[REPOST] Recent Zimbra XXE / SSRF Vulnerability Disclosure

This is a reposting of Rene’s original blog announcement on March 18, 2019. Please read and be sure that your Zimbra Patches are up-to-date!

Hello Zimbra Friends,

Background

The Zimbra Security team has been working with security researcher An Trinh in advance of his recently published blog post. In it, Trinh details his findings regarding a vulnerability which, if exploited, could allow an attacker to remotely execute code on an affected Zimbra system.

To secure supported versions of Zimbra (8.7 and 8.8):

  • Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
  • Zimbra customers running the long term support version (LTS) 8.7.11 must upgrade to 8.7.11 Patch 10

To secure unsupported versions of Zimbra (8.6 and earlier):

  • Customers running 8.6 must upgrade to Patch 13. This patch is scheduled for release on 19 March.
  • Older versions of Zimbra are vulnerable until they are upgraded to a supported version.

If you require guidance around your upgrade, please contact your Zimbra Partner or Zimbra Support for further information.

NOTE: Zimbra recommends that you always upgrade to the latest version of Zimbra to protect against possible security vulnerabilities.

Many thanks,

Rene Otto

Vice President Product eMail and Collaboration


15 Responses to [REPOST] Recent Zimbra XXE / SSRF Vulnerability Disclosure

  1. pb April 3, 2019 at 1:41 PM

    If Zimbra 8.8.8 is installed, can I patch to 8.8.10 Patch 7 or 8.8.11 Patch 3?
    This is not clear, thank you.

    • Gayle Billat April 17, 2019 at 7:23 PM

      Hello – you need to upgrade to 8.8.10 or 8.8.11 … then install the latest patch for that version. Thanks!

  2. Juan April 30, 2019 at 4:01 PM

    I have 8.8.12 and still have this issue.

    • Gayle Billat April 30, 2019 at 4:46 PM

      Hi Juan — the latest patch fixed this issue. Have you installed the latest patch? If you have, please open a case with Zimbra Support. Thanks!

  3. SN May 20, 2019 at 2:45 PM

    Hi Gayle,

    We have the open source version zcs-8.7.10_GA_1829. Which patch version do we need to apply, and how do we do it without impact on the running server?

    Thanks,
    SN

  4. Thomas May 24, 2019 at 11:23 AM

    8.8.9 is not mentioned in the post.

    Is 8.8.9 Patch 10 considered secure?

    • Gayle Billat June 17, 2019 at 11:39 PM

      Hi Thomas – yes, 8.8.9 Patch 10 is secure. Thanks!

  5. Yusuf June 1, 2019 at 9:48 AM

    My Zimbra is 8.6.0_GA_1153.NETWORK Dec 15, 2014. Which update can I implement for my server?

    • Gayle Billat June 11, 2019 at 1:44 AM

      Hi Yusuf – Zimbra 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.

  6. Rolf June 2, 2019 at 11:11 PM

    I’m running 8.6.0 P4. Can I upgrade using the 8.6 patch 13 without installing the intermediate versions between P4 and P13?

    • Gayle Billat June 11, 2019 at 1:45 AM

      Hi Rolf – Zimbra 8.6.0 is no longer supported. To stay current with security fixes, please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.

  7. funifuni June 8, 2019 at 8:25 PM

    Will the next LTS, that is ZCS 8.8.15 (Joule), support RHEL8 or not?

    • Gayle Billat June 18, 2019 at 5:40 PM

      Hi – We will not be supporting RHEL8 with Zimbra 8.8.15, but support for RHEL8 may be added in Q4 2019. Thanks!

  8. MBF August 9, 2019 at 2:18 PM

    Hi Yusuf – Zimbra 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.

Copyright © 2022 Zimbra, Inc. All rights reserved.
