Hello Zimbra Friends, Customers & Partners,
Zimbra 9.0.0 “Kepler” Patch 22 and 8.8.15 “James Prescott Joule” Patch 29 are here.
Log4j zero-day exploit vulnerability
After intensive review and testing, Zimbra Development determined that the zero-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses Log4j version 1.2.16. The vulnerability originates in the lookup expression feature of Log4j versions 2.0 to 2.17.
Also, the Red Hat vulnerability (CVE-2021-4104) does not affect the currently supported Zimbra Collaboration Server versions (8.8.15 & 9.0.0). For this vulnerability to affect the server, it requires JMSAppender and the ability to append configuration files. Zimbra does not use the JMSAppender.
We are in the process of upgrading Log4j and expect it to be completed within the first quarter of 2022.
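An administrator can confirm the two preconditions described above on their own installation by checking whether any jar carries the Log4j 2.x lookup class and whether any Log4j configuration names JMSAppender. The following is an added example, not Zimbra's code; the function names, the config file-name pattern and the sample files are assumptions constructed for illustration.

```python
import re
import zipfile
from pathlib import Path

# Marker class files inside a jar (paths as shipped by Apache Log4j).
LOG4J1_API = "org/apache/log4j/Logger.class"                           # Log4j 1.x API
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x lookups
CONFIG_NAME = re.compile(r"log4j.*\.(properties|xml)$", re.IGNORECASE)  # assumed pattern


def audit_log4j(root):
    """Return (location, finding) pairs for Log4j jars and configs under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".jar":
            try:
                with zipfile.ZipFile(path) as jar:
                    names = set(jar.namelist())
            except zipfile.BadZipFile:
                findings.append((str(path), "unreadable jar"))
                continue
            if JNDI_LOOKUP in names:  # the lookup feature behind CVE-2021-44228
                findings.append((str(path), "Log4j 2.x JndiLookup class present"))
            elif LOG4J1_API in names:
                findings.append((str(path), "Log4j 1.x API classes present"))
        elif CONFIG_NAME.search(path.name):
            lines = path.read_text(errors="replace").splitlines()
            for number, line in enumerate(lines, 1):
                # Skip .properties comments; a commented-out appender is not active.
                if line.lstrip().startswith(("#", "!")):
                    continue
                if "JMSAppender" in line:  # precondition for CVE-2021-4104
                    findings.append((f"{path}:{number}", "JMSAppender configured"))
    return findings


def build_sample(root):
    """Constructed sample tree: one Log4j 1.x-style jar and two config files."""
    root = Path(root)
    with zipfile.ZipFile(root / "log4j-sample.jar", "w") as jar:
        jar.writestr(LOG4J1_API, b"")
    (root / "log4j.properties").write_text(
        "# log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"
        "log4j.appender.A1=org.apache.log4j.ConsoleAppender\n")
    (root / "extra-log4j.properties").write_text(
        "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
```

Call `audit_log4j()` with the directory to inspect, such as the server's installation root. Jars nested inside other archives are not opened, and XML comments are not skipped, so a JMSAppender hit in an `.xml` file should be read in context.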
Zimbra 9.0.0 “Kepler” Patch 22
Patch 22 is here for the Zimbra 9.0.0 “Kepler” GA release, and it includes What’s New, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 9.0.0 Patch 22 installation on Red Hat and Ubuntu platforms.
Zimbra 8.8.15 “James Prescott Joule” Patch 29
Patch 29 is here for the Zimbra 8.8.15 “James Prescott Joule” GA release, and it includes What’s New, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 8.8.15 Patch 29 installation on Red Hat and Ubuntu platforms.
Note:
- For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands.
- You cannot revert to the previous ZCS release after you upgrade to the patch.
Take care and thanks,
Your Zimbra Team