Supported Zimbra Versions Not Affected by 0-day Exploit Vulnerability for Log4j

Hello Zimbra Customers, Partners & Friends,

After intensive review and testing, Zimbra Development has determined that the 0-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). The version of Log4j currently used in Zimbra is 1.2.16. The vulnerability occurs in Log4j versions 2.0 and higher.

Thank you,

Your Zimbra Team

4 Responses to Supported Zimbra Versions Not Affected by 0-day Exploit Vulnerability for Log4j

  1. Valdy December 14, 2021 at 12:12 PM

    Thanks for the update. Do you know if the Zimbra Connector Outlook (ZCO) uses Log4j by any chance?

    • Barry de Graaff December 22, 2021 at 3:30 AM

      ZCO Connector does not use the Log4j library.

  2. Ioannis Chrysanthou December 15, 2021 at 2:41 AM

    We have Zimbra Release 8.8.12_GA_3794.RHEL7_64_20190329045002 RHEL7_64 NETWORK edition, Patch 8.8.12_P6.

    Do you know if this version is affected by this vulnerability?

    • Barry de Graaff December 21, 2021 at 1:54 AM

      Version 8.8.12 is out-of-date and unsupported, and you should update to a supported version of Zimbra.
