Is Zimbra affected by Bash Shellshock?
Is Zimbra affected by Bash Shellshock?
Zimbra itself may not be vulnerable but the Linux OS it is running on will likely to have vulnerable bash version already installed. Will this mean that the server itself is vulnerable? How can we verify if Zimbra server is safe? As long as there is no web services running? What about SSH?
Is Zimbra affected by Bash Shellshock?
Well, you could just test out the usual Shellshock test by running:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
on your Zimbra server. If it says "vulnerable", you should simply update your bash version.
With that being said, I don't think, that the attack vector's that big. From what I know, Zimbra's mostly far away from running bash scripts as a result of a web request.
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
on your Zimbra server. If it says "vulnerable", you should simply update your bash version.
With that being said, I don't think, that the attack vector's that big. From what I know, Zimbra's mostly far away from running bash scripts as a result of a web request.
-
tonster
- Zimbra Employee
- Posts: 313
- Joined: Fri Feb 21, 2014 10:14 am
- Location: Ypsilanti, MI
- ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016
Is Zimbra affected by Bash Shellshock?
You should definitely update your OS, but we have not found Zimbra itself to be vulnerable to Shellshock. See http://community.zimbra.com/support/sec ... shock-flaw.
Is Zimbra affected by Bash Shellshock?
Thanks! So the vulnerable can only happen thru web request and not SSH or any other services?
Unfortunately our Ubuntu 8 no longer has any update, less for Bash. There is a solution provided but not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how ... om-source/
Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10 right?
Unfortunately our Ubuntu 8 no longer has any update, less for Bash. There is a solution provided but not sure if this will break Zimbra: http://leftyfb.com/2014/09/25/heres-how ... om-source/
Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10 right?
Is Zimbra affected by Bash Shellshock?
[quote user="bhwong"]Thanks! So the vulnerable can only happen thru web request and not SSH or any other services?[/quote]
Rarely. There's a possibility if you use force commands in SSH, where you could override this limitation. Basically, all services are vulnerable, that at one time use bash and allow the user to specify environment parameters. I won't vouch for it, but I'm not seeing Zimbra anywhere there.
[quote user="bhwong"]Unfortunately our Ubuntu 8 no longer has any update, less for Bash. There is a solution provided but not sure if this will break Zimbra: [View:http://leftyfb.com/2014/09/25/heres-how ... om-source/[/quote]:940:0]
Again, won't vouch for it, but it shouldn't bother Zimbra.
[quote user="bhwong"]Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10 right?[/quote]
Yes. You'll have to rerun the setup and optional post-setup tasks, that you might have in your environment.
So it's definitely something, you should check in a development environment first!
Rarely. There's a possibility if you use force commands in SSH, where you could override this limitation. Basically, all services are vulnerable, that at one time use bash and allow the user to specify environment parameters. I won't vouch for it, but I'm not seeing Zimbra anywhere there.
[quote user="bhwong"]Unfortunately our Ubuntu 8 no longer has any update, less for Bash. There is a solution provided but not sure if this will break Zimbra: [View:http://leftyfb.com/2014/09/25/heres-how ... om-source/[/quote]:940:0]
Again, won't vouch for it, but it shouldn't bother Zimbra.
[quote user="bhwong"]Or I could take this opportunity to upgrade Ubuntu to 10, but I will need to reinstall Zimbra 7 for Ubuntu 10 right?[/quote]
Yes. You'll have to rerun the setup and optional post-setup tasks, that you might have in your environment.
So it's definitely something, you should check in a development environment first!