We’re sorry to have to do this, but if you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.

Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.

Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")

Here is how you can check your OpenSSL version - only un-patched versions of OpenSSL 1.0.1 that are compiled with TLS Heartbeat support are vulnerable:
$ ls -ld /opt/zimbra/openssl*
lrwxrwxrwx 1 root root 26 Jan 17 16:04 /opt/zimbra/openssl -> /opt/zimbra/openssl-1.0.1d
drwxr-xr-x 6 root root 4096 Jan 17 16:03 /opt/zimbra/openssl-1.0.1d


Here is how you can confirm if your libssl library is vulnerable or not:

Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
dtls1_heartbeat
$


Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/libssl.so | grep dtls1_heartbeat
$


In order to re-patch, please download the latest version of the updater script and re-patch all Zimbra nodes (particularly those Internet-accessible, but all nodes should be patched):

(as root)
1) wget http://files.zimbra.com/downloads/se...ssl-updater.sh
2) chmod a+rx zmopenssl-updater.sh
3) ./zmopenssl-updater.sh
(as user zimbra)
4) su - zimbra
5) zmcontrol restart


The results should show the updater re-patching the system:

# ./zmopenssl-updater.sh
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart


If you were to run the updater again, it should then show the system as patched:
# ./zmopenssl-updater.sh
Error: Already patched
openssl-1.0.1e.brokenheart.46302


All 8.0.3 patching after Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, should be fine, as the openssl builds on files.zimbra.com were updated to disable TLS Heartbeat. To double check, please use the “strings” method shown above.

For additional information, please reference these instructions:
https://www.zimbra.com/forums/announ...erability.html