Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Thu Oct 16, 2014 7:13 am


Yesterday Google engineers published details of a vulnerability in SSLv3 called POODLE (Padding Oracle On Downgraded Legacy Encryption). In Google's words (you can click the image to view the entire Google PDF about the issue):


 "SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."



The Zimbra team was working hard yesterday after the Google announcement, and we wrote a Wiki page to fix this issue in Zimbra Collaboration 7.x, 8.0.x and 8.x. The Wiki page is in constant evolution, and we will provide more information or steps once we have tested them. Please click here to go to the Wiki page.


UPDATE 10/17/2014: Zimbra Official Blog article about POODLE - http://community.zimbra.com/zblogs/b/teamblog/archive/2014/10/16/poodle-and-sslv3


UPDATE 10/18/2014: The Wiki page for the POODLE vulnerability was updated with more information about POP3S and IMAPS: for now you can disable them if you have the Proxy service enabled; if not, securing the HTTPS protocol is enough. SSLv3 will be deprecated in future releases. Please stay tuned for new information in the Wiki article.


Update 10/22/2014: Partial fix for our customers and users running the 7.x version; please go to the Wiki article and take a look.




Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
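A verification check for the advice in the post above (secure HTTPS first, then POP3S and IMAPS), written as an added example that is not part of this post or of the Zimbra wiki: it sends a bare SSLv3 ClientHello to each service and reports whether the server still answers with an SSLv3 ServerHello or refuses with an alert or a closed connection. The host name is a constructed placeholder; the ports are the standard ones for the three services. It uses only the Python standard library, so it works even where the local OpenSSL build has SSLv3 compiled out and `openssl s_client -ssl3` is no longer available.

```python
"""Probe whether a TLS endpoint still negotiates SSLv3 (the POODLE precondition).

Added example, not from the forum post or the Zimbra wiki. It sends a minimal,
well-formed SSLv3 ClientHello and classifies the first record the server sends
back. The host name in __main__ is a constructed placeholder.
"""
import os
import socket
import struct

# Classic cipher suites every SSLv3 stack understood; the server only has to pick one.
SSLV3_CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

SSLV3 = b"\x03\x00"  # protocol version bytes for SSL 3.0


def build_sslv3_client_hello() -> bytes:
    """Return a complete SSLv3 ClientHello wrapped in a handshake record."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3                                      # client_version
        + os.urandom(32)                           # client random
        + b"\x00"                                  # empty session id
        + struct.pack("!H", len(suites)) + suites  # cipher suite list
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version, 2-byte length.
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first record a server returns to a human-readable verdict."""
    if not data:
        return "rejected: connection closed without a reply"
    record_type = data[0]
    if record_type == 0x15 and len(data) >= 7:          # alert record
        level, desc = data[5], data[6]
        return f"rejected: alert level={level} description={desc}"
    if record_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        server_version = data[9:11]
        if server_version == SSLV3:
            return "accepted: server negotiated SSLv3 (still exposed to POODLE)"
        return f"unexpected: ServerHello with version {server_version.hex()}"
    return f"unexpected: record type 0x{record_type:02x}"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""  # a reset or silence counts as a refusal
    return classify_response(reply)


if __name__ == "__main__":
    host = "mail.example.com"  # constructed placeholder: use your own Zimbra host
    for name, port in (("HTTPS", 443), ("IMAPS", 993), ("POP3S", 995)):
        try:
            print(f"{name} ({port}): {probe(host, port)}")
        except OSError as exc:
            print(f"{name} ({port}): could not connect ({exc})")
```

Run it from an admin host against your own server after applying the wiki steps; every line should read "rejected". The classifier is kept apart from the socket code so the verdict logic can be checked on captured bytes without a live server.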
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

Postby metux » Fri Oct 24, 2014 5:08 am

Wait a minute ... you're _seriously_ telling users to download / replace core files - completely outside the package management (therefore corrupting the system integrity) and even over http?!



Just to get it straight: fetch a security update via a _completely_ insecure channel !



*FACEPALM*
liverpoolfcfan
Outstanding Member
Posts: 916
Joined: Sat Sep 13, 2014 12:47 am

Postby liverpoolfcfan » Fri Oct 24, 2014 6:54 am

For ZCS 7.x "General recommendation is to use the nginx proxy on all ZCS sites, even single-server platform." - This has never been the general recommendation. In fact we were always told not to install it for standalone servers.



Is this now being recommended for all installations?



And if so, what is the procedure to add nginx onto an existing 7.x standalone server?



Do we need to run an "upgrade install" to the same version, and install Proxy? Memcached? - and are the basic configuration changes to allow Zimbra to work through the proxy handled automatically by that "upgrade"?
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Fri Oct 24, 2014 1:23 pm

Hi liverpoolfcfan,


We will fix this entire issue in Zimbra Collaboration 8.6, which is coming soon; more information here - https://bugzilla.zimbra.com/show_bug.cgi?id=96040


Also, here is a good explanation of the Proxy service, with some recommendations for using it even in single-node environments; take a look - http://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide


For now, in 7.x and 8.0.x, if you want to fix the bug in POP3S and IMAPS: for now no security issue affects these protocols; I mean, it is not totally secure, but what is?


For installing the Proxy in an existing version 7 environment, I am looking for good steps and will share them with you soon.



Best regards

Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
phoenix
Ambassador
Posts: 26243
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Sat Oct 25, 2014 2:40 pm

The links in your post don't go anywhere unless they're copied & pasted.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Sat Oct 25, 2014 2:49 pm

Fixed, thank you. I used the regular TinyMCE advanced editor, but for some reason it didn't work.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
phoenix
Ambassador
Posts: 26243
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Postby phoenix » Sun Oct 26, 2014 2:04 am

While I've got your attention, you might also like to get rid of this spam(mer) from the forums.

Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
jorgedlcruz
Zimbra Alumni
Posts: 2769
Joined: Thu May 22, 2014 4:47 pm

Postby jorgedlcruz » Sun Oct 26, 2014 6:08 am

Thank you phoenix,

We'll check, best regards.
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

Postby metux » Mon Oct 27, 2014 2:27 am

[quote]

For ZCS 7.x "General recommendation is to use the nginx proxy on all ZCS sites, even single-server platform." - This has never been the general recommendation. In fact were always told not to install it for standalone servers.

[/quote]



From a sw architect pov, I'd think about making the proxy a core component (even for single-node installs) and moving more things, e.g. caching, SSL/cert handling, there - mailboxd then would just talk plain HTTP or fcgi. That way we would get rid of yet another difference between single and multinode mode (in singlenode mode, the mailboxd has to do SSL, while in multinode mode it's not required).
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

Postby metux » Mon Oct 27, 2014 2:30 am

[quote]

We will fix this entire issue in Zimbra Collaboration 8.6 that is coming soon, here more information - https://bugzilla.zimbra.com/show_bug.cgi?id=96040

[/quote]





There's yet another bug in your forum software: it points that linked text to:



http://community.zimbra.com/collaboration/f/1884/p/1578932/editpost/



instead of:



https://bugzilla.zimbra.com/show_bug.cgi?id=96040



So, clicking on that link sends us to a page in the forum, telling "access denied".
