[REPOST] Recent Zimbra XXE / SSRF Vulnerability Disclosure

This is a reposting of Rene’s original blog announcement on March 18, 2019. Please read and be sure that your Zimbra Patches are up-to-date!

Hello Zimbra Friends,


The Zimbra Security team has been working with security researcher An Trinh in advance of his recently-published blog post. In the blog, Trinh details his findings regarding a vulnerability which, if exploited, could allow an attacker to remotely execute code on an affected Zimbra system.

To secure supported versions of Zimbra (8.7 and 8.8)

  • Zimbra customers running versions of 8.8 must upgrade to 8.8.10 Patch 7 or 8.8.11 Patch 3
  • Zimbra customers running the long term support version (LTS) 8.7.11 must upgrade to 8.7.11 Patch 10

To secure unsupported version of Zimbra (8.6 and earlier)

  • Customers running 8.6 must upgrade to Patch 13 – This Patch is scheduled for release 19 March.
  • Older versions of Zimbra are vulnerable until they are upgraded to a supported version.

If you require guidance around your upgrade, please contact your Zimbra Partner or Zimbra Support for further information.

NOTE: Zimbra recommends that you always upgrade to the latest version of Zimbra to protect against possible security vulnerabilities.

Many thanks,

Rene Otto

Vice President Product eMail and Collaboration

, , , ,

4 Responses to [REPOST] Recent Zimbra XXE / SSRF Vulnerability Disclosure

  1. pb April 3, 2019 at 1:41 PM #

    If Zimbra 8.8.8 is installed, can i patch to 8.8.10 Patch 7 or 8.8.11 Patch 3 ?
    This is not clear, thank you

    • Gayle Billat April 17, 2019 at 7:23 PM #

      Hello – you need to upgrade to 8.8.10 or 8.8.11 … then install the latest patch for that version. Thanks!

  2. Juan April 30, 2019 at 4:01 PM #

    i have 8.8.12 an still have this issue

    • Gayle Billat April 30, 2019 at 4:46 PM #

      Hi Juan — the latest patch fixed this issue. Have you installed the latest patch? If you have, please open a case with Zimbra Support. Thanks!

Leave a Reply