Synacor Support is an infosec nightmare

Arglex1
Posts: 20
Joined: Fri Sep 12, 2014 9:57 pm

Synacor Support is an infosec nightmare

Post by Arglex1 »

Am I nuts or does the support team seriously need security training? Does the Zimbra executive team even have a Security professional on board?

We run the latest Zimbra NE, fully patched. We have a patching policy and a formal patching schedule depending on the severity of the vuln. The latest log4j is one of many failures of the zimbra code team. Their statement is that they are not vulnerable to log4j attacks because the version of log4j in Zimbra NE is so far out of date that the vulnerable code never made it into prod Zimbra releases. Wow, that's nice that our systems are not vulnerable to that exact vuln, yet they stay waaaaay out of date and are vulnerable to many other exploits (see CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 to name a few). My Zimbra nodes sit at the top of my weekly scan reports and stay there.

For all of you sysadmins that made it this far, I hope you are using some sort of automated vulnerability scanning and have a SOC monitoring for active exploits. No, I'm not just complaining, I'm hoping to raise awareness. This is completely unacceptable. The Java Runtime Environment has more holes than Swiss cheese, among other items. I'm shocked that we don't see a lot more posts about hacked Zimbra systems on these forums.

Note: We have opened many tickets with support (we have paid subscription). They do not give us a straight answer as to when they will patch any of these issues. Yeah, we only have 400 licenses and are a small client. I'm afraid we may be looking at a major migration to a cloud provider (the two big ones both suck but what can we do?).

In modern times, if a software provider is not patching CVEs, by security rating, according to a standard patching schedule, they will fall prey to malicious actors. Does Synacor even care?
mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: Synacor Support is an infosec nightmare

Post by mgarbin »

Hi ArgLex1,
did you search the Zimbra commits?

https://github.com/Zimbra/zm-mailbox/pull/1215/files

As you can see they are working on it.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Synacor Support is an infosec nightmare

Post by phoenix »

mgarbin wrote: As you can see they are working on it.
Yes, but the problem with Synacor is their lack of openness and lack of involvement with the Open Source Community. They implied by posting there's no problem with log4j and ZCS by saying it's not affected by the most recent CVE and not mentioning all the previous versions that have problems. :shock: I'd call that security by obfuscation. :?
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Synacor Support is an infosec nightmare

Post by ghen »

mgarbin wrote: As you can see they are working on it.
Yes, they're now working on log4j because the spotlights are on it. But Zimbra ships dozens of Java libs, Perl libs and other 3rd-party components that haven't been updated for many (5+, 10+) years; all of this is completely unmaintained and contains dozens of documented or undocumented vulnerabilities.
mgarbin
Posts: 35
Joined: Wed Jun 26, 2019 11:00 am

Re: Synacor Support is an infosec nightmare

Post by mgarbin »

ghen wrote:
mgarbin wrote: As you can see they are working on it.
Yes, they're now working on log4j because the spotlights are on it. But Zimbra ships dozens of Java libs, Perl libs and other 3rd-party components that haven't been updated for many (5+, 10+) years; all of this is completely unmaintained and contains dozens of documented or undocumented vulnerabilities.
You're completely right for paid customers, but if we are talking about the open-source project (or I misunderstood), we are free to contribute fixes on their repos.
We can solve our problem only with action, helping the community and each other, pushing fixes and code; complaining does not solve anything.
A solution to cover the new CVEs on log4j is to remove the unused classes, as described in every CVE:

Example:
https://securityonline.info/cve-2022-23 ... ity-alert/


zip -q -d log4j-*.jar org/apache/log4j/net/JMSSink.class
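An added example, not from this thread or from Zimbra, that generalises the `zip -d` step above: it audits a log4j 1.x jar for the classes the advisories for CVE-2022-23302 (JMSSink), CVE-2022-23305 (JDBCAppender) and CVE-2022-23307 (the Chainsaw package) name, then rewrites the jar without them and re-audits to confirm. The jar it works on is a constructed stand-in with placeholder entries, and the class-to-CVE mapping is my assumption taken from those advisories, not from the thread.

```python
# Audit a log4j 1.x jar for the classes behind CVE-2022-23302/-23305/-23307
# and strip them the way `zip -d` does (added example; uses a constructed jar).
import tempfile
import zipfile
from pathlib import Path
# Assumed mapping from the advisories the thread cites; not taken from the thread.
RISKY_ENTRIES = {
    "CVE-2022-23302": ["org/apache/log4j/net/JMSSink.class"],
    "CVE-2022-23305": ["org/apache/log4j/jdbc/JDBCAppender.class"],
    "CVE-2022-23307": ["org/apache/log4j/chainsaw/"],  # whole Chainsaw package
}

def audit_jar(jar_path):
    """Return {cve: [entry names]} for risky entries still present in the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
    findings = {}
    for cve, patterns in RISKY_ENTRIES.items():
        hits = sorted(n for n in names if any(
            n == p or (p.endswith("/") and n.startswith(p)) for p in patterns))
        if hits:
            findings[cve] = hits
    return findings

def strip_jar(jar_path, out_path):
    """Copy jar_path to out_path minus the risky entries; return the removed names."""
    flagged = {n for hits in audit_jar(jar_path).values() for n in hits}
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename not in flagged:
                dst.writestr(info, src.read(info.filename))
    return sorted(flagged)

def build_sample_jar(path):
    """Constructed stand-in for a log4j 1.2 jar: placeholder bytes, not real classes."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in ("META-INF/MANIFEST.MF", "org/apache/log4j/Logger.class",
                     "org/apache/log4j/net/JMSSink.class",
                     "org/apache/log4j/jdbc/JDBCAppender.class",
                     "org/apache/log4j/chainsaw/Main.class"):
            jar.writestr(name, b"placeholder")
    return path

def demo():
    """Build the sample jar, audit it, strip it, and audit the result."""
    tmp = Path(tempfile.mkdtemp())
    src = build_sample_jar(tmp / "log4j-1.2.17.jar")  # constructed file name
    stripped = tmp / "log4j-1.2.17-stripped.jar"
    before = audit_jar(src)
    removed = strip_jar(src, stripped)
    return before, removed, audit_jar(stripped)
```

Re-run the audit after every Zimbra patch: an update that ships the same dependency puts the stripped classes back.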
Arglex1
Posts: 20
Joined: Fri Sep 12, 2014 9:57 pm

Re: Synacor Support is an infosec nightmare

Post by Arglex1 »

mgarbin wrote: Hi ArgLex1,
did you search the Zimbra commits?

https://github.com/Zimbra/zm-mailbox/pull/1215/files

As you can see they are working on it.
One issue they are working on. How about JRE? Here are some of the CVEs, many critical:
CVE-2013-0425, CVE-2013-0426, CVE-2013-0428, CVE-2013-0429, CVE-2013-0441, CVE-2013-0442, CVE-2013-0445, CVE-2013-0450, CVE-2013-0809, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1491, CVE-2013-1493, CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2420, CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2439, CVE-2013-2445, CVE-2013-2448, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743, CVE-2013-5782, CVE-2013-5802, CVE-2013-5809, CVE-2013-5814, CVE-2013-5817, CVE-2013-5829, CVE-2013-5830, CVE-2013-5842, CVE-2013-5843, CVE-2013-5850
Arglex1
Posts: 20
Joined: Fri Sep 12, 2014 9:57 pm

Re: Synacor Support is an infosec nightmare

Post by Arglex1 »

We are paying customers. Why do we pay for support if we need to have our dev team correct their code? What about when a new patch comes out and applies the old dependencies?
Arglex1
Posts: 20
Joined: Fri Sep 12, 2014 9:57 pm

Re: Synacor Support is an infosec nightmare

Post by Arglex1 »

More vulns if anyone is interested:

Apache: CVE-2021-44224 and CVE-2021-44790

PHP: CVE-2021-21707 and CVE-2021-21703

How about updates to those packages?
rainer_d
Advanced member
Posts: 86
Joined: Fri Sep 12, 2014 11:40 pm

Re: Synacor Support is an infosec nightmare

Post by rainer_d »

Not trying to defend them (ok, somewhat) - but it's a bit of an uphill battle there (for Synacor).

They can't use the distributions' packages, because they often use custom patches and add-ons that aren't standard on any or all of the OSs they support.

As a result, they would have to have a (much more) proactive (or aggressive, if you want to say so) approach to adopting upstream packages.

However, that could (and probably would) create huge challenges for QA.
They likely have their hands full doing QA for the code changes they introduce - there may simply not be enough "time" to ingest changes from upstream software.
And that is ignoring for a moment that they use stuff like MariaDB, which is notoriously buggy and known for only fixing bugs in the latest release.

My backend servers have close to 200 zimbra-packages; there are a couple more on the front-end servers, so all counted maybe 250 packages.

In the end, they've created a sort of "Mini-Linux-Distribution", but possibly without realizing at first what kind of resources they might need the longer their release cycle gets.

This is just my educated guess, watching from the sidelines.