
Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Thu Oct 16, 2014 7:13 am
by jorgedlcruz


Yesterday Google engineers published about a vulnerability in SSLv3 called POODLE (Padding Oracle On Downgraded Legacy Encryption). In Google's words (click the image to view the entire Google PDF about the issue):


 "SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue."
The Zimbra team was working hard yesterday after the Google announcement, and we wrote a Wiki Page to fix this issue in Zimbra Collaboration 7.x, 8.0.x and 8.x. The Wiki page is in constant evolution, and we will provide more information or steps once we have tested them. Please, click here to go to the Wiki Page.


UPDATE 10/17/2014: Zimbra Official Blog article about POODLE - http://community.zimbra.com/zblogs/b/teamblog/archive/2014/10/16/poodle-and-sslv3


UPDATE 10/18/2014: The Wiki Page for the POODLE vulnerability was updated with more information about POP3S and IMAPS. For now you can disable them if you have the Proxy Service enabled; if not, securing the HTTPS protocol is enough. SSLv3 will be deprecated in future releases. Please, stay tuned for the new information in the Wiki Article.


Update 10/22/2014: Partial fix for our customers and users that are running the 7.x version; please go to the Wiki Article and take a look.
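The Google quote above describes the downgrade: a client that is talked down to SSL 3.0 is exposed, so the defender's question is simply "does my server still accept an SSL 3.0 handshake?". The following check is an added example, not code from the original post or from Zimbra: it builds a minimal SSL 3.0 ClientHello, sends it to a port of your own server (443 for HTTPS, 993/995 for the IMAPS/POP3S services the thread mentions), and classifies the first record that comes back. A ServerHello carrying version 0x0300 means SSLv3 is still enabled; an Alert means the server refused it. The two sample responses at the bottom are constructed for offline testing.

```python
import socket
import struct

# TLS/SSL record and handshake constants (RFC 6101 for SSL 3.0)
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SSLV3 = 0x0300


def build_sslv3_client_hello(ciphers=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello that offers only SSL 3.0 (no extensions exist in SSLv3)."""
    body = struct.pack(">H", SSLV3) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + struct.pack(">I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", SSLV3, len(handshake)) + handshake


def classify_response(data):
    """Return 'sslv3_accepted', 'sslv3_rejected' or 'unknown' from the first record."""
    if len(data) < 5:
        return "unknown"
    ctype, length = data[0], struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == ALERT:                       # handshake_failure / protocol_version: SSLv3 refused
        return "sslv3_rejected"
    if ctype == HANDSHAKE and len(payload) >= 6 and payload[0] == SERVER_HELLO:
        negotiated = struct.unpack(">H", payload[4:6])[0]
        return "sslv3_accepted" if negotiated == SSLV3 else "unknown"
    return "unknown"


def check_host(host, port=443, timeout=5.0):
    """Probe one host/port of a server you administer; hypothetical helper, not a Zimbra tool."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:               # some servers just close or hang on SSLv3
            return "unknown"


# Constructed sample responses (not captured from any real server):
# a ServerHello selecting SSL 3.0 with cipher 0x002F and null compression ...
SAMPLE_ACCEPT = (bytes([HANDSHAKE]) + struct.pack(">HH", SSLV3, 42)
                 + bytes([SERVER_HELLO]) + b"\x00\x00\x26" + struct.pack(">H", SSLV3)
                 + b"\x00" * 32 + b"\x00" + struct.pack(">H", 0x002F) + b"\x00")
# ... and a fatal protocol_version (70) alert from a server with SSLv3 disabled.
SAMPLE_REJECT = bytes([ALERT]) + struct.pack(">HH", SSLV3, 2) + b"\x02\x46"
```

Run `check_host("mail.example.com", 443)` against your own server after applying the Wiki fix; "sslv3_rejected" is the result you want on every exposed port.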



Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Fri Oct 24, 2014 5:08 am
by metux
Wait a minute ... you're _seriously_ telling users to download / replace core files - completely outside of the package management (therefore corrupting the system integrity) and even over http ?!



Just to get it straight: fetch a security update via a _completely_ insecure channel !



*FACEPALM*

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Fri Oct 24, 2014 6:54 am
by liverpoolfcfan
For ZCS 7.x "General recommendation is to use the nginx proxy on all ZCS sites, even single-server platform." - This has never been the general recommendation. In fact we were always told not to install it for standalone servers.



Is this now being recommended for all installations?



And if so, what is the procedure to add nginx onto an existing 7.x standalone server?



Do we need to run an "upgrade install" to the same version, and install Proxy? Memcached? - and are the basic configuration changes to allow zimbra to work through the proxy handled automatically by that "upgrade"?

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Fri Oct 24, 2014 1:23 pm
by jorgedlcruz

Hi liverpoolfcfan,


We will fix this entire issue in Zimbra Collaboration 8.6, which is coming soon; here is more information - https://bugzilla.zimbra.com/show_bug.cgi?id=96040


Also, here you have a good explanation of the Proxy service, and some recommendations for using it even in Single-Node environments; take a look - http://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide


For now, in 7.x and 8.0.x, if you want to fix the bug in POP3S and IMAPS: for now no security issue affects these protocols. I mean, it is not totally secure, but what is?


To install the Proxy in an existing environment for version 7, I'm searching for good steps and I will share them with you soon.



Best regards


Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Sat Oct 25, 2014 2:40 pm
by phoenix
The links in your post don't go anywhere unless they're copied & pasted.

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Sat Oct 25, 2014 2:49 pm
by jorgedlcruz
Fixed, thank you. I used the regular TinyMCE advanced editor, but for some reason it didn't work.



Best regards

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Sun Oct 26, 2014 2:04 am
by phoenix

While I've got your attention, you might also like to get rid of this spam(mer) from the forums.


Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Sun Oct 26, 2014 6:08 am
by jorgedlcruz
Thank you phoenix,

We'll check, best regards.

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Mon Oct 27, 2014 2:27 am
by metux
[quote]

For ZCS 7.x "General recommendation is to use the nginx proxy on all ZCS sites, even single-server platform." - This has never been the general recommendation. In fact we were always told not to install it for standalone servers.

[/quote]



From a sw architect pov, I'd think about making the proxy a core component (even for single-node installs) and moving more things, eg. caching, SSL/cert handling, there - mailboxd then would just talk plain HTTP or fcgi. That way we would get rid of yet another difference between single and multinode mode (in singlenode mode, the mailboxd has to do SSL, while in multinode mode it's not required).

Fixing the POODLE (SSLv3) vulnerability (ZCS 7.x, ZCS 8.0.x, ZCS 8.x)

Posted: Mon Oct 27, 2014 2:30 am
by metux
[quote]

We will fix this entire issue in Zimbra Collaboration 8.6, which is coming soon; here is more information - https://bugzilla.zimbra.com/show_bug.cgi?id=96040

[/quote]

There's yet another bug in your forum software: it points that linked text to:



http://community.zimbra.com/collaboration/f/1884/p/1578932/editpost/



instead of:



https://bugzilla.zimbra.com/show_bug.cgi?id=96040



So, clicking on that link sends us to a page in the forum, telling "access denied".