Robert Scheck

• Homepage
• Linux
• Internet
• Security
  • Advisories
  • Suchen
• IRC-Chat
• Tools
• FTP
• Kontakt
• Links

CVE-2014-5448: Incorrect default permission in Zarafa

Am 15. August 2014 habe ich entdeckt, dass die standardmäßige Verzeichnisberechtigung von "/var/log/zarafa/" (Zarafa Collaboration Platform) nicht ausreichend restriktiv genug ist und damit die Protokoll-Dateien der Zarafa-Dienste von einem lokalen Angreifer gelesen werden können. Abhängig vom Log-Level der Dienste handelt es sich nur um z.B. Betreff, Absender, Empfänger und Message-ID von E-Mails, jedoch können auch Mitschnitte der Dienste bzw. Protokolle IMAP, POP3, CalDAV und iCal im Klartext einschließlich Kennwörtern enthalten sein. Nachfolgend das Security Advisory in englischer Sprache:

Background

Zarafa is a leading European provider of open source groupware and collaboration software. The core product is the Zarafa Collaboration Platform (ZCP), an European open and compatible groupware platform that can be used as a drop-in Microsoft Exchange replacement for e-mail, calendaring, collaboration and tasks (origin: Zarafa company profile).

Description

All daemons/services of the Zarafa Collaboration Platform offer two different logging methods, either one logfile per service in /var/log/zarafa/ (which is the default) or alternatively sending the messages to syslog which adds it to the default maillog of the system. But the default permission of the log directory is world-readable, thus a local attacker can access all Zarafa logfiles read-only if the default logging configuration rather syslog is used.

CVSS v2 metrics

• Base Score: 2.1
• Base Metrics: AV:L/AC:L/Au:N/C:P/I:N/A:N
• Access Vector: Local
• Access Complexity: Low
• Authentication: None
• Confidentiality Impact: Partial
• Integrity Impact: None
• Availability Impact: None

Analysis

There is no exploitation which would allow unauthenticated remote attackers to gain root access. However if an attacker gains access to the log files the leaked information (depending on the log level of the given Zarafa daemon/service) range from only e.g. subject, sender/recipient, message-id, SMTP queue ID of in- and outbound e-mails up to even a full cleartext protocol dump of IMAP, POP3, CalDAV and iCal as well (including possible credentials), thus further information leaks or attacks might be possible.

Reproducability

Even the following commands could be used to actively exploit and abuse this flaw they are only made public to analyze if the system in question is vulnerable or not.

robert@tux:~ > id
uid=1000(robert) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
robert@tux:~ >

A system with the Zarafa Collaboration Platform is affected if the following command can be run as non-privileged system user without any permission error and the log directory itself has world readable permissions.

robert@tux:~ > ls -la /var/log/zarafa/
total 78988
drwxr-xr-x. 2 root root 4096 Sep 1 21:56 .
drwxr-xr-x. 9 root root 4096 Sep 1 21:52 ..
-rw-r--r--. 1 root root 2820 Sep 1 21:55 dagent.log
-rw-r--r--. 1 root root 41668415 Sep 1 21:55 gateway.log
-rw-r--r--. 1 root root 70411 Sep 1 21:55 ical.log
-rw-r--r--. 1 root root 12284 Sep 1 21:55 licensed.log
-rw-r--r--. 1 root root 58672 Sep 1 21:55 monitor.log
-rw-r--r--. 1 root root 19362581 Sep 1 21:55 search.log
-rw-r--r--. 1 root root 19503403 Sep 1 21:56 server.log
-rw-r--r--. 1 root root 180693 Sep 1 21:55 spooler.log
robert@tux:~ >

Workaround

Until a fixed version of the Zarafa Collaboration Platform is available (or for a system where a possible future update can not be applied for different reasons) the following command can be used to correct the wrong permission.

tux:~ # chmod 750 /var/log/zarafa/
tux:~ #

The command above is however only treated as a workaround because a possible non-fixed intermediate update of the Zarafa Collaboration Platform might revert this manually corrected permission again.

Solution

As there are fixed releases of the Zarafa Collaboration Platform available, an update is highly recommented over any workaround.

