04-21-2007, 01:34 PM
ZCS Security Vulnerability Alert
I. Description
We have recently discovered a possible vulnerability with Zimbra's Tomcat install. To prevent any possible vulnerability on your system we recommend that you follow the steps below to remove the host-manager and manager webapps from the Zimbra Tomcat install.


II. Impact
A remote, unauthenticated attacker may be able to deploy arbitrary code with user level privileges on a vulnerable system.
ZCS 4.0.0 and greater are affected.
ZCS 4.5.5 will include the fix for this issue.

III. Solution
Check if you have the manager installed:
    ls /opt/zimbra/tomcat/server/webapps
    host-manager manager
Move the server/webapps to a backup dir:
    mv /opt/zimbra/tomcat/server/webapps/ /opt/zimbra/tomcat/server/webapps_old
Restart Tomcat:
    su - zimbra
    tomcat restart

Network Edition Customers: If you have any questions or would like assistance please contact Zimbra Support via the Support Portal.

Open Source Users:
If you have any questions or comments, please confine them to this thread. You may also pvt me (jholder), KevinH, Phoenix or any of our moderators with any security-related questions.

Special Thanks
To Léo Goehrs from Alionis.net for alerting us to this issue.


Zimbra takes security very seriously. If you ever believe that you have a security issue with Zimbra, you should always report it to a Zimbra Employee, rather than posting it in the forums.

Best,
The Zimbra Forums Team

Last edited by jholder; 04-21-2007 at 03:47 PM..
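
Added example, not part of the original post or of Zimbra's own tooling: the check and move steps from the Solution section as a script that refuses to run a second time into an existing webapps_old. The function names, the TOMCAT_HOME override and the "apply" argument are assumptions made for this illustration; the paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: checks for and sets aside the Tomcat manager webapps,
# following the steps in the advisory. Default path is the advisory's.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/zimbra/tomcat}"   # override is an assumption

# Print the names of the management webapps present under $1/server/webapps.
find_manager_webapps() {
    for app in host-manager manager; do
        if [ -e "$1/server/webapps/$app" ]; then
            echo "$app"
        fi
    done
}

# Move $1/server/webapps to $1/server/webapps_old.
# Returns 0 if moved, 1 if nothing to do, 2 if an earlier backup is in the way.
set_aside_webapps() {
    src="$1/server/webapps"
    dst="$1/server/webapps_old"
    if [ -z "$(find_manager_webapps "$1")" ]; then
        echo "no manager webapps under $src"
        return 1
    fi
    # mv into an existing directory would nest it as webapps_old/webapps.
    if [ -e "$dst" ]; then
        echo "$dst already exists; inspect it before retrying" >&2
        return 2
    fi
    mv "$src" "$dst"
    echo "moved $src to $dst; restart Tomcat as the zimbra user"
}

# Run only when invoked with "apply", e.g.: sh set-aside-manager.sh apply
if [ "${1:-}" = "apply" ]; then
    set_aside_webapps "$TOMCAT_HOME"
fi
```

After the move, restart Tomcat as described in the post and run find_manager_webapps again to confirm it prints nothing.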