Thread: 20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

    20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)
    On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.

    The impact to Zimbra Collaboration Server is as follows:

    • ZCS 6 is not affected
    • ZCS 7 is not affected
    • ZCS 8 is affected

    Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.

    If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference:]. Please upgrade to a newer version first, then run this patch.

    Zimbra has produced a patch for the OpenSSL vulnerability for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

    • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
    • ZCA versions 8.0.3 or 8.0.4

    The following patch instructions must be done on a per-server basis:

    • As zimbra user:

        zmcontrol stop

    • As root:

        cd /tmp
        chmod a+rx

    • As zimbra user:

        zmcontrol start

    After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:

        openssl version

    On an 8.0.7 patched system the result should be:

        zimbra$ openssl version
        OpenSSL 1.0.1h 5 Jun 2014

    Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.

    Continue to the next server and repeat the patch process.

    Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

    Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

    Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.
    Last edited by thom; 06-07-2014 at 05:58 PM.
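As an added example that is not part of the advisory or of Zimbra's patch: a POSIX sh check that parses a line of `openssl version` output and confirms a ZCS 8 node reports at least 1.0.1h, the release that fixes CVE-2014-0224 on the 1.0.1 branch the advisory names. The sample output lines are constructed, the function names are assumptions, and on a live node you would feed it `$(openssl version)` run as the zimbra user.

```shell
#!/bin/sh
# Added example, not Zimbra's code. Verifies the post-patch state the
# advisory describes: the OpenSSL in /opt/zimbra must be >= 1.0.1h on ZCS 8.
# Assumes the 1.0.1 branch; other branches have different fixed letters.

# Map an OpenSSL version such as "1.0.1h" to a comparable integer:
# major*1000000 + minor*10000 + patch*100 + index of the patch letter
# ('a' = 1 ... 'h' = 8; no letter = 0). Anything after the letter is ignored.
openssl_version_num() {
    ver=$1
    num=${ver%%[a-z]*}                 # "1.0.1"
    letter=${ver#"$num"}               # "h", or empty for a bare "1.0.1"
    idx=0
    if [ -n "$letter" ]; then
        idx=$(( $(printf '%d' "'$letter") - 96 ))
    fi
    oldIFS=$IFS; IFS=.
    set -- $num                        # split "1.0.1" into 1 0 1
    IFS=$oldIFS
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + idx ))
}

# Pull the version token out of "OpenSSL 1.0.1h 5 Jun 2014"; fail on
# anything that does not look like `openssl version` output.
openssl_version_from_output() {
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1
    echo "$2"
}

# Return 0 when the output line shows a version >= the minimum (default 1.0.1h).
ccs_patched() {
    output=$1; minimum=${2:-1.0.1h}
    ver=$(openssl_version_from_output "$output") || return 1
    [ "$(openssl_version_num "$ver")" -ge "$(openssl_version_num "$minimum")" ]
}

# Constructed sample lines (not captured from a real system).
# On a ZCS node the live check is:  ccs_patched "$(openssl version)"
for line in 'OpenSSL 1.0.1h 5 Jun 2014' 'OpenSSL 1.0.1e 11 Feb 2013'; do
    if ccs_patched "$line"; then
        echo "patched   : $line"
    else
        echo "VULNERABLE: $line"
    fi
done
```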
