Is Zimbra affected by Bash Shellshock?

bhwong
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

Post by bhwong » Mon Sep 29, 2014 5:14 am

Zimbra itself may not be vulnerable, but the Linux OS it is running on will likely have a vulnerable bash version already installed. Will this mean that the server itself is vulnerable? How can we verify if the Zimbra server is safe? As long as there are no web services running? What about SSH?



ploeger
Advanced member
Posts: 88
Joined: Thu Aug 07, 2014 8:40 am

Post by ploeger » Mon Sep 29, 2014 6:04 am

Well, you could just test out the usual Shellshock test by running:


env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

on your Zimbra server. If it says "vulnerable", you should simply update your bash version.


With that being said, I don't think that the attack vector's that big. From what I know, Zimbra's mostly far away from running bash scripts as a result of a web request.

tonster
Zimbra Employee
Posts: 312
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Post by tonster » Mon Sep 29, 2014 7:18 am

You should definitely update your OS, but we have not found Zimbra itself to be vulnerable to Shellshock. See http://community.zimbra.com/support/security/b/weblog/archive/2014/09/25/the-shellshock-flaw.

bhwong
Advanced member
Posts: 151
Joined: Thu Feb 27, 2014 8:40 pm

Post by bhwong » Mon Sep 29, 2014 11:21 pm

Thanks! So the vulnerability can only happen through a web request and not SSH or any other services?



Unfortunately our Ubuntu 8 no longer has any updates, much less for Bash. There is a solution provided but not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how-to-patch-ubuntu-8-04-or-anything-where-you-have-to-build-bash-from-source/



Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10, right?
ploeger
Advanced member
Posts: 88
Joined: Thu Aug 07, 2014 8:40 am

Post by ploeger » Tue Sep 30, 2014 5:12 am

[quote user="bhwong"]Thanks! So the vulnerability can only happen through a web request and not SSH or any other services?[/quote]


Rarely. There's a possibility if you use force commands in SSH, where you could override this limitation. Basically, all services that at some point use bash and allow the user to specify environment parameters are vulnerable. I won't vouch for it, but I'm not seeing Zimbra anywhere there.



[quote user="bhwong"]Unfortunately our Ubuntu 8 no longer has any updates, much less for Bash. There is a solution provided but not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how-to-patch-ubuntu-8-04-or-anything-where-you-have-to-build-bash-from-source/[/quote]


Again, won't vouch for it, but it shouldn't bother Zimbra.



[quote user="bhwong"]Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10, right?[/quote]


Yes. You'll have to rerun the setup and optional post-setup tasks that you might have in your environment.


So it's definitely something you should check in a development environment first!

