This is a reposting of Rene’s original blog announcement on March 18, 2019. Please read and be sure that your Zimbra Patches are up-to-date!
Hello Zimbra Friends,
Background
The Zimbra Security team has been working with security researcher An Trinh in advance of his recently-published blog post. In the blog, Trinh details his findings regarding a vulnerability which, if exploited, could allow an attacker to remotely execute code on an affected Zimbra system.
To secure supported versions of Zimbra (8.7 and 8.8)
- Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
- Zimbra customers running the long term support version (LTS) 8.7.11 must upgrade to 8.7.11 Patch 10
To secure unsupported version of Zimbra (8.6 and earlier)
- Customers running 8.6 must upgrade to Patch 13 – This Patch is scheduled for release 19 March.
- Older versions of Zimbra are vulnerable until they are upgraded to a supported version.
If you require guidance around your upgrade, please contact your Zimbra Partner or Zimbra Support for further information.
NOTE: Zimbra recommends that you always upgrade to the latest version of Zimbra to protect against possible security vulnerabilities.
Many thanks,
Rene Otto
Vice President Product eMail and Collaboration
If Zimbra 8.8.8 is installed, can i patch to 8.8.10 Patch 7 or 8.8.11 Patch 3 ?
This is not clear, thank you
Hello – you need to upgrade to 8.8.10 or 8.8.11 … then install the latest patch for that version. Thanks!
i have 8.8.12 an still have this issue
Hi Juan — the latest patch fixed this issue. Have you installed the latest patch? If you have, please open a case with Zimbra Support. Thanks!
Hi Gayle,
We have open source version zcs-8.7.10_GA_1829, which version patch we need to apply and how to do without impact for running server?
Thanks,
SN
Hi SN – the response from Zimbra Support is:
You need to upgrade from 8.7.10 to 8.7.11 and install patch 11. Doing a system upgrade will take down the system, but you can limit the downtime by doing a rolling upgrade. https://wiki.zimbra.com/wiki/Rolling_Upgrades_Overview
Thanks
8.8.9 is not mentioned in the post.
Is 8.8.9 Patch 10 considered secure?
Hi Thomas – yes, 8.8.9 Patch 10 is secure. Thanks
My zimbra is 8.6.0_GA_1153.NETWORK Dec 15, 2014, which update can I implement for my server?
Hi Yusuf – Zimbra 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.
I’m running 8.6.0 P4. Can I upgrade using the 8.6 patch 13 without installing the intermediate versions between P4 and P13?
Hi Rolf – Zimbra 8.6.0 is no longer supported. To stay current with security fixes, please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.
Will the next LTS, that is ZCS8.8.15(joule) correspond to RHEL8 or not?
Hi – We will not be supporting RHEL8 with Zimbra 8.8.15, but support for RHEL8 may be added in Q4 2019. Thanks
Hi Yusuf – Zimbra 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.