Affected versions

• Zarafa 5.00 Final, released 2006-12-18
• Zarafa 5.01 Final, released 2007-02-26
• Zarafa 5.02 Final (6453), released 2007-04-23
• Zarafa 5.10 Final, released 2007-06-25
• Zarafa 5.11 Final (7310), released 2007-08-21

• Zarafa 5.20 Beta 1 (7332), released 2007-08-30
• Zarafa 5.20 Beta 2 (7553), released 2007-09-06
• Zarafa 5.20 RC 1 (7838), released 2007-09-21
• Zarafa 5.20 Final (8007), released 2007-10-05
• Zarafa 5.21 RC 1 (8123), released 2007-10-12
• Zarafa 5.21 Final (8123), released 2007-10-29
• Zarafa 5.22 Beta 1 (8452), released 2007-11-12
• Zarafa 5.22 Beta 2 (8638), released 2007-11-27
• Zarafa 5.22 RC 1 (8746), released 2007-12-06
• Zarafa 5.22 RC 2 (8825), released 2007-12-12
• Zarafa 5.22 Final (8825), released 2007-12-19
• Zarafa 5.23 Beta 1 (9659), released 2008-02-19
• Zarafa 5.23 RC 1 (9742), released 2008-02-29
• Zarafa 5.23 Final (9742), released 2008-03-14
• Zarafa 5.24 Beta 1 (10056), released 2008-04-10
• Zarafa 5.24 RC 1 (10297), released 2008-05-20
• Zarafa 5.24 Final (10384), released 2008-05-28
• Zarafa 5.25 RC 1 (10783), released 2008-07-15
• Zarafa 5.25 RC 2 (11089), released 2008-08-13
• Zarafa 5.25 Final, released 2008-09-08
• Zarafa 5.26 RC 1 (11917), released 2008-10-06
• Zarafa 5.26 Final (12031), released 2008-10-20

• Zarafa 6.00 TP (8740), released 2007-12-05
• Zarafa 6.00 Beta 1 (8861), released 2007-12-12
• Zarafa 6.00 Beta 2 (8958), released 2007-12-19
• Zarafa 6.00 Beta 3 (9192), released 2008-01-07
• Zarafa 6.00 Beta 4 (9351), released 2008-01-17
• Zarafa 6.00 Beta 5 (9429), released 2008-01-23
• Zarafa 6.00 Beta 6 (9507), released 2008-01-31
• Zarafa 6.00 RC 1 (9537), released 2008-02-06
• Zarafa 6.00 RC 2 (9668), released 2008-02-20
• Zarafa 6.00 RC 3 (9699), released 2008-02-21
• Zarafa 6.00 RC 4 (9754), released 2008-02-28
• Zarafa 6.00 Final (9772), released 2008-03-01
• Zarafa 6.01 Final (9831), released 2008-03-17
• Zarafa 6.02 Beta 1 (9915), released 2008-03-27
• Zarafa 6.02 RC 1 (9978), released 2008-04-03
• Zarafa 6.02 RC 2 (10119), released 2008-04-16
• Zarafa 6.02 RC 3 (10171), released 2008-04-23
• Zarafa 6.02 Final (10238), released 2008-05-07
• Zarafa 6.03 Beta 1 (10306), released 2008-05-15
• Zarafa 6.03 Beta 2 (10599), released 2008-06-20
• Zarafa 6.03 RC 1 (10708), released 2008-07-07
• Zarafa 6.03 RC 2 (10767), released 2008-07-11
• Zarafa 6.03 Final (10850), released 2008-07-18
• Zarafa 6.04 Beta 1 (11084), released 2008-08-07
• Zarafa 6.04 RC 1 (11343)
• Zarafa 6.04 RC 2 (11489), released 2008-09-04
• Zarafa 6.04 Final (11575), released 2008-09-11
• Zarafa 6.05 Beta 1 (11869), released 2008-09-25
• Zarafa 6.05 RC 1 (12080), released 2008-10-09
• Zarafa 6.05 RC 2 (12224), released 2008-10-23
• Zarafa 6.05 Final (12338), released 2008-11-06

