CVE-2020-7796
📋 TL;DR
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 is vulnerable to Server-Side Request Forgery (SSRF) when the WebEx zimlet is installed and zimlet JSP functionality is enabled. An attacker can make the Zimbra server issue HTTP requests to destinations of the attacker's choosing, including internal hosts and cloud metadata services that are not reachable from the Internet. Any organization running an affected ZCS release with the WebEx zimlet deployed should treat its mailbox servers as exposed.
💻 Affected Systems
- Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7, with the WebEx zimlet (com_zimbra_webex) installed and zimlet JSP enabled
📦 What is this software?
Zimbra Collaboration Suite is an email, calendar and contacts server with a browser-based client. The client is extended through "zimlets", server-deployed add-ons that may ship their own JSP pages; the WebEx zimlet integrates Cisco WebEx meeting scheduling into the Zimbra web client.
⚠️ Risk & Real-World Impact
Worst Case
The Zimbra server is used as a proxy into the network it sits in: the attacker reaches internal services that trust requests originating from the mail server, pulls data back through the SSRF response, and on cloud-hosted instances reads the instance metadata service, which can expose temporary IAM credentials for the host.
Likely Case
Attackers scan for Internet-facing Zimbra instances with the WebEx zimlet deployed and use the SSRF to map the internal network, probe metadata endpoints, and reach internal APIs and administrative interfaces that are not otherwise exposed.
If Mitigated
With egress filtering on the mailbox host (outbound connections restricted to the LDAP, database, DNS and SMTP relay hosts it actually needs, and cloud metadata addresses blocked), the attacker's forged requests fail at the firewall, and the only residue is a log of denied connection attempts, which is itself a useful detection signal.
🎯 Exploit Status
Confirm the exploitation status against the CISA Known Exploited Vulnerabilities catalog for this CVE ID before citing it as actively exploited; this write-up does not reference a public proof-of-concept or incident report. SSRF in an Internet-facing mail server is routinely scanned for, so do not make patching contingent on that confirmation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.8.15 Patch 7 or later
Vendor Advisory: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P7
Restart Required: Yes
Instructions:
1. Back up the Zimbra installation and mail store before patching.
2. Apply the 8.8.15 Patch 7 packages from Zimbra's package repository, following the steps in the vendor advisory above.
3. Restart Zimbra services (as the zimbra user; the patch does not take effect until mailboxd restarts).
4. Verify the patch is applied: the output of zmcontrol -v should carry a Patch 8.8.15_P7 (or later) suffix.
🔧 Temporary Workarounds
Disable WebEx zimlet
Remove or disable the WebEx zimlet to take the vulnerable JSP code out of the deployment. Run as the zimbra user; disabling stops the zimlet being served to clients, uninstalling removes it from LDAP and the filesystem.
zmzimletctl disable com_zimbra_webex
zmzimletctl uninstall com_zimbra_webex
Disable JSP in zimlets
The SSRF requires zimlet JSP functionality to be enabled, so turning it off closes the vector without removing the zimlet. The localconfig key below is as given in this write-up and is not documented in the vendor advisory; confirm it exists on your build before relying on it, and check that no other deployed zimlet depends on JSP. Run as the zimbra user.
zmlocalconfig -e zimbra_webex_jsp_enabled=false
zmcontrol restart
🧯 If You Can't Patch
- Implement strict egress filtering on the mailbox host: allow outbound connections only to the LDAP, database, DNS and SMTP relay hosts it needs, and explicitly deny cloud metadata addresses (169.254.169.254 and equivalents) and RFC 1918 ranges beyond that allowlist
- Deploy web application firewall rules on the inbound side to block requests to zimlet JSP paths whose parameters carry URLs or IP addresses; a WAF sees only the inbound trigger, not the forged outbound request, so pair it with the egress filtering above
🔍 How to Verify
Check if Vulnerable:
The host is vulnerable when all three hold: the Zimbra release is below 8.8.15 Patch 7, the WebEx zimlet (com_zimbra_webex) is deployed, and zimlet JSP functionality is enabled.
Check Version:
zmcontrol -v
Verify Fix Applied:
Confirm that zmcontrol -v reports 8.8.15 with a Patch 8.8.15_P7 or later suffix (or a later release line), and that the WebEx zimlet is either running on the patched release or has been disabled or uninstalled.
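The verification steps above, as an added example that is not part of the original advisory or Zimbra's own tooling: it parses the output of zmcontrol -v and the zimlet list and decides whether the host is exposed. The output formats shown in SAMPLE_UNPATCHED and SAMPLE_PATCHED, the assumption that zmzimletctl listZimlets prints one zimlet identifier per line, and the /opt/zimbra/bin paths are assumptions for this example; zimlet JSP enablement is not checked, because the switch that controls it is not documented on this page.

```python
"""Assess CVE-2020-7796 exposure from `zmcontrol -v` output and the deployed zimlet list.

Added example; not Zimbra's code. Assumes the `zmcontrol -v` line shape shown in the
SAMPLE_* constants and that `zmzimletctl listZimlets` prints one zimlet name per line.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Tuple

FIXED_RELEASE = (8, 8, 15)          # fixed in 8.8.15 Patch 7
FIXED_PATCH = 7
VULNERABLE_ZIMLET = "com_zimbra_webex"

# Constructed samples of `zmcontrol -v` output (the exact format is an assumption).
SAMPLE_UNPATCHED = "Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition."
SAMPLE_PATCHED = ("Release 8.8.15_GA_3869.RHEL7_64_20190918004220 RHEL7_64 FOSS edition, "
                  "Patch 8.8.15_P7.")

_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")
# Only com_zimbra_* identifiers are collected; that is enough to find the WebEx zimlet.
_ZIMLET_RE = re.compile(r"^\s*(com_zimbra_\w+)\s*$", re.MULTILINE)


def parse_zmcontrol_version(text: str) -> Tuple[Tuple[int, int, int], int]:
    """Return ((major, minor, micro), patch_level); patch_level is 0 when no Patch suffix."""
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised zmcontrol -v output: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    p = _PATCH_RE.search(text)
    return release, (int(p.group(1)) if p else 0)


def release_is_fixed(release: Tuple[int, int, int], patch: int) -> bool:
    """True for 8.8.15 P7 and later patches; later release lines (9.0.0+) are assumed fixed."""
    if release != FIXED_RELEASE:
        return release > FIXED_RELEASE
    return patch >= FIXED_PATCH


def parse_zimlet_list(text: str) -> List[str]:
    """Extract zimlet identifiers from `zmzimletctl listZimlets` output (assumed one per line)."""
    return _ZIMLET_RE.findall(text)


def assess(version_text: str, zimlets: Iterable[str]) -> Dict[str, object]:
    """Combine the release check and the zimlet check into one verdict."""
    release, patch = parse_zmcontrol_version(version_text)
    fixed = release_is_fixed(release, patch)
    zimlet_installed = VULNERABLE_ZIMLET in set(zimlets)
    return {
        "release": ".".join(map(str, release)),
        "patch": patch,
        "fixed": fixed,
        "zimlet_installed": zimlet_installed,
        # Exposure also requires zimlet JSP to be enabled; that switch is not checked here.
        "vulnerable": (not fixed) and zimlet_installed,
    }


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Run as the `zimbra` user on the mailbox host (paths are assumptions).
    version_out = _run(["/opt/zimbra/bin/zmcontrol", "-v"])
    zimlet_out = _run(["/opt/zimbra/bin/zmzimletctl", "listZimlets"])
    for key, value in assess(version_out, parse_zimlet_list(zimlet_out)).items():
        print(f"{key}: {value}")
```

A host on 8.8.15 without the Patch suffix and with com_zimbra_webex deployed is reported as vulnerable; a host on Patch 7 or later, or one where the zimlet has been uninstalled, is not. Because the JSP switch is not examined, "vulnerable" here means "patch or remove the zimlet", not a confirmed exploitable state.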
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Zimbra server
- Requests to internal IP addresses or metadata services
- Failed authentication attempts from Zimbra server to internal systems
Network Indicators:
- Zimbra server making unexpected outbound connections
- Requests to cloud metadata endpoints (169.254.169.254, etc.)
- Traffic to internal services from Zimbra server
SIEM Query:
Zimbra's own logs rarely record the forged outbound request; the reliable source is the egress firewall or proxy log for the mailbox host, correlated with mailbox.log entries for the zimlet JSP path. The query below is a starting point against Zimbra's log and should be widened to whichever source captures the server's outbound connections.
source="zimbra.log" AND ("webex" OR "jsp") AND ("169.254.169.254" OR "metadata" OR "internal")
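The network indicators above, turned into detection logic as an added example that is not part of the original advisory: it reads egress log lines, keeps those whose source is the Zimbra host, and flags destinations that are cloud metadata endpoints, private or link-local addresses, or loopback, unless they are on the allowlist of services the mail server legitimately reaches. The key=value log format, the host address 10.0.5.20, the allowlisted LDAP and DB hosts, and the log lines themselves are constructed for this example.

```python
"""Flag egress connections from the Zimbra host to internal or cloud-metadata destinations.

Added example; not Zimbra's code. The key=value log format, the host addresses, the
allowlist and SAMPLE_LOG are constructed assumptions for this example.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

ZIMBRA_HOSTS = {"10.0.5.20"}             # assumed: mailboxd host address(es)
ALLOWLIST = {"10.0.5.21", "10.0.5.22"}   # assumed: LDAP and DB servers it must reach
METADATA_IPS = {ipaddress.ip_address(a) for a in
                ("169.254.169.254", "100.100.100.200", "fd00:ec2::254")}
METADATA_HOSTS = {"metadata.google.internal", "metadata"}

_KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed egress firewall log: one legitimate LDAP bind, a metadata probe,
# a denied probe of an internal host, a normal external fetch, and a line from
# a different source host that must be ignored.
SAMPLE_LOG = """\
ts=2020-03-01T10:00:01Z src=10.0.5.20 dst=10.0.5.21 dport=389 action=allow
ts=2020-03-01T10:00:02Z src=10.0.5.20 dst=169.254.169.254 dport=80 action=allow
ts=2020-03-01T10:00:03Z src=10.0.5.20 dst=10.0.9.45 dport=8080 action=deny
ts=2020-03-01T10:00:04Z src=10.0.5.20 dst=93.184.216.34 dport=443 action=allow
ts=2020-03-01T10:00:05Z src=10.0.7.8 dst=169.254.169.254 dport=80 action=allow
""".splitlines()


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse a space-separated key=value log line into a dict."""
    return dict(_KV_RE.findall(line))


def classify_destination(dst: str) -> str:
    """Label a destination as metadata, loopback, internal, external or hostname."""
    host = dst.lower().strip("[]")
    if host in METADATA_HOSTS:
        return "metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"            # unresolved name; cannot classify offline
    if ip in METADATA_IPS:           # before is_private: 169.254/16 also counts as private
        return "metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal"
    return "external"


def find_ssrf_candidates(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return events where the Zimbra host reached a non-allowlisted internal target.

    Denied connections are kept on purpose: with egress filtering in place they are
    the main trace an SSRF attempt leaves.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_kv_line(line)
        src, dst = ev.get("src"), ev.get("dst")
        if src not in ZIMBRA_HOSTS or dst is None or dst in ALLOWLIST:
            continue
        label = classify_destination(dst)
        if label in ("metadata", "internal", "loopback"):
            hits.append({**ev, "reason": label})
    return hits


if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"[{hit['action']}] {hit['reason']}")
```

On the sample log this reports the metadata probe and the denied request to 10.0.9.45, and ignores the allowlisted LDAP bind, the external fetch and the event from a non-Zimbra source. External destinations are deliberately not flagged; a mail server legitimately makes outbound connections, so those need a baseline of expected destinations rather than a blanket rule.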