Critical Security Advisory and Patch for OpenSSL Heartbleed Vulnerability
Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:
Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.
Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference: https://www.zimbra.com/forums/announ...-84547-a.html], so please upgrade to a secure version first, then run this patch.
The patch is located here:
The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
- ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
- ZCA versions 8.0.3 or 8.0.4
Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.
Please note: this vulnerability is reported as having existed, and as having been actively attacked, since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended that you regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.
Also, please note: if you upgrade to a GA release after patching, you will need to re-patch. For example, if you install this patch on ZCS 8.0.6 and then upgrade to ZCS 8.0.7, you will need to re-patch against 8.0.7.
Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:
- RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected
- SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected
The steps to patch are the following:
1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh
   [Generates the following output]
   Downloading patched openssl
   Validating patched openssl: success
   Backing up old openssl: complete
   Installing patched openssl: complete
   OpenSSL patch process complete.
   Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol
(as user zimbra)
4) su - zimbra
5) zmcontrol restart
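The following check script is an added example, not part of the Zimbra advisory or the updater: it classifies an `openssl version` line as vulnerable, fixed or not affected using the version ranges the advisory describes, then reports both the OpenSSL bundled under /opt/zimbra (the path /opt/zimbra/openssl/bin/openssl is assumed and can be overridden with ZIMBRA_OPENSSL) and the OS-level openssl, which the Zimbra patch does not touch.

```shell
#!/bin/sh
# Added example (not Zimbra's code). Heartbleed exposure check for a ZCS node:
# the bundled OpenSSL and the OS-level OpenSSL are separate binaries and must
# both be verified, since the Zimbra patch only replaces the one in /opt/zimbra.

# Takes a full `openssl version` line and prints one of:
#   vulnerable | fixed | not-affected | unknown
heartbleed_status() {
    ver=${1#OpenSSL }            # drop the leading "OpenSSL "
    ver=${ver%% *}               # "1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo vulnerable ;;   # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)               echo fixed ;;        # 1.0.1g removed the bug
        1.0.2-beta1*)              echo vulnerable ;;   # only this 1.0.2 pre-release
        1.0.2*|1.1.*|3.*)          echo fixed ;;
        0.9.*|1.0.0*)              echo not-affected ;; # no TLS heartbeat code
        *)                         echo unknown ;;      # not an OpenSSL string
    esac
}

# Report one binary: $1 = label, $2 = path. A missing binary is reported, not fatal.
report_binary() {
    if [ -x "$2" ]; then
        line=$("$2" version 2>/dev/null || true)
        printf '%-15s %-40s %s\n' "$1" "$line" "$(heartbleed_status "$line")"
    else
        printf '%-15s %s not found\n' "$1" "$2"
    fi
}

# ZIMBRA_OPENSSL is an assumed location of the bundled binary; override if needed.
# A "vulnerable" verdict for the bundled binary means the Zimbra patch is still
# needed on this node. For the OS-level binary the version string alone is not
# conclusive: RHEL and Ubuntu backport fixes without changing it, so confirm a
# "vulnerable" OS verdict against the package changelog (rpm -q --changelog openssl).
check_host() {
    report_binary "zimbra-bundled" "${ZIMBRA_OPENSSL:-/opt/zimbra/openssl/bin/openssl}"
    report_binary "os-level" "$(command -v openssl || echo /usr/bin/openssl)"
}

check_host
```

Run it as root on every ZCS node before and after applying zmopenssl-updater.sh; the proxy, MTA and LDAP nodes are the ones that matter most.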
If you don’t have Internet access, manually installing the patch would require the following steps:
Please let Zimbra know promptly if you have any problems or questions.