• Zarafa 6.10 Beta 1
• Zarafa 6.10 Beta 2 (9840), released 2008-03-20
• Zarafa 6.10 Beta 3 (9997), released 2008-04-03
• Zarafa 6.10 Beta 4 (10217), released 2008-04-29
• Zarafa 6.10 RC 1 (10228), released 2008-05-07
• Zarafa 6.10 RC 2 (10305), released 2008-05-23
• Zarafa 6.10 RC 3 (10535), released 2008-06-17
• Zarafa 6.10 Final, released 2008-07-08
• Zarafa 6.11 Beta 1
• Zarafa 6.11 Beta 2 (10897), released 2008-07-29
• Zarafa 6.11 RC 1 (11344), released 2008-08-22
• Zarafa 6.11 RC 2 (11490), released 2008-09-02
• Zarafa 6.11 Final (11612), released 2008-09-10
• Zarafa 6.12 Beta 1 (11955), released 2008-10-01
• Zarafa 6.12 RC 1 (12225), released 2008-11-21
• Zarafa 6.12 RC 2 (13060), released 2009-01-15
• Zarafa 6.12 Final (13060), released 2009-01-23

• Zarafa 6.20 Beta 1 (11098), released 2008-08-06
• Zarafa 6.20 Beta 2 (11647), released 2008-09-12
• Zarafa 6.20 Beta 3 (11749), released 2008-09-18
• Zarafa 6.20 Beta 4 (11804), released 2008-09-23
• Zarafa 6.20 Beta 5 (12487), released 2008-11-14
• Zarafa 6.20 Beta 6 (12710), released 2008-12-04
• Zarafa 6.20 RC 1 (12850), released 2008-12-16
• Zarafa 6.20 RC 2 (12993), released 2008-12-30
• Zarafa 6.20 RC 3 (13153), released 2009-01-12
• Zarafa 6.20 Final (13194), released 2009-01-16
• Zarafa 6.20.1 Unstable (13370), released 2009-01-24
• Zarafa 6.20.1 Final (13464), released 2009-02-03
• Zarafa 6.20.2 Beta (13556), released 2009-02-04
• Zarafa 6.20.2 Final (13651), released 2009-02-25
• Zarafa 6.20.3 Beta 1 (13831), released 2009-02-28
• Zarafa 6.20.3 Beta 2 (13865), released 2009-03-04
• Zarafa 6.20.3 Final (13865), released 2009-03-19
• Zarafa 6.20.4 Beta (14050), released 2009-03-22
• Zarafa 6.20.4 Final (14107), released 2009-04-03
• Zarafa 6.20.5 Beta 1 (14316), released 2009-04-08
• Zarafa 6.20.5 Beta 2 (14478), released 2009-04-23
• Zarafa 6.20.5 Final (14478), released 2009-04-28
• Zarafa 6.20.6 Beta 1 (14659), released 2009-05-05
• Zarafa 6.20.6 Beta 2 (14742), released 2009-05-12
• Zarafa 6.20.6 Beta 3 (14790), released 2009-05-18
• Zarafa 6.20.6 Final, released 2009-05-27
• Zarafa 6.20.7 Beta (15038), released 2009-06-09
• Zarafa 6.20.7 Final, released 2009-06-24
• Zarafa 6.20.8 Beta 1 (15498), released 2009-07-06
• Zarafa 6.20.8 Beta 2 (15555), released 2009-07-10
• Zarafa 6.20.8 Final (15686), released 2009-07-24
• Zarafa 6.20.9 Beta (16075), released 2009-08-05
• Zarafa 6.20.9 Final (16156)
• Zarafa 6.20.10 Beta 1 (16543), released 2009-09-01
• Zarafa 6.20.10 Beta 2 (16601), released 2009-09-07
• Zarafa 6.20.10 Final (16734), released 2009-09-24
• Zarafa 6.20.11 Beta (17080), released 2009-10-06
• Zarafa 6.20.11 Final (17604), released 2009-11-12
• Zarafa 6.20.12 Final (18389), released 2010-01-14
• Zarafa 6.20.13 Beta 1, released 2010-03-03
• Zarafa 6.20.13 Final (19023), released 2010-04-01

