Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

20140606: Zimbra Security Advisory on CVE-2014-0224 (CCS Injection Vulnerability)

On June 5, 2014 the OpenSSL project released a security advisory. CVE-2014-0224 can allow for a man-in-the-middle (MITM) attack to be carried out between a vulnerable client and vulnerable server. It is also important to note that Zimbra does not use DTLS nor do we have SSL_MODE_RELEASE_BUFFERS enabled.

The impact to Zimbra Collaboration Server is as follows:

  • ZCS 6 is not affected
  • ZCS 7 is not affected
  • ZCS 8 is affected

Specifically, nginx, postfix and OpenLDAP all link to OpenSSL shipped in ZCS8. Other components in the ZCS package also link to the openssl libraries, but the above three are the potentially Internet-facing services that would be attackable. All versions of ZCS8 as released today are vulnerable. ZCS7 is not vulnerable because it uses OpenSSL 1.0.0, which is not vulnerable.

If you are running a version prior to 8.0.3, your server is susceptible to other critical security vulnerabilities [reference: https://www.zimbra.com/forums/announcements/68752-urgency-security-fixes-bug-80338-bug-84547-a.html]. Please upgrade to a newer version first, then run this patch.

Zimbra has produced a patch for OpenSSL vulnerabily for versions 8.0.3 to 8.0.7. The patch downloads the correct and patched version of OpenSSL for the following versions and then installs the new package:

  • ZCS versions 8.0.3, 8.0.4, 8.0.5, 8.0.6, or 8.0.7
  • ZCA versions 8.0.3 or 8.0.4

The following patch instructions must be done on a per server basis:

  • As zimbra user:
zmcontrol stop
  • As root:
cd /tmp
wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
chmod a+rx zmopenssl-updater.sh
./zmopenssl-updater.sh
  • As zimbra user:
zmcontrol start

After a successful patch, ZCS 8.0.7 will be running 1.0.1h. To verify this, run the following as zimbra user:

openssl version

On an 8.0.7 patched system the result should be:

zimbra$ openssl version
OpenSSL 1.0.1h 5 Jun 2014

Earlier versions of ZCS will show other versions of OpenSSL - Zimbra patches the existing OpenSSL version appropriate to each ZCS version.

Continue to the next server and repeat the patch process.

Internet access from each node is required to run this patch automatically. The patch should be installed on all ZCS nodes, most importantly the proxies, MTAs and LDAP nodes.

Also, please note: if you upgrade to a GA release after patching, you would need to re-patch. For example, if you install this patch on ZCS 8.0.6, then upgrade to ZCS 8.0.7, you would need to re-patch against 8.0.7.

Finally, please note that the various Operating Systems are also vulnerable to this issue. The Zimbra patch will not update OS-level openssl libraries. It only updates the openssl package in /opt/zimbra.