Updating OpenSSL for Zimbra 8.0.7.GA.6021 Network Edition

mhlevy
Advanced member
Posts: 59
Joined: Sat Sep 13, 2014 2:09 am
Location: Overland Park, KS USA
ZCS/ZD Version: Release 8.6.0.GA.1153.UBUNTU12.64 U


Postby mhlevy » Mon Jan 04, 2016 1:49 pm

Hi All,


Please let me begin by saying I am in no way any sort of an Open Source "expert," and can barely make my way around Linux, though I do try to learn as I go along. My company is currently running Zimbra "Release 8.0.7.GA.6021.UBUNTU12.64 UBUNTU12_64 NETWORK edition, Patch 8.0.7_P2," and while we have plans to update Zimbra to v8.6 a bit later on this year, we just went through a security audit, and we were severely "dinged" for SSL issues, including:


High:
OpenSSL 'ChangeCipherSpec' MiTM Vulnerability:  CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470

Medium:
SSL Version 2 and 3 Protocol Detection
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST): CVE-2011-3389
SSL RC4 Cipher Suites Supported (Bar Mitzvah): CVE-2013-2566, CVE-2015-2808
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE): CVE-2014-3566

Low:
SSL Anonymous Cipher Suites Supported: CVE-2007-1858

We're running the distribution of OpenSSL that was installed by Zimbra (though I do recall installing some patches), so our version of OpenSSL is "OpenSSL 1.0.1f 6 Jan 2014."


Is there any way to update OpenSSL to a more "modern" version of OpenSSL, without upgrading Zimbra? I have found and read a number of posts regarding "zmopenssl-updater.sh," but am I correct in the belief that the script only performs updates that have already been completed?


As I mentioned, we will be upgrading Zimbra, beginning later this year (probably around summer), but is there any way to mitigate the SSL issues that have been presented to us by our auditors to hold us over until then?

Thanks in advance,


Mark Levy
________________________
Network Administrator
Overland Park, KS, USA
Release 8.6.0.GA.1153.UBUNTU12.64 UBUNTU12_64 NETWORK edition, Patch 8.6.0_P6.