• Zarafa 6.30.0 Beta 1 (13713), released 2009-02-24
• Zarafa 6.30.0 Beta 2 (13995), released 2009-03-20
• Zarafa 6.30.0 Beta 3 (14291), released 2009-04-07
• Zarafa 6.30.0 RC 1a (14510), released 2009-04-25
• Zarafa 6.30.0 RC 1b (14609), released 2009-04-29
• Zarafa 6.30.0 RC 1c (14675), released 2009-05-07
• Zarafa 6.30.0 RC 1d (14757), released 2009-05-13
• Zarafa 6.30.0 RC 1e (14802), released 2009-05-18
• Zarafa 6.30.0 RC 1 (14802), released 2009-05-20
• Zarafa 6.30.0 RC 2 (15089), released 2009-06-13
• Zarafa 6.30.0 RC 3a (15217), released 2009-06-18
• Zarafa 6.30.0 RC 3b
• Zarafa 6.30.0 RC 3c (15472), released 2009-07-03
• Zarafa 6.30.0 RC 3 (15545), released 2009-07-08
• Zarafa 6.30.0 Final (15765), released 2009-07-23
• Zarafa 6.30.1 Beta (16054), released 2009-07-30
• Zarafa 6.30.1 Final (16192), released 2009-08-20
• Zarafa 6.30.2 Beta 1 (16415), released 2009-08-26
• Zarafa 6.30.2 Beta 2 (16493), released 2009-08-28
• Zarafa 6.30.2 Beta 3 (16545), released 2009-09-01
• Zarafa 6.30.2 Final (16545), released 2009-09-11
• Zarafa 6.30.3 Pre-Beta (16905), released 2009-09-24
• Zarafa 6.30.3 Beta (16954), released 2009-09-28
• Zarafa 6.30.3 Final (17192), released 2009-10-15
• Zarafa 6.30.4 Final (17264), released 2009-10-28
• Zarafa 6.30.5 Beta (17418), released 2009-10-27
• Zarafa 6.30.5 Final (17658), released 2009-11-18
• Zarafa 6.30.6 Beta 1, released 2009-12-04
• Zarafa 6.30.6 Final (18063), released 2009-12-16
• Zarafa 6.30.7 Beta 1, released 2009-12-24
• Zarafa 6.30.7 Final (18277), released 2010-01-06
• Zarafa 6.30.8 Final (18345), released 2010-01-12
• Zarafa 6.30.9 Final (18385), released 2010-01-14
• Zarafa 6.30.10 Beta 1 (18396), released 2010-01-15
• Zarafa 6.30.10 Beta 2, released 2010-01-27
• Zarafa 6.30.10 Final (18495), released 2010-02-02
• Zarafa 6.30.11 Beta 1 (18797), released 2010-02-15
• Zarafa 6.30.11 Beta 2, released 2010-02-24
• Zarafa 6.30.11 Final (18984), released 2010-03-02
• Zarafa 6.30.12 Final (19435), released 2010-03-19
• Zarafa 6.30.13 Beta 1, released 2010-04-01
• Zarafa 6.30.13 Beta 2, released 2010-04-15
• Zarafa 6.30.13 Final (19788), released 2010-04-21
• Zarafa 6.30.14 Final (20002), released 2010-04-28
• Zarafa 6.30.15 Beta 1 (20234), released 2010-05-14
• Zarafa 6.30.15 Beta 2 (21170), released 2010-06-28
• Zarafa 6.30.15 Final (21229), released 2010-07-20
• Zarafa 6.30.16 Beta 1 (21699), released 2010-07-29
• Zarafa 6.30.16 Beta 2 (21846), released 2010-08-05
• Zarafa 6.30.16 Final (21846), released 2010-08-31
• Zarafa 6.30.17 Beta 1 (23117), released 2010-10-01
• Zarafa 6.30.17 Beta 2 (23285), released 2010-10-15
• Zarafa 6.30.17 Final (23285), released 2010-10-29
• Zarafa 6.30.18 Beta 1 (23963), released 2010-12-03
• Zarafa 6.30.18 Beta 2 (24292), released 2010-12-17
• Zarafa 6.30.18 Final (24292), released 2010-12-20
• Zarafa 6.30.19 Beta 1 (24945), released 2011-01-28
• Zarafa 6.30.19 Final (25148), released 2011-02-10

