Zimbra has issued an update on the potential security risk found in versions 4.5 and earlier. MxToolBox recommends that all Zimbra users read the below notification and make the recommended changes.
Greetings,
This is a follow-up communication after yesterday’s initial security alert and contains additional information and resources for ZCS Network Edition and Open Source Edition users.
DESCRIPTION
Those who did not view the first alert should know Zimbra has been made aware of a potentially critical security vulnerability in Zimbra Collaboration Suite. All released versions of ZCS Network Edition and Open Source Edition are impacted.
This vulnerability allows unauthorized, remote access to files that are readable by the “zimbra user” account on the ZCS Mailbox Server (also known as mailbox service, “mailboxd”, or “tomcat” on versions 4.5 and earlier).
SOLUTION
A patch file has been provided already (see below); it does not require you to fully upgrade your Zimbra server, and if you have multiple servers, the patch needs to be applied to all servers running the ZCS Mailbox Server (“mailboxd”).
This is a critical vulnerability and we recommend all customers patch their systems immediately if not already done.
We would like to thank Hubert Seiwert, as well as John Stamatakis and Arjun Pednekar, for the discovery and reporting of the vulnerability.
LATEST PATCH FILE AND INSTALLATION INFORMATION
Zimbra customers should go to the Zimbra Support Portal for the latest installation instructions and patch file downloads. Customers can also create support tickets in the Portal if they need help or require more information from Zimbra.