
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-41352) was discovered in Zimbra Collaboration (ZCS) versions 8.8.15 and 9.0. The vulnerability allows attackers to upload arbitrary files through Amavis by abusing a flaw in the cpio utility, which can lead to unauthorized access to other user accounts. The issue was first reported on September 10, 2022, when a security incident was detected on a fully patched Zimbra instance (Zimbra Forums).
The vulnerability exists in the Amavis component of Zimbra, specifically in how it uses the cpio utility to extract archives. The issue stems from an underlying vulnerability (CVE-2015-1197) in cpio that allows directory traversal through specially crafted archives containing symbolic links. When Amavis inspects email attachments, it uses cpio to extract files, which can be exploited to place files at arbitrary locations in the filesystem, including the webmail component's public directories (Securelist).
Successful exploitation allows attackers to write to any path on the filesystem that the Zimbra user can access, most commonly resulting in webshell deployment in the web root to gain remote code execution. This can lead to unauthorized access to any user accounts and potential complete system compromise (Rapid7).
Before the patch was released, Zimbra recommended installing the pax utility as a workaround, because Amavis automatically prefers pax over cpio when it is available. On Ubuntu systems, pax is installed by default. On CentOS/RHEL systems, it can be installed with 'yum install pax' or 'dnf install spax'. After installation, Zimbra services must be restarted. Zimbra later released a patch in version 9.0.0 P27 on October 10, 2022, which addresses this vulnerability (Rapid7).
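The cpio weakness described above (CVE-2015-1197) hinges on archive entries that are symbolic links or that carry paths escaping the extraction directory. The following added example, written for this page and not taken from Zimbra, Amavis or any other project, parses the SVR4 "newc" cpio format in memory and reports such entries, the kind of check a mail gateway or incident responder could run over a suspicious attachment before anything is extracted. The archive it scans is constructed inline as a test fixture; the symlink target and file names are made-up values.

```python
NEWC_MAGIC = b"070701"            # SVR4 "newc" cpio header magic
S_IFMT, S_IFLNK = 0o170000, 0o120000

def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4

def build_newc(entries):
    """Build an in-memory newc archive from (name, mode, data) tuples.
    Only used here to construct a fixture; the 13 header fields are
    8-digit ASCII hex: ino, mode, uid, gid, nlink, mtime, filesize,
    devmajor, devminor, rdevmajor, rdevminor, namesize, check."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(entries + [("TRAILER!!!", 0, b"")], 1):
        nm = name.encode() + b"\0"
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += nm + b"\0" * _pad4(110 + len(nm))      # header (110 B) + name padded to 4
        out += data + b"\0" * _pad4(len(data))        # file data padded to 4
    return bytes(out)

def scan_newc(blob):
    """Walk a newc archive without extracting it and return (name, reason)
    findings for entries a naive cpio extraction could abuse: symbolic
    links (the CVE-2015-1197 primitive) and absolute or '..' paths."""
    findings, off = [], 0
    while off + 110 <= len(blob):
        hdr = blob[off:off + 110]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode(errors="replace")
        data_off = off + 110 + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            break
        if mode & S_IFMT == S_IFLNK:                  # link data is the target path
            target = blob[data_off:data_off + size].decode(errors="replace")
            findings.append((name, "symlink -> %s" % target))
        if name.startswith("/") or ".." in name.split("/"):
            findings.append((name, "path escapes extraction dir"))
        off = data_off + size + _pad4(size)
    return findings

# Constructed fixture: one benign file, one symlink, one traversal path.
SAMPLE = build_newc([
    ("notes.txt", 0o100644, b"benign content\n"),
    ("link", 0o120777, b"/var/www/public"),          # made-up symlink target
    ("../escape.txt", 0o100644, b"x"),
])

if __name__ == "__main__":
    for name, reason in scan_newc(SAMPLE):
        print("%-16s %s" % (name, reason))
```

A clean archive returns an empty list; any finding is a reason to quarantine the message rather than hand it to cpio.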
Source: This report was generated using AI