• Zarafa 6.40.0 Alpha 1 (16056), released 2009-08-03
• Zarafa 6.40.0 Alpha 2 (16731), released 2009-09-14
• Zarafa 6.40.0 Alpha 3 (16832), released 2009-09-18
• Zarafa 6.40.0 Beta 1 (16858), released 2009-09-21
• Zarafa 6.40.0 Pre-Beta 2 (17469), released 2009-10-29
• Zarafa 6.40.0 Beta 2 (17498), released 2009-10-30
• Zarafa 6.40.0 Beta 3, released 2009-12-11
• Zarafa 6.40.0 RC 1 (18537), released 2010-01-26
• Zarafa 6.40.0 RC 2 (18871), released 2010-02-16
• Zarafa 6.40.0 RC 3 (19159), released 2010-03-08
• Zarafa 6.40.0 RC 4 (19574), released 2010-04-01
• Zarafa 6.40.0 RC 5 (19792), released 2010-04-16
• Zarafa 6.40.0 RC 6 (19899), released 2010-04-26
• Zarafa 6.40.0 RC 7 (20343), released 2010-05-14
• Zarafa 6.40.0 RC 8 (20419), released 2010-05-21
• Zarafa 6.40.0 RC 9 (20653), released 2010-06-02
• Zarafa 6.40.0 Final (20653), released 2010-06-09
• Zarafa 6.40.1 Beta 1 (21473), released 2010-07-20
• Zarafa 6.40.1 Beta 2 (21742), released 2010-07-30
• Zarafa 6.40.1 Final (21780), released 2010-08-05
• Zarafa 6.40.2 Beta 1 (22288), released 2010-08-20
• Zarafa 6.40.2 Beta 2 (22361), released 2010-08-25
• Zarafa 6.40.2 Final (22452), released 2010-08-31
• Zarafa 6.40.3 Beta 1 (22703), released 2010-09-10
• Zarafa 6.40.3 Beta 2 (23043), released 2010-09-29
• Zarafa 6.40.3 Beta 3 (23181), released 2010-10-07
• Zarafa 6.40.3 Beta 4 (23410), released 2010-10-22
• Zarafa 6.40.3 Final (23410), released 2010-10-27
• Zarafa 6.40.4 Beta 1 (23477), released 2010-11-11
• Zarafa 6.40.4 Beta 2 (23895), released 2010-11-19
• Zarafa 6.40.4 Beta 3 (24031), released 2010-11-26
• Zarafa 6.40.4 Beta 4 (24179), released 2010-12-07
• Zarafa 6.40.4 Final (24200), released 2010-12-03
• Zarafa 6.40.4 Final (24121), released 2010-12-10
• Zarafa 6.40.5 Beta 1 (24479), released 2010-12-28
• Zarafa 6.40.5 Beta 2 (24764), released 2011-01-14
• Zarafa 6.40.5 Final (24860), released 2011-01-25
• Zarafa 6.40.6 Beta 1, released 2011-02-08
• Zarafa 6.40.6 Beta 2, released 2011-02-28
• Zarafa 6.40.6 Final (25584), released 2011-03-10
• Zarafa 6.40.7 Beta 1, released 2011-03-23
• Zarafa 6.40.7 Final (26119), released 2011-03-29
• Zarafa 6.40.8 Beta 1, released 2011-05-06
• Zarafa 6.40.8 Final (27223), released 2011-05-20
• Zarafa 6.40.9 Beta 1 (27453), released 2011-06-06
• Zarafa 6.40.9 Final (27553), released 2011-06-08
• Zarafa 6.40.10 Beta 1, released 2011-07-11
• Zarafa 6.40.10 Final (28214), released 2011-07-21
• Zarafa 6.40.11 Beta 1 (28776), released 2011-08-19
• Zarafa 6.40.11 Final (289659, released 2011-08-31
• Zarafa 6.40.12 Beta 1 (29729), released 2011-10-10
• Zarafa 6.40.12 Final (29942), released 2011-10-20
• Zarafa 6.40.13 Beta 1 (30596), released 2011-11-21
• Zarafa 6.40.13 Beta 2 (30778), released 2011-12-01
• Zarafa 6.40.13 Final (30778), released 2011-12-08
• Zarafa 6.40.14 Beta 1 (31462), released 2012-01-06
• Zarafa 6.40.14 Final (31537), released 2012-01-19
• Zarafa 6.40.15 Beta 1 (33246), released 2012-03-29
• Zarafa 6.40.15 Final (33766), released 2012-04-12
• Zarafa 6.40.16 Final (34239), released 2012-05-04
• Zarafa 6.40.17 Beta 1 (35609), released 2012-07-05
• Zarafa 6.40.17 Final (35943), released 2012-07-19

