafa Outlook Client 7.2.0 Final (48554), released 2015-03-27
Zarafa Outlook Client 7.2.0 Final (48896), released 2015-04-17
Zarafa Outlook Client 7.2.0 Final (48980), released 2015-04-21
Zarafa Outlook Client 7.2.0 Final (49543), released 2015-05-12
Zarafa Outlook Client 7.2.0 Final (49564), released 2015-05-13

CVE information

No MITRE Corporation Common Vulnerabilities and Exposures (CVE) number has been assigned. Currently, the following other identifications are known for this issue:

Disclosure timeline

2014-04-02: Initial risk verification for Zarafa Outlook Client
2014-04-02: Initial vendor notification
2014-04-04: Initial vendor response and acknowledgement
2014-12-05: Vendor provides a fixed public beta/pre-release
2015-01-15: Vendor announces EOL for Zarafa Outlook Client in Q1/2016
2015-01-31: Coordinated public disclosure
2015-02-19: Vendor releases a fixed public final version

Credit

Zarafa Outlook Client being affected by this risk was discovered, analyzed and reported by Robert Scheck.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.