Supported Zimbra Versions Not Affected by 0-day Exploit Vulnerability for Log4j

Hello Zimbra Customers, Partners & Friends,

After intensive review and testing, Zimbra Development has determined that the 0-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). The version of Log4j currently used in Zimbra is 1.2.16. The vulnerability occurs in Log4j versions 2.0 and higher.

Thank you,

Your Zimbra Team
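To confirm on your own host which Log4j generation is bundled, the sketch below classifies archives by the classes they contain rather than by file name. It is an added example, not Zimbra's code; the function names, the sample file names and the constructed archives in `demo()` are assumptions made for illustration.

```python
import io
import os
import zipfile

LOG4J1_PKG = "org/apache/log4j/"                # Log4j 1.x classes (e.g. 1.2.16)
LOG4J2_CORE = "org/apache/logging/log4j/core/"  # Log4j 2.x core classes
JNDI_LOOKUP = LOG4J2_CORE + "lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(name, data, findings=None):
    """Return (location, generation, has_jndi_lookup) for an archive and its nested archives."""
    findings = [] if findings is None else findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; skip it
    with archive:
        names = archive.namelist()
        if any(n.startswith(LOG4J2_CORE) for n in names):
            findings.append((name, "2.x", JNDI_LOOKUP in names))
        elif any(n.startswith(LOG4J1_PKG) for n in names):
            # The Log4j 2 bridge jar log4j-1.2-api also ships this package,
            # so confirm the reported file name before closing the finding.
            findings.append((name, "1.x", False))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                scan_archive(f"{name}!{n}", archive.read(n), findings)
    return findings

def scan_tree(root):  # walk a directory and scan every archive under it
    findings = []
    for folder, _dirs, files in os.walk(root):
        for f in (f for f in files if f.lower().endswith(ARCHIVES)):
            with open(os.path.join(folder, f), "rb") as fh:
                scan_archive(os.path.join(folder, f), fh.read(), findings)
    return findings

def make_jar(entries):  # build a constructed in-memory archive for demo()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in entries.items():
            z.writestr(path, content)
    return buf.getvalue()

def demo():  # constructed samples: a 1.x jar and a WAR bundling a 2.x core jar
    old = make_jar({LOG4J1_PKG + "Logger.class": b""})
    core = make_jar({JNDI_LOOKUP: b""})
    war = make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": core})
    return scan_archive("log4j-1.2.16.jar", old) + scan_archive("app.war", war)
```

Call `scan_tree` with the installation root of the system being checked; any `2.x` row is in the version range the announcement names and needs follow-up.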

4 Responses to Supported Zimbra Versions Not Affected by 0-day Exploit Vulnerability for Log4j

  1. Valdy December 14, 2021 at 12:12 PM

    Thanks for the update. Do you know if the Zimbra Connector Outlook (ZCO) uses Log4j by any chance?

    • Barry de Graaff December 22, 2021 at 3:30 AM

      ZCO Connector does not use the Log4j library.

  2. Ioannis Chrysanthou December 15, 2021 at 2:41 AM

    We have Zimbra Release 8.8.12_GA_3794.RHEL7_64_20190329045002 RHEL7_64 NETWORK edition, Patch 8.8.12_P6.

    Do you know if this version is affected by this vulnerability?

    • Barry de Graaff December 21, 2021 at 1:54 AM

      Version 8.8.12 is out-of-date and unsupported, and you should update to a supported version of Zimbra.