• Zarafa 7.0.0 TP (23713), released 2010-11-05
• Zarafa 7.0.0 Alpha 1 (23713), released 2010-11-05
• Zarafa 7.0.0 Beta 1 (24488), released 2010-12-30
• Zarafa 7.0.0 Beta 2 (24874), released 2011-01-21
• Zarafa 7.0.0 Beta 3 (25734), released 2011-03-08
• Zarafa 7.0.0 RC 1 (26667), released 2011-04-21
• Zarafa 7.0.0 RC 2 (27588), released 2011-06-10
• Zarafa 7.0.0 Final (27791), released 2011-06-27
• Zarafa 7.0.1 Beta 1 (28354), released 2011-07-26
• Zarafa 7.0.1 Beta 2 (28479), released 2011-08-04
• Zarafa 7.0.1 Final (28479), released 2011-08-12
• Zarafa 7.0.2 Beta 1 (29238), released 2011-09-15
• Zarafa 7.0.2 Final (29470), released 2011-09-29
• Zarafa 7.0.3 Beta 1 (30283), released 2011-11-03
• Zarafa 7.0.3 Beta 2 (30383), released 2011-11-11
• Zarafa 7.0.3 Final (30515), released 2011-11-17
• Zarafa 7.0.4 Beta 1 (31042), released 2011-12-09
• Zarafa 7.0.4 Beta 2 (31131), released 2011-12-15
• Zarafa 7.0.4 Final (31235), released 2011-12-22
• Zarafa 7.0.5 Beta 1 (31699), released 2012-01-20
• Zarafa 7.0.5 Final (31880), released 2012-02-02
• Zarafa 7.0.6 Beta 1 (32585), released 2012-03-02
• Zarafa 7.0.6 Final (32752), released 2012-03-15
• Zarafa 7.0.7 Beta 1 (33784), released 2012-04-13
• Zarafa 7.0.7 Beta 2 (34052), released 2012-04-26
• Zarafa 7.0.7 Final (34256), released 2012-05-04
• Zarafa 7.0.8 Beta 1 (35040), released 2012-06-08
• Zarafa 7.0.8 Final (35178), released 2012-06-19
• Zarafa 7.0.9 Beta 1 (36013), released 2012-07-19
• Zarafa 7.0.9 Beta 2 (36190), released 2012-07-26
• Zarafa 7.0.9 Beta 3 (36358), released 2012-08-03
• Zarafa 7.0.9 Final (36358), released 2012-08-10
• Zarafa 7.0.10 Beta 1 (37262), released 2012-09-20
• Zarafa 7.0.10 Final (37482), released 2012-10-04
• Zarafa 7.0.11 Beta 1 (38406), released 2012-11-16
• Zarafa 7.0.11 Beta 2 (38914), released 2012-11-30
• Zarafa 7.0.11 Final (39120), released 2012-12-08
• Zarafa 7.0.12 Beta 1 (39988), released 2013-01-10
• Zarafa 7.0.12 Final (40336), released 2013-01-24
• Zarafa 7.0.13 Final (41388), released 2013-03-01
• Zarafa 7.0.14 Beta 1 (41924), released 2013-05-23
• Zarafa 7.0.14 Final (42060), released 2013-07-01
• Zarafa 7.0.15 Beta 1 (42582), released 2013-09-03
• Zarafa 7.0.15 Beta 2 (42658), released 2013-09-13
• Zarafa 7.0.15 Final (42709), released 2013-09-20

