ZCS Security Problems
During a security assessment carried out last week, the auditors found and reported some security problems in my Zimbra production environment, which is published on the Web.
My team spent some days fixing the problems, but some points of the report we simply can't fix because we can't find the parts of Zimbra that let the errors occur.
Please, I want help to:
Disable the HTTP OPTIONS method from Joomla (I have modified both httpd.config files that I found, but the method still appears on Nmap).
Change the 404 and 403 error pages because they show some technologies of my server.
Thanks for Help!
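An added example, not from the original post or from Zimbra's shipped configuration: the Apache 2.2 httpd directives that address the two findings (the OPTIONS method and information-leaking error pages) on a plain Apache front end. It assumes a document root of /var/www/html and custom error pages at /errors/403.html and /errors/404.html (constructed paths); the Zimbra 5.x web client itself is served by Tomcat, where error pages are set with <error-page> entries in web.xml instead.

```apache
# Added hardening example for an Apache 2.2 front end (not Zimbra's own config).
# /var/www/html and the /errors/ pages are constructed placeholders; adjust them.

# Reduce what the Server header and generated pages reveal about the stack
ServerTokens Prod
ServerSignature Off

# TRACE is not covered by Limit/LimitExcept, so switch it off explicitly
TraceEnable Off

# Serve static custom pages so 403/404 responses carry no version or module details
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html

<Directory "/var/www/html">
    AllowOverride None
    # Refuse every method except GET, HEAD and POST; OPTIONS now gets a 403
    <LimitExcept GET HEAD POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

After a graceful restart, `curl -i -X OPTIONS http://your-host/` against your own server should return 403 with the custom page instead of an Allow header listing methods.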
Do you have a specific reason to run ancient software instead of upgrading at certain intervals, say once every year?
Official support for Zimbra 5.x ended 16 months ago, and the last official release was 5.0.26: Zimbra Support Life Cycle Documentation; open source email, contacts, and group calendaring
Apache 2.2.3 was released in 2006; even oldstable Debian has 2.2.9.
Spank whoever was responsible for maintaining that system, take a full system backup and migrate immediately would be my suggestion.
Kruon and other forum members:
Well, I don't have a specific reason to still run this version, but the cost of migration hasn't been analyzed yet and I think my managers only want this update as a last resort, trying to block the current security problems.
Do the forum members think the only thing I can do is perform an update of Zimbra? Is there no workaround or fix for my existing version of the Zimbra Suite?
I honestly don't know what to do with that specific issue you have. I'm puzzled, though, since even old versions of Zimbra don't run Joomla (a CMS), so whatever error that is, it is a false positive.
You have more security problems than your audit will show by having such an out of date version so if you are concerned about security (and not just complying with a vulnerability scan), you really should update.
If I knew more specifics to tell you I would, but it's been a while since I've run that Zimbra version myself, and I had not made any such changes when I did. The most I can think of is looking at the /opt/zimbra/tomcat/conf files.
Easier said than done...
We were running 5.0x until a few months ago. I'd been pushing hard to update to 6 a year ago and eventually was able to go straight to 7.1.4; 7.2 would not be looked at since it had not been out for long. However, we would not upgrade until our SAN was upgraded. Then, using the fact that Zimbra 5.0x was out of support and RHEL4 was also out of support, once the SAN was upgraded (which included snapshot capabilities) we were able to upgrade to 7.1.4 under RHEL4, and have now upgraded hardware and OS to RHEL6.
On top of this, our identity provisioning system would not work with Zimbra 6 or 7. We were using the Perl API. It had to be redone in C#.
12K accounts here, btw.
Thanks for replies, guys :).
Well, if the upgrade is the only solution, I will try to sell this idea to our IT manager and see if we reach a solution for the problem, either by upgrading or by considering other mail systems to accomplish this work.