
Thread: Critical Security Issue



    DESCRIPTION:

    Zimbra has been made aware of a potentially critical security vulnerability in Zimbra Collaboration Suite. All released versions of ZCS Network Edition and Open Source Edition are impacted.

    This vulnerability allows unauthorized, remote access to files that are readable by the "zimbra user" account on the ZCS Mailbox Server (also known as mailbox service, or "mailboxd"; "tomcat" on 4.5 versions and earlier).


    SOLUTION:

    Below you will find the installation instructions and a link to the patch file for your version of ZCS. Please note that you are not required to fully upgrade your Zimbra server in order to apply this patch. If you have multiple servers, the patch must be applied to every server running the ZCS Mailbox Server ("mailboxd" or "tomcat").

    This is a critical vulnerability and we recommend all customers patch their systems immediately.

    We would like to thank Hubert Seiwert, as well as John Stamatakis and Arjun Pednekar, for the discovery and reporting of the vulnerability.


    PATCH INSTRUCTIONS:

    First you must download the correct jar file for your ZCS installation. To determine your current ZCS version, as the zimbra user, run zmcontrol -v.
    • ZCS 4.0.x, 4.5.x, and 5.0.x use patch:
    • ZCS 6.0.x Beta use patch:
    For this patch to work correctly, the existing jar files must be saved to another directory. We recommend saving the existing jar files to /opt/zimbra/save-07012009.
    Note: Do not simply rename these files. These files must be moved to a new directory that is not one of the directories the mailbox server (mailboxd) Java VM and other command line tools load classes from. Failure to remove them from their current directory may invalidate the patch.
    ZCS Versions 4.0.x and 4.5.x

    1. [Perform command as zimbra] Stop the ZCS server. As the zimbra user, run zmcontrol stop:
    Code:
    zmcontrol stop
    2. [Perform commands as root, sudo] Use the script below to download the updated jar file and move the existing jar files to another directory, then replace them with the patched jar file:
    Code:
    cd /tmp;
    curl -O http://files.zimbra.com/downloads/security/dom4j-1.5.jar;
    mkdir /opt/zimbra/save-07012009/;
    mv /opt/zimbra/apache-tomcat-5.5.15/webapps/service/WEB-INF/lib/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-service.jar;
    mv /opt/zimbra/apache-tomcat-5.5.15/webapps/zimbra/WEB-INF/lib/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-zimbra.jar;
    mv /opt/zimbra/lib/jars/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-lib.jar;
    cp /tmp/dom4j-1.5.jar /opt/zimbra/apache-tomcat-5.5.15/webapps/service/WEB-INF/lib/dom4j-1.5.jar;
    cp /tmp/dom4j-1.5.jar /opt/zimbra/apache-tomcat-5.5.15/webapps/zimbra/WEB-INF/lib/dom4j-1.5.jar;
    cp /tmp/dom4j-1.5.jar /opt/zimbra/lib/jars/dom4j-1.5.jar;


    3. [Perform commands as root, sudo] Ensure that the jar files are owned by the zimbra user:

    Code:
    chown zimbra:zimbra /opt/zimbra/apache-tomcat-5.5.15/webapps/service/WEB-INF/lib/dom4j-1.5.jar;
    chown zimbra:zimbra /opt/zimbra/apache-tomcat-5.5.15/webapps/zimbra/WEB-INF/lib/dom4j-1.5.jar;
    chown zimbra:zimbra /opt/zimbra/lib/jars/dom4j-1.5.jar;
    4. [Perform command as zimbra] Start the ZCS server. As the zimbra user, run zmcontrol start:
    Code:
    zmcontrol start

    ZCS Version 5.0.x

    1. [Perform command as zimbra] Stop the ZCS server. As the zimbra user, run zmcontrol stop:
    Code:
    zmcontrol stop
    2. [Perform commands as root, sudo] Use the script below to download the updated jar file and move the existing jar files to another directory, then replace them with the patched jar file:

    Code:
    cd /tmp;
    curl -O http://files.zimbra.com/downloads/security/dom4j-1.5.jar;
    mkdir /opt/zimbra/save-07012009/;
    mv /opt/zimbra/lib/jars/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-lib.jar;
    mv /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-common.jar;
    cp /tmp/dom4j-1.5.jar /opt/zimbra/lib/jars/dom4j-1.5.jar;
    cp /tmp/dom4j-1.5.jar /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar;
    3. [Perform commands as root, sudo] Ensure that the jar files are owned by the zimbra user:

    Code:
    chown zimbra:zimbra /opt/zimbra/lib/jars/dom4j-1.5.jar
    chown zimbra:zimbra /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar
    4. [Perform command as zimbra] Start the ZCS server. As the zimbra user, run zmcontrol start:
    Code:
    zmcontrol start


    ZCS Version 6.0.x


    1. [Perform command as zimbra] Stop the ZCS server. As the zimbra user, run zmcontrol stop:
    Code:
    zmcontrol stop
    2. [Perform commands as root, sudo] Use the script below to download the updated jar file and move the existing jar files to another directory, then replace them with the patched jar file:

    Code:
    cd /tmp;
    curl -O http://files.zimbra.com/downloads/security/dom4j-1.5.2.jar;
    mkdir /opt/zimbra/save-07012009/;
    mv /opt/zimbra/lib/jars/dom4j-1.5.2.jar /opt/zimbra/save-07012009/dom4j-1.5.2-lib.jar;
    mv /opt/zimbra/jetty-6.1.15/common/lib/dom4j-1.5.2.jar /opt/zimbra/save-07012009/dom4j-1.5.2-common.jar;
    cp /tmp/dom4j-1.5.2.jar /opt/zimbra/lib/jars/dom4j-1.5.2.jar;
    cp /tmp/dom4j-1.5.2.jar /opt/zimbra/jetty-6.1.15/common/lib/dom4j-1.5.2.jar;
    3. [Perform commands as root, sudo] Ensure that the jar files are owned by the zimbra user:

    Code:
    chown zimbra:zimbra /opt/zimbra/lib/jars/dom4j-1.5.2.jar;
    chown zimbra:zimbra /opt/zimbra/jetty-6.1.15/common/lib/dom4j-1.5.2.jar;
    4. [Perform command as zimbra] Start the ZCS server. As the zimbra user, run zmcontrol start:
    Code:
    zmcontrol start
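    The three version-specific procedures above all come down to the same outcome: the patched dom4j jar sits in every directory the mailbox server and the command-line tools load classes from, it is owned by zimbra, and the old jar is gone from those directories rather than merely renamed. The POSIX shell helper below is an added example, not part of the Zimbra advisory or of the ZCS tools, that checks exactly that after step 4. It compares each installed jar's checksum against the downloaded file, checks ownership, and flags any other dom4j file left under the install root outside the save directory. The jar paths in the demo are the advisory's 5.0.x layout; for 4.x or 6.0.x pass that section's paths as the TARGET arguments. The function names, the checksum comparison and the sample directory tree are this example's own and are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Zimbra advisory): verify the dom4j jar patch.

# Print the checksum of a file (POSIX cksum, first field).
jar_sum() {
    cksum "$1" | cut -d' ' -f1
}

# verify_dom4j_patch ROOT SAVE_DIR PATCHED_JAR OWNER TARGET...
#   ROOT        install root (/opt/zimbra on a real server)
#   SAVE_DIR    directory the old jars were moved to, under ROOT
#   PATCHED_JAR the downloaded jar to compare against (e.g. /tmp/dom4j-1.5.jar)
#   OWNER       expected owner of the installed jars (zimbra)
#   TARGET...   installed jar paths relative to ROOT, from the advisory's list
# Returns 0 when every check passes, 1 otherwise; one line per failure.
verify_dom4j_patch() {
    root="$1"; save="$2"; patched="$3"; owner="$4"
    shift 4
    want=$(jar_sum "$patched")
    rc=0
    for rel in "$@"; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; rc=1; continue
        fi
        if [ "$(jar_sum "$f")" != "$want" ]; then
            echo "UNPATCHED $f (checksum differs from $patched)"; rc=1
        fi
        # find -user prints the path only when the owner matches.
        if [ -z "$(find "$f" -user "$owner" 2>/dev/null)" ]; then
            echo "BADOWNER  $f (not owned by $owner)"; rc=1
        fi
    done
    # Any dom4j file outside SAVE_DIR whose content is not the patched build
    # is a leftover; a renamed copy (dom4j-1.5.jar.old) is caught as well,
    # which is why the advisory says to move, not rename, the old jars.
    for f in $(find "$root" -type f -name 'dom4j*' ! -path "$save/*"); do
        if [ "$(jar_sum "$f")" != "$want" ]; then
            echo "STALE     $f"; rc=1
        fi
    done
    return $rc
}

# build_sample_tree DIR: constructed sample layout mirroring the 5.0.x paths
# (not a real install): patched jar in tmp/ and both class-loading
# locations, the vulnerable jar moved into the save directory.
build_sample_tree() {
    base="$1"
    mkdir -p "$base/tmp" "$base/zimbra/lib/jars" \
             "$base/zimbra/jetty-6.1.5/common/lib" "$base/zimbra/save-07012009"
    printf 'constructed: patched dom4j build\n' > "$base/tmp/dom4j-1.5.jar"
    printf 'constructed: vulnerable dom4j build\n' \
        > "$base/zimbra/save-07012009/dom4j-1.5-lib.jar"
    cp "$base/tmp/dom4j-1.5.jar" "$base/zimbra/lib/jars/dom4j-1.5.jar"
    cp "$base/tmp/dom4j-1.5.jar" "$base/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar"
}

# Stand-alone demo on the constructed tree: ./verify.sh --demo
if [ "${1:-}" = "--demo" ]; then
    T=$(mktemp -d)
    build_sample_tree "$T"
    verify_dom4j_patch "$T/zimbra" "$T/zimbra/save-07012009" "$T/tmp/dom4j-1.5.jar" \
        "$(id -un)" lib/jars/dom4j-1.5.jar jetty-6.1.5/common/lib/dom4j-1.5.jar \
        && echo "patch verified"
    rm -rf "$T"
fi
```

    On a real server run it as root after step 4 with ROOT=/opt/zimbra, SAVE_DIR=/opt/zimbra/save-07012009, PATCHED_JAR=/tmp/dom4j-1.5.jar (or dom4j-1.5.2.jar on 6.0.x) and OWNER=zimbra. The STALE check is the one that catches the failure mode the note above warns about: an old jar that was renamed in place still matches dom4j* and still differs from the patched checksum, so it is reported even though the expected paths look correct.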



    ISSUE HISTORY & PROCEDURES

    Yesterday, Zimbra notified the Zimbra Forum moderators as well as our Network Edition customers prior to posting the issue in these forums, to give larger customers additional time to patch their systems before an announcement was made. If you are a customer and did not receive a notification, please contact your account representative so that we can ensure you receive these in the future.

    Zimbra takes the security of our users and their servers very seriously, and appreciates your patience and understanding. As a matter of Zimbra policy, all potential security issues that are the result of vulnerabilities or exploits are immediately moderated until Zimbra support can verify their authenticity and develop a proper course of action to protect users. All posts and threads on this issue are now un-moderated and have been merged here for search result accuracy.

    For more information on security reporting, please review our wiki page Reporting Security Issues (Zimbra :: Wiki). Potential security issues should also be reported to security@zimbra.com.

    If you have questions, feel free to post in our forums, or send a private message to any moderator. Zimbra customers should also use the to ask for help by filing tickets.


    We also wish to thank your moderator team, who allowed us to prepare to notify you and keep our forums secure. Their service is invaluable.



    ZCS BINARY UPDATES:

    Please note that early next week new versions of ZCS Open Source and Network Edition will be available; they will contain this patch plus additional bug fixes, security fixes and feature enhancements. We do not advise waiting until then to apply this current patch.

    -Zimbra Team
    Last edited by jholder; 07-06-2009 at 10:55 AM.