• Zarafa 7.1.0 Beta 1 (33926), released 2012-04-19
• Zarafa 7.1.0 Beta 2 (34517), released 2012-05-11
• Zarafa 7.1.0 Beta 3 (34833), released 2012-06-01
• Zarafa 7.1.0 RC 1 (35476), released 2012-06-29
• Zarafa 7.1.0 RC 2 (36025), released 2012-07-19
• Zarafa 7.1.0 RC 3 (36420), released 2012-08-09
• Zarafa 7.1.0 Final (36420), released 2012-08-23
• Zarafa 7.1.1 Beta 1 (37267), released 2012-09-20
• Zarafa 7.1.1 Beta 2 (37519), released 2012-10-04
• Zarafa 7.1.1 Final (37812), released 2012-10-19
• Zarafa 7.1.2 Beta 1 (38366), released 2012-11-15
• Zarafa 7.1.2 Beta 2 (38915), released 2012-11-30
• Zarafa 7.1.2 Final (39121), released 2012-12-08
• Zarafa 7.1.3 Beta 1 (39980), released 2013-01-10
• Zarafa 7.1.3 Final (40304), released 2013-01-24
• Zarafa 7.1.4 Final (41394), released 2013-03-01
• Zarafa 7.1.5 Beta 1 (41923), released 2013-05-23
• Zarafa 7.1.5 Final (42059), released 2013-07-01
• Zarafa 7.1.6 Beta 1 (42574), released 2013-09-03
• Zarafa 7.1.6 Beta 2 (42668), released 2013-09-13
• Zarafa 7.1.6 Final (42710), released 2013-09-20
• Zarafa 7.1.7 Final (42779), released 2013-10-03
• Zarafa 7.1.8 Beta 1 (42841), released 2013-10-10
• Zarafa 7.1.8 Beta 2 (43059), released 2013-11-08
• Zarafa 7.1.8 Beta 3 (43454), released 2013-12-20
• Zarafa 7.1.8 RC 1 (43691), released 2014-01-23
• Zarafa 7.1.8 Final (43801), released 2014-01-30
• Zarafa 7.1.8 Final R1 (44004), released 2014-02-20
• Zarafa 7.1.9 Beta 1 (44152), released 2014-03-12
• Zarafa 7.1.9 RC 1 (44268), released 2014-03-24
• Zarafa 7.1.9 Final (44333), released 2014-03-31
• Zarafa 7.1.10 Beta 1 (44846), released 2014-05-12
• Zarafa 7.1.10 RC 1 (44973), released 2014-05-26
• Zarafa 7.1.10 Final (44973), released 2014-06-03
• Zarafa 7.1.11 Beta 1 (45653), released 2014-08-07
• Zarafa 7.1.11 Final (45875), released 2014-08-26
• Zarafa 7.1.11 Final R1 (46050), released 2014-09-05
• Zarafa 7.1.12 Beta 1 (47484), released 2015-01-16
• Zarafa 7.1.12 Beta 2 (48455), released 2015-03-20
• Zarafa 7.1.12 Final (48726), released 2015-04-07
• Zarafa 7.1.12 Final R1 (49411), released 2015-05-08

Fixed versions

• Zarafa 7.2.0 Beta 1 (46984), released 2014-12-05
• Zarafa 7.2.0 Beta 1 (47004), released 2014-12-05
• Zarafa 7.2.0 Beta 2 (47829), released 2015-02-09
• Zarafa 7.2.0 Final (48204), released 2015-03-05

CVE information

The MITRE Corporation Common Vulnerabilities and Exposures (CVE) number CVE-2014-5448 was assigned on August 25, 2014. Currently, the following other identifications are known for this issue:

• MITRE CVE-2014-5448
• RSC-SA-2014-0005
• Zarafa ZCP-12667
• Red Hat RHBZ #1133439
• OSS-SEC 2014/Q3/444
• SecurityFocus BID-69365
• ISS X-Force 95452
• DFN-CERT-2014-1118

Disclosure timeline

• 2014-08-15: Initial vulnerability discovery
• 2014-08-24: Coordinated public disclosure
• 2014-08-25: Initial vendor notification, response and acknowledgement
• 2014-08-25: MITRE CVE assignment team assignes CVE name
• 2014-12-05: Vendor provides a fixed public beta/pre-release
• 2015-03-05: Vendor releases a fixed public final version

Credit

This vulnerability was discovered, analyzed and reported by Robert Scheck.

Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an as is condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.