ZCS Security Vulnerability Alert
We have recently discovered a possible vulnerability with Zimbra's Tomcat install. To prevent any possible vulnerability on your system we recommend that you follow the steps below to remove the host-manager and manager webapps from the Zimbra Tomcat install.
A remote, unauthenticated attacker may be able to deploy arbitrary code with user level privileges on a vulnerable system. ZCS 4.0.0 and greater are affected.
ZCS 4.5.5 will include the fix for this issue.
Check if you have the manager installed:
Move the server/webapps to a backup dir:
mv /opt/zimbra/tomcat/server/webapps/ /opt/zimbra/tomcat/server/webapps_old
Network Edition Customers: If you have any questions or would like assistance please contact Zimbra Support via the Support Portal.
su - zimbra
Open Source Users: If you have any questions or comments, please confine them to this thread. You may also pvt me(jholder), KevinH, Phoenix or any of our moderators with any security related questions.
To Léo Goehrs from Alionis.net for alerting us to this issue.
Zimbra takes security very seriously. If you ever believe that you have a security issue with Zimbra, you should always report it to a Zimbra Employee, rather than posting it in the forums.
The Zimbra Forums Team