Logjam’s Impact on Zimbra Collaboration

Zimbra is aware of a newly disclosed SSL/TLS vulnerability that allows a malicious actor positioned on the network path to perform a Man-in-the-Middle (MitM) attack on TLS connections. The vulnerability is referred to as Logjam.

Similar to FREAK, this attack targets export-grade encryption: a MitM downgrades the connection to a 512-bit export Diffie-Hellman key exchange, which the attacker can then break and so read or modify the session.

For more information on the attack and how this applies to Zimbra, please head over to the security group.

**UPDATE**

For 8.0.x customers: 8.0.x runs on Java 1.7, and in Java 1.7 the server-side DHE parameters are hard-coded to 768 bits (except when using export cipher suites, which use 512 bits, but those should already be disabled). A 768-bit group is not export-grade, but the Logjam researchers describe precomputation against groups of that size as feasible for a well-resourced attacker, so the Java listener's DHE suites should not be relied on. The recommended workaround is to always terminate TLS on the (Nginx) Proxy, where the DH group size is configurable. The other option is to disable all DHE suites on the Java listener, which has the side effect of losing forward secrecy for any user agents that do not support ECDHE. Java 8 raises the default and lets the size be configured with the jdk.tls.ephemeralDHKeySize system property (ref: http://blog.ivanristic.com/2014/03/ssl-tls-improvements-in-java-8.html).
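As an added illustration (not part of Zimbra's post or its tooling), the following POSIX shell helpers show how to check what a listener actually offers and how to apply the second workaround. `dh_verdict` classifies the `Server Temp Key` line that `openssl s_client` (OpenSSL 1.0.2 or later) prints after a handshake; `probe_dh` runs that probe against a live host; `strip_dhe` removes DHE suites from an OpenSSL-style cipher list. The function names are this example's own, and the transcript it evaluates offline is constructed, not captured from a Zimbra server.

```shell
#!/bin/sh
# Added example, not Zimbra code: inspect the ephemeral DH group a TLS listener
# negotiates and build a DHE-free cipher list.

# Read an `openssl s_client` transcript on stdin and print one verdict line:
#   WEAK-DH <bits>   DHE negotiated with a group below 2048 bits (Logjam-relevant;
#                    512 = export grade, 768 = the Java 7 default noted above)
#   OK-DH <bits>     DHE negotiated with a 2048-bit or larger group
#   OK-ECDH <info>   elliptic-curve exchange (ECDHE/X25519), unaffected by Logjam
#   NO-TEMP-KEY      no "Server Temp Key" line: RSA key exchange, a failed
#                    handshake, or an OpenSSL older than 1.0.2
dh_verdict() {
    line=$(grep -m1 '^Server Temp Key:' | sed 's/^Server Temp Key: *//')
    case "$line" in
        "")
            echo "NO-TEMP-KEY" ;;
        DH,*)
            bits=$(echo "$line" | sed 's/^DH, *\([0-9]*\) bits.*/\1/')
            if [ "$bits" -lt 2048 ]; then
                echo "WEAK-DH $bits"
            else
                echo "OK-DH $bits"
            fi ;;
        ECDH,*|X25519*|X448*)
            echo "OK-ECDH $line" ;;
        *)
            echo "UNKNOWN $line" ;;
    esac
}

# Live probe (needs network access and OpenSSL >= 1.0.2). Pins TLS 1.2 and
# offers only DHE suites so the server's DH group is exposed even when it would
# normally prefer ECDHE; NO-TEMP-KEY then means the server offers no DHE suite
# at all (or the connection failed).
probe_dh() {
    host=$1
    port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -cipher 'DHE' 2>/dev/null | dh_verdict
}

# Drop every DHE suite (and anonymous DH, which should never be on) from a
# colon-separated OpenSSL cipher list: the post's "disable all DHE suites"
# option, applied to an existing configured list.
strip_dhe() {
    echo "$1" | tr ':' '\n' | grep -v -E '^(DHE|EDH|ADH)-' \
        | tr '\n' ':' | sed 's/:$//'
}

# Constructed transcript excerpt (what a Java 7 listener would show), for an
# offline demonstration of the parser.
SAMPLE_JAVA7='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Server Temp Key: DH, 768 bits'

printf '%s\n' "$SAMPLE_JAVA7" | dh_verdict
strip_dhe 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-SHA'
```

Run `probe_dh mail.example.com` against your own listener; a WEAK-DH result on the Java-side port is the condition the workaround above addresses, while an OK-DH result from the proxy confirms the group size configured there.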

3 Responses to Logjam’s Impact on Zimbra Collaboration

  1. x July 5, 2015 at 3:14 PM #

    And Zimbra 7?

    • Matthew Lewis July 6, 2015 at 11:02 AM #

      Hi, based on information from our security architect and from Jorge, the “Update” about Java applies to 7.x also.

    • Jorge de la Cruz July 9, 2015 at 8:24 AM #

      One of the best ways to mitigate Logjam and other issues in Zimbra Collaboration is to upgrade to the newest Zimbra Collaboration release; we have written a detailed Wiki on mitigating Logjam and other security issues in the different Zimbra releases – https://wiki.zimbra.com/wiki/How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test

      Zimbra Collaboration 7.0.x is not included there, but you can try the steps for 8.0.x on your Zimbra Collaboration 7.0.x; do a backup or snapshot first, as usual.

      Let us know.

Copyright © 2022 Zimbra, Inc. All rights reserved.