OpenSSL Patch Update for ZCS 8.0.3 Only

Submitted by admin on Wed, 04/09/2014 - 15:56

Last updated on Wed, 04/09/2014 - 16:02

We’re sorry to have to do this, but if you patched for the OpenSSL Heartbleed vulnerability for Zimbra Collaboration Server 8.0.3 prior to Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, you will need to re-patch.

Please note: this is ONLY for ZCS 8.0.3. All other patches were fine, but the 8.0.3 openssl builds were still vulnerable. Repeating, this is only for ZCS 8.0.3.

Here is how you can check your build version:
$ zmcontrol -v
(look for "8.0.3")

Here is how you can check your OpenSSL version. Only unpatched versions of OpenSSL 1.0.1 that are compiled with TLS Heartbeat support are vulnerable:
$ ls -ld /opt/zimbra/openssl*
lrwxrwxrwx 1 root root 26 Jan 17 16:04 /opt/zimbra/openssl -> /opt/zimbra/openssl-1.0.1d
drwxr-xr-x 6 root root 4096 Jan 17 16:03 /opt/zimbra/openssl-1.0.1d

Here is how you can confirm if your libssl library is vulnerable or not:

$ strings /opt/zimbra/openssl/lib/ | grep dtls1_heartbeat

Not Vulnerable:
$ strings /opt/zimbra/openssl/lib/ | grep dtls1_heartbeat
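
The "strings" check above, wrapped in a function that can be run on every node, as an added example that is not part of the original post or of the Zimbra updater script. It assumes the library files are named libssl* inside the directory you pass in, and it uses grep directly on the binary instead of strings; the function name and status words are made up for this example.

```shell
#!/bin/sh
# Added example (not Zimbra's updater): report whether the libssl files in a
# directory still contain the dtls1_heartbeat symbol name.
# Assumption: the libraries are named libssl* inside the directory given.
# grep is run directly on the binary; for a fixed ASCII symbol name this finds
# the same thing as `strings FILE | grep dtls1_heartbeat`.

SYMBOL=dtls1_heartbeat

# check_heartbeat_dir DIR
#   prints "HEARTBEAT_PRESENT <file>" or "HEARTBEAT_ABSENT <file>" per library
#   returns 0 = symbol in none of the files (heartbeat compiled out)
#           1 = symbol in at least one file (re-patch this node)
#           2 = no libssl* file found, nothing could be checked
check_heartbeat_dir() {
    chd_dir=$1
    chd_seen=0
    chd_hits=0
    for chd_f in "$chd_dir"/libssl*; do
        [ -f "$chd_f" ] || continue   # unmatched glob or not a regular file
        chd_seen=$((chd_seen + 1))
        if LC_ALL=C grep -qF -- "$SYMBOL" "$chd_f"; then
            echo "HEARTBEAT_PRESENT $chd_f"
            chd_hits=$((chd_hits + 1))
        else
            echo "HEARTBEAT_ABSENT $chd_f"
        fi
    done
    if [ "$chd_seen" -eq 0 ]; then
        echo "NO_LIBSSL_FOUND $chd_dir" >&2
        return 2
    fi
    [ "$chd_hits" -eq 0 ] && return 0
    return 1
}

# Run against a directory when one is given, e.g. /opt/zimbra/openssl/lib
if [ "$#" -gt 0 ]; then
    check_heartbeat_dir "$1"
fi
```

This only inspects the files on disk: processes that are already running keep the old library loaded until zmcontrol restart. The absence test matches the patched builds described here, which disable TLS Heartbeat.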

In order to re-patch, please download the latest version of the updater script and re-patch all Zimbra nodes (particularly those Internet-accessible, but all nodes should be patched):

(as root)
1) wget
2) chmod a+rx
3) ./
(as user zimbra)
4) su - zimbra
5) zmcontrol restart

The results should show the updater re-patching the system:

# ./
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart

If you were to run the updater again, it should then show the system as patched:
# ./
Error: Already patched

All 8.0.3 patching after Wed April 09, 2014, 11:00 Eastern/08:00 Pacific, should be fine, as the openssl builds on were updated to disable TLS Heartbeat. To double check, please use the “strings” method shown above.

The updater is also available here:

For additional information, please reference these instructions:
