Zimbra Security Vulnerability Report Update: July 2, 2009

Zimbra has issued an update on the potential security risk found in versions 4.5 and earlier. MxToolBox recommends that all Zimbra users read the notification below and make the recommended changes.

Follow up message
Zimbra: the leader in next-generation messaging and collaboration
Greetings,

This is a follow-up communication after yesterday’s initial security alert and contains additional information and resources for ZCS Network Edition and Open Source Edition users.

DESCRIPTION

Those who did not view the first alert should know Zimbra has been made aware of a potentially critical security vulnerability in Zimbra Collaboration Suite. All released versions of ZCS Network Edition and Open Source Edition are impacted.

This vulnerability allows unauthorized, remote access to files that are readable by the “zimbra user” account on the ZCS Mailbox Server (also known as mailbox service, “mailboxd”, or “tomcat” on versions 4.5 and earlier).

SOLUTION

A patch file has been provided already (see below); it does not require you to fully upgrade your Zimbra server, and if you have multiple servers, the patch needs to be applied to all servers running the ZCS Mailbox Server (“mailboxd”).

This is a critical vulnerability and we recommend all customers patch their systems immediately if not already done.

We would like to thank Hubert Seiwert, as well as John Stamatakis and Arjun Pednekar, for the discovery and reporting of the vulnerability.

LATEST PATCH FILE AND INSTALLATION INFORMATION

Zimbra customers should go to the Zimbra Support Portal for the latest installation instructions and patch file downloads. Customers can also create support tickets in the Portal if they need help or require more information from Zimbra.

https://support.zimbra.com
(please copy-and-paste this URL into your browser)

Contact your Zimbra sales representative if you do not have Support Portal access set up (sales@zimbra.com).

Customers and community members may visit the Zimbra Forums for similar download information and updated instructions.

http://www.zimbra.com/forums/announcements/30754-criticalsecurityissue.html
(please copy-and-paste this URL into your browser)

Sincerely,

The Zimbra Support Team

