
Updating OpenSSL for Zimbra 8.0.7.GA.6021 Network Edition

Posted: Mon Jan 04, 2016 1:49 pm
by mhlevy

Hi All,


Please let me begin by saying I am in no way any sort of an Open Source "expert," and can barely make my way around Linux, though I do try to learn as I go along. My company is currently running Zimbra "Release 8.0.7.GA.6021.UBUNTU12.64 UBUNTU12_64 NETWORK edition, Patch 8.0.7_P2," and while we have plans to update Zimbra to v8.6 a bit later on this year, we just went through a security audit, and we were severely "dinged" for SSL issues, including:


High:
OpenSSL 'ChangeCipherSpec' MiTM Vulnerability:  CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470

Medium:
SSL Version 2 and 3 Protocol Detection
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST): CVE-2011-3389
SSL RC4 Cipher Suites Supported (Bar Mitzvah): CVE-2013-2566, CVE-2015-2808
SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE): CVE-2014-3566

Low:
SSL Anonymous Cipher Suites Supported: CVE-2007-1858

We're running the distribution of OpenSSL that was installed by Zimbra (though I do recall installing some patches), so our version of OpenSSL is "OpenSSL 1.0.1f 6 Jan 2014."


Is there any way to update OpenSSL to a more "modern" version of OpenSSL, without upgrading Zimbra? I have found and read a number of posts regarding "zmopenssl-updater.sh," but am I correct in the belief that the script only performs updates that have already been completed?


As I mentioned, we will be upgrading Zimbra beginning later this year (probably around summer), but is there any way to mitigate the SSL issues that have been presented to us by our auditors to hold us over until then?



Thanks in advance,


Mark Levy
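The audit findings in the post above are mostly configuration issues (SSLv3 enabled, RC4 and anonymous suites offered, CBC suites reachable under TLS 1.0) rather than OpenSSL version issues. The following is an added example, not code from the post or from Zimbra: it parses `openssl ciphers -v` style output (the sample lines are constructed, not captured from a Zimbra server) and reports which of the listed findings a given cipher list and protocol set would still trigger, then strips the RC4 and anonymous suites to produce a cleaned cipher string you can compare against the auditor's re-scan. The BEAST check is a heuristic based on CBC suites being reachable under SSLv3/TLS 1.0.

```python
import re

# Constructed sample of `openssl ciphers -v` output for a weak configuration.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
"""

# One `openssl ciphers -v` line: NAME PROTO Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into a list of suite dicts."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, proto, kx, au, enc, mac = m.groups()
            suites.append({"name": name, "proto": proto, "kx": kx,
                           "au": au, "enc": enc, "mac": mac})
    return suites

def audit(suites, protocols):
    """Return the findings from the post that still apply to this cipher list
    and enabled protocol set (e.g. {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})."""
    findings = set()
    if protocols & {"SSLv2", "SSLv3"}:
        findings.add("SSL Version 2 and 3 Protocol Detection")
    if "SSLv3" in protocols:
        findings.add("POODLE (CVE-2014-3566)")
    if any(s["enc"].startswith("RC4") for s in suites):
        findings.add("RC4 Cipher Suites Supported (CVE-2013-2566, CVE-2015-2808)")
    if any(s["au"] == "None" for s in suites):  # aNULL / ADH / AECDH suites
        findings.add("Anonymous Cipher Suites Supported (CVE-2007-1858)")
    # Heuristic: non-AEAD, non-RC4 suites are CBC; BEAST needs SSLv3/TLS1.0.
    cbc = [s for s in suites if s["mac"] != "AEAD" and not s["enc"].startswith("RC4")]
    if cbc and (protocols & {"SSLv3", "TLSv1"}):
        findings.add("BEAST (CVE-2011-3389): CBC suites reachable under SSLv3/TLS1.0")
    return findings

def harden(suites):
    """Drop RC4 and anonymous suites; returns the remaining suites in order."""
    return [s for s in suites
            if not s["enc"].startswith("RC4") and s["au"] != "None"]

def cipher_string(suites):
    """Render suites as an OpenSSL cipher-list string (colon separated)."""
    return ":".join(s["name"] for s in suites)
```

Feeding the output of a real `openssl ciphers -v '<your cipher string>'` run into `parse_ciphers_v` lets you check a proposed cipher list before applying it.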