Difference between revisions of "Reporting Security Issues"

(Some content updates, but also refer more things over to the updated Security Center.)
 
Latest revision as of 21:17, 7 September 2016

Reporting Security Issues

   KB 2432        Last updated on 2016-09-7  





Zimbra Collaboration Suite and related products are made up of a wide variety of Third Party applications and libraries. On occasion, a vulnerability may be discovered in a Third Party product, or within the Zimbra core application. High priority issues will often be referenced in the Security Center.

Understanding Vulnerabilities

Usually when a vulnerability is discovered within a Third Party application or library, a CVE entry is published for it. "CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services." https://cve.mitre.org/

This is usually mirrored by an alert in the National Vulnerability Database. "NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics." https://nvd.nist.gov/

The third party vendor is usually notified about a vulnerability before an alert is issued to give them time to issue a patch before it is exploited in the wild (however, this is not always the case).

What You Can Do

If you read about a vulnerability within an application that Zimbra uses, first search Zimbra Bugzilla (the bug database) to see if the issue has already been reported. If you do not see the issue, see Reporting Vulnerabilities to Zimbra for ways to report vulnerabilities to Zimbra. If you believe that the threat is severe enough and wish to communicate directly with Zimbra about the issue, feel free to send email as directed on that page. Please be sure to cite any appropriate references (for example the CVE identifier and the vendor advisory) when submitting details in a bug, ticket, or email.
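As an added illustration of the CVE identifiers described under Understanding Vulnerabilities and of the "search the tracker first, then cite references" advice above (example code written for this page, not Zimbra's own tooling): a small Python script that pulls CVE ids out of an advisory or mailing-list post, rejects ids that only look like CVE ids, checks the rest against a constructed stand-in for a Bugzilla search, and builds the MITRE and NVD reference URLs to paste into the report. The advisory text and the `KNOWN_TRACKED` set are constructed sample data; the ids in them are format examples only, and nothing here claims that any of them affects Zimbra.

```python
"""Constructed example for this page (not Zimbra code): find CVE ids in an
advisory, validate and normalise them, and build the references to cite."""
import re

# MITRE CVE id syntax: "CVE-" + four-digit year + "-" + four or more digits.
# Case-insensitive so ids copied from forum posts or mail ("cve-2014-0160") match.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Public reference pages for an id (these are the real MITRE and NVD URL shapes).
MITRE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
NVD_URL = "https://nvd.nist.gov/vuln/detail/{cve}"

# Constructed sample text. The ids are format examples only; this says nothing
# about whether any of them affects Zimbra.
SAMPLE_ADVISORY = """Subject: third-party library update
Vendor notice references cve-2014-0160 (also written CVE-2014-0160).
Old tracker entry CVE-1998-1234 predates the CVE program and is not a valid id.
Padded form CVE-2014-00160 and truncated form CVE-2014-160 are malformed.
New entry CVE-2016-1234567 uses a long sequence number."""

# Constructed stand-in for "already found when searching Bugzilla".
KNOWN_TRACKED = {"CVE-2014-0160"}


def _is_valid(year, seq):
    """Reject ids that have the right shape but break the rules: the CVE
    program started in 1999, and sequence numbers are only zero-padded to
    four digits, so a five-or-more-digit sequence never starts with 0."""
    if int(year) < 1999:
        return False
    return len(seq) == 4 or seq[0] != "0"


def extract_cve_ids(text):
    """Return the valid CVE ids in text, upper-cased, de-duplicated,
    in first-seen order."""
    seen, found = set(), []
    for match in CVE_RE.finditer(text):
        year, seq = match.group(1), match.group(2)
        if not _is_valid(year, seq):
            continue
        cve = f"CVE-{year}-{seq}"
        if cve not in seen:
            seen.add(cve)
            found.append(cve)
    return found


def reference_links(cve_id):
    """Build the two reference URLs worth citing for a third-party CVE.
    Raises ValueError for anything that is not a well-formed id."""
    cve = cve_id.upper()
    if extract_cve_ids(cve) != [cve]:
        raise ValueError(f"not a valid CVE id: {cve_id!r}")
    return {"mitre": MITRE_URL.format(cve=cve), "nvd": NVD_URL.format(cve=cve)}


def triage_advisory(text, tracked):
    """Split the ids in an advisory into those already in the bug tracker
    and those that still need a report, with citation links for the latter."""
    ids = extract_cve_ids(text)
    needs_report = [c for c in ids if c not in tracked]
    return {
        "already_tracked": [c for c in ids if c in tracked],
        "needs_report": needs_report,
        "citations": {c: reference_links(c) for c in needs_report},
    }


if __name__ == "__main__":
    result = triage_advisory(SAMPLE_ADVISORY, KNOWN_TRACKED)
    for cve in result["already_tracked"]:
        print(f"{cve}: already in tracker, add details to the existing bug")
    for cve in result["needs_report"]:
        links = result["citations"][cve]
        print(f"{cve}: file a report citing {links['mitre']} and {links['nvd']}")
```

Running the script on the sample text keeps only `CVE-2014-0160` and `CVE-2016-1234567`: the 1998 id, the zero-padded id and the three-digit id are dropped rather than passed on as references, which matters because a malformed id in a report sends the reader to a non-existent entry. Replace `KNOWN_TRACKED` with the result of your own Bugzilla search before trusting the "already tracked" split.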

When You Should Patch

You should only apply official patches provided by Zimbra to Zimbra products.

Using any non-official patches on Zimbra components may result in an unstable system. Zimbra Network Edition customers are advised that use of non-official patches may make your system ineligible for Official Network Edition Support, and requests related to such systems may be directed to the Zimbra Forums.

What Not To Do

When a threat is emerging, please do not post the threat details in our forums until a Zimbra Employee has looked at it. If a threat is posted that Zimbra has not assessed, the post will usually be held until a moderator can determine if the post is legitimate. Please consider following the recommendations in Reporting Vulnerabilities to Zimbra.

What Zimbra Will Do

Depending on the severity, Zimbra will take the following actions:

If the vulnerability/exploit poses an immediate threat to Zimbra and our customers, Zimbra usually will post information related to the threat in our Support Portal, in the Security Center and possibly in the Forums. If severe enough, we will send out a notification to Network Edition Customers via e-mail. The notice in the Support Portal will contain reference links, as well as how to protect your deployment until Zimbra issues a patch. If the issue is being widely or actively exploited, Zimbra may issue a one-off patch in a timely fashion to address the issue. Otherwise (for smaller issues), Zimbra will issue a patch on our usual release cycle.

Please reference our Zimbra Security Response Policy for details.

Customers may want to consider subscribing to public security mailing lists to help ensure they are notified of emerging threats.

Verified Against: All Zimbra Collaboration versions Date Created: 5/12/2008
Article ID: https://wiki.zimbra.com/index.php?title=Reporting_Security_Issues Date Modified: 2016-09-07