
Re: HeartBleed, Zimbra 8.0.6 (and other versions likely) vulnerable.



Thanks for the update!

On Apr 8, 2014 12:46 PM, Thom O'Connor <thom@zimbra.com> wrote:

Hello Hied-Admins,

Please do NOT use the manual method described in the previous post to this list. Using the OS version of OpenSSL in ZCS can produce instability.

Please use this method of patching instead:
https://www.zimbra.com/forums/announcements/70921-critical-security-advisory-patch-openssl-heartbleed-vulnerability.html

Critical Security Advisory and Patch for OpenSSL Heartbleed Vulnerability

Zimbra Collaboration Server 8 is susceptible to the OpenSSL Heartbleed bug:

* http://heartbleed.com
* https://www.openssl.org/news/secadv_20140407.txt
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Specifically, nginx, postfix and OpenLDAP all link directly to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable. Only OpenSSL 1.0.1 and later are reported as being vulnerable.

Zimbra has produced an OpenSSL patch for versions 8.0.3 to 8.0.7. If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html], so you would need to upgrade to a secure version first, then run this patch.

The patch is located here:
http://files.zimbra.com/downloads/security/zmopenssl-updater.sh

The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:
* ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
* ZCA versions 8.0.3 or 8.0.4

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Please note: this vulnerability is being reported as having existed and been actively attacked since 2012. As such, the private SSL keys for your platform may already have been compromised. After patching, it is recommended to regenerate your SSL certificates and private keys. This is unfortunate, but it is the only way to ensure that an attacker cannot decrypt your SSL session data.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue if running OpenSSL 1.0.1. The Zimbra patch will not update OS-level openssl libraries - it only updates the openssl package in /opt/zimbra. For example:
* RHEL6_64 and UBUNTU12_64 both use OpenSSL 1.0.1 at the OS level and are affected
* SLES11_64 and UBUNTU10_64 use OpenSSL 0.9.8 at the OS level, so are not affected

Patching

The steps to patch are the following:

(as root)
1) wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh
 
 ---------------------
 [Generates the following output]
 Downloading patched openssl
 Validating patched openssl: success
 Backing up old openssl: complete
 Installing patched openssl: complete
 OpenSSL patch process complete.
 Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol
 restart
 ---------------------

(as user zimbra)
4) su - zimbra
5) zmcontrol restart

Manual Patching

If you don’t have Internet access, manually installing the patch would require the following steps:

1) Download the appropriate openssl build:

(as root)
cd /tmp
wget the correct version, from this list:
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz

The MD5 files are also available for verification purposes, here:
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/RHEL6_64/openssl-1.0.1d.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/SLES11_64/openssl-1.0.1d.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU10_64/openssl-1.0.1d.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.3_GA/openssl/UBUNTU12_64/openssl-1.0.1d.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.4_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.5_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/RHEL6_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/SLES11_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU10_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.6_GA/openssl/UBUNTU12_64/openssl-1.0.1e.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/RHEL6_64/openssl-1.0.1f.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/SLES11_64/openssl-1.0.1f.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU10_64/openssl-1.0.1f.tgz.md5sum
* http://files.zimbra.com/downloads/8.0.7_GA/openssl/UBUNTU12_64/openssl-1.0.1f.tgz.md5sum

(as root)
2) cd /opt/zimbra
3) mv openssl-OLDVERSION openssl-OLDVERSION.brokenheart
4) tar xfz /tmp/openssl-NEWVERSION.tgz

(as user zimbra)
5) su - zimbra
6) zmcontrol restart

Please let Zimbra know promptly if you have any problems or questions.

----- Original Message -----
> From: "Nathan" <lagern@lafayette.edu>
> To: "zimbra-hied-admins" <zimbra-hied-admins@sfu.ca>
> Sent: Tuesday, April 8, 2014 9:24:21 AM
> Subject: Re: HeartBleed, Zimbra 8.0.6 (and other versions likely) vulnerable.
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> In my dev environment, this fixes postfix as well.
> 
> 
> On 04/08/2014 11:16 AM, Nathan wrote:
> > Update.
> > 
> > on RHEL6 previous to 6.5, you need to apply the RedHat
> > openssl-1.0.1e-16.el6_5.7.x86_64 update from today.
> > 
> > Then do the work-around mentioned previously.
> > 
> > This also appears to affect postfix, it's worth patching there too,
> > but I have not yet tested.
> > 
> > On 04/08/2014 11:03 AM, Nathan wrote:
> >> This is a very big deal.
> > 
> >> http://heartbleed.com
> >> https://bugzilla.zimbra.com/show_bug.cgi?id=88688
> > 
> > 
> >> The work-around in comment 19 works on rhel6.5.  I'm still
> >> working on a 6.4 fix, as that's what my zimbra servers are
> >> running.
> > 
> >> This, as far as I know, only applies to the proxy servers.  I am
> >> testing against a stand-alone box now.
> > 
> >> Test your systems with:
> >> https://gist.github.com/takeshixx/10107280
> > 
> 
> - --
> - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426)
> System Administrator
> 11 Pardee Hall
> Lafayette College, Easton, PA 18042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> iEYEARECAAYFAlNEFKUACgkQsZqG4IN3sukNSQCfdqg6/RwDA1v9mu6oUHK23BOo
> w7IAn2TFJGuo1bIjJiBTmuFMTPvNn1z0
> =IHgD
> -----END PGP SIGNATURE-----
>
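As an added example, not part of this thread and not Zimbra's own zmopenssl-updater.sh: a POSIX shell rehearsal of the manual patching steps from the advisory above. It selects the tarball URL from the version/platform list, verifies the tarball's MD5 against the published .md5sum file before anything under /opt/zimbra is touched, and only then performs the rename-to-.brokenheart and extraction (steps 2 to 4). Assumptions are labelled in the code: ZIMBRA_HOME defaults to /opt/zimbra, and the .md5sum files are taken to be in ordinary md5sum output format (hash, whitespace, filename). The fixture tarball and checksum built in rehearse() are constructed here so the logic can be exercised offline and without root; zmcontrol restart as the zimbra user still follows exactly as the advisory says.

```shell
#!/bin/sh
# Added example (not Zimbra's updater): rehearse the manual Heartbleed patch
# steps with an integrity check first. Assumptions: ZIMBRA_HOME defaults to
# /opt/zimbra; the .md5sum file is in md5sum output format (hash  filename).
set -u

ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"

# Map a ZCS release and platform to the tarball URL listed in the advisory.
# Prints the URL; prints nothing and returns 1 for unsupported combinations.
zimbra_openssl_url() {
    ver="$1"; plat="$2"
    case "$ver" in
        8.0.3) ossl=1.0.1d ;;
        8.0.4|8.0.5|8.0.6) ossl=1.0.1e ;;
        8.0.7) ossl=1.0.1f ;;
        *) return 1 ;;
    esac
    case "$plat" in
        RHEL6_64|SLES11_64|UBUNTU10_64|UBUNTU12_64) ;;
        *) return 1 ;;
    esac
    printf 'http://files.zimbra.com/downloads/%s_GA/openssl/%s/openssl-%s.tgz\n' \
        "$ver" "$plat" "$ossl"
}

# Compare the tarball's MD5 with the first field of the .md5sum file.
# Returns 0 on match, 1 on mismatch, empty checksum or missing file.
verify_md5() {
    tarball="$1"; md5file="$2"
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 1
    expected=$(awk 'NR==1 {print $1}' "$md5file")
    actual=$(md5sum "$tarball" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Steps 2-4 of the manual procedure: keep the old tree under a .brokenheart
# suffix and unpack the verified tarball into the Zimbra home. Refuses to
# move anything if the checksum does not match or the old tree is absent.
stage_openssl() {
    home="$1"; tarball="$2"; md5file="$3"; oldver="$4"
    verify_md5 "$tarball" "$md5file" || { echo "checksum mismatch, aborting" >&2; return 1; }
    [ -d "$home/openssl-$oldver" ] || { echo "no openssl-$oldver under $home" >&2; return 1; }
    mv "$home/openssl-$oldver" "$home/openssl-$oldver.brokenheart" &&
        tar xzf "$tarball" -C "$home"
}

# Offline rehearsal on a throwaway directory: builds a constructed "old"
# tree and a constructed "patched" tarball plus its md5sum file, then runs
# stage_openssl against them. Sets REHEARSAL_DIR and returns the stage status.
rehearse() {
    REHEARSAL_DIR=$(mktemp -d)
    mkdir -p "$REHEARSAL_DIR/opt/zimbra/openssl-1.0.1e" "$REHEARSAL_DIR/src/openssl-1.0.1e"
    echo "old" > "$REHEARSAL_DIR/opt/zimbra/openssl-1.0.1e/MARKER"         # constructed
    echo "patched" > "$REHEARSAL_DIR/src/openssl-1.0.1e/MARKER"            # constructed
    tar czf "$REHEARSAL_DIR/openssl-1.0.1e.tgz" -C "$REHEARSAL_DIR/src" openssl-1.0.1e
    ( cd "$REHEARSAL_DIR" && md5sum openssl-1.0.1e.tgz > openssl-1.0.1e.tgz.md5sum )
    stage_openssl "$REHEARSAL_DIR/opt/zimbra" "$REHEARSAL_DIR/openssl-1.0.1e.tgz" \
        "$REHEARSAL_DIR/openssl-1.0.1e.tgz.md5sum" 1.0.1e
}

# Usage: ./stage-heartbleed-patch.sh rehearse
#        ./stage-heartbleed-patch.sh url 8.0.6 RHEL6_64
case "${1:-}" in
    rehearse) rehearse && echo "rehearsal tree: $REHEARSAL_DIR" ;;
    url) zimbra_openssl_url "${2:-}" "${3:-}" ;;
esac
```

In a real run the URL from zimbra_openssl_url and its .md5sum sibling are fetched into /tmp as root, stage_openssl is pointed at the real /opt/zimbra with the currently installed openssl-OLDVERSION, and the restart is then done as the zimbra user with zmcontrol restart, as in the advisory. The checksum gate is the point of the exercise: a tarball that does not match the published MD5 never replaces the installed library.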