Update … Supported Zimbra Versions Not Affected By Zero-Day Exploit Vulnerability for Log4j

Hi Zimbra Customers, Partners and Friends,

This is an update to our statement yesterday …

After intensive review and testing, Zimbra Development determined that the zero-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses Log4j version 1.2.16. The cause of the vulnerability is found in the lookup expression feature in Log4j versions 2.0 to 2.17.

Also, the Red Hat vulnerability (CVE-2021-4104) does not affect the currently supported Zimbra Collaboration Server versions (8.8.15 & 9.0.0). For this vulnerability to affect the server, it needs JMSAppender and the ability to append configuration files. Zimbra does not use the JMSAppender.

We are in the process of upgrading Log4j and expect it to be completed within the first quarter of 2022.

Thank you,

Your Zimbra Team
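
One way to check both statements on a given install, as an added example that is not Zimbra's code: it looks inside each jar for the Log4j 2.x `JndiLookup` class (CVE-2021-44228) and the Log4j 1.2 `JMSAppender` class (CVE-2021-4104), and separately reports whether any Log4j configuration file actually enables `JMSAppender`. The scan root and the configuration file-name pattern are assumptions supplied by the operator.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class entries that mark the code paths named in the two CVEs.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # Log4j 2.x
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # Log4j 1.2.x

def classify_jar(jar_path):
    """Report which Log4j generation a jar carries, judged by class entries."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None  # unreadable or not a zip archive
    return {"log4j2_jndi_lookup": JNDI_LOOKUP in names,
            "log4j1_jms_appender": JMS_APPENDER in names}

def config_uses_jms_appender(text):
    """True if a Log4j 1.x properties or XML config activates JMSAppender."""
    text = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)  # drop XML comments
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):  # properties-file comments
            continue
        if "org.apache.log4j.net.JMSAppender" in stripped:
            return True
    return False

def scan(root):
    """Walk root; return (jar findings, configs that reference JMSAppender)."""
    jars, configs = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix == ".jar":
            found = classify_jar(path)
            if found and any(found.values()):
                jars[str(path)] = found
        elif re.fullmatch(r"log4j.*\.(properties|xml)", path.name):  # assumed naming
            if config_uses_jms_appender(path.read_text(errors="replace")):
                configs.append(str(path))
    return jars, configs

if __name__ == "__main__":
    jars, configs = scan(sys.argv[1])  # install root is supplied by the operator
    for jar, found in jars.items():
        print(jar, found)
    print("configs enabling JMSAppender:", configs or "none")
```

A Log4j 1.2 jar ships the `JMSAppender` class whether or not it is used, so the configuration result is the one that matters for CVE-2021-4104. Jars nested inside other archives are not opened.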

10 Responses to Update … Supported Zimbra Versions Not Affected By Zero-Day Exploit Vulnerability for Log4j

  1. Ioannis Chrysanthou December 15, 2021 at 2:42 AM #

    We have Zimbra Release 8.8.12_GA_3794.RHEL7_64_20190329045002 RHEL7_64 NETWORK edition, Patch 8.8.12_P6.

    Do you know if this version is affected by this vulnerability?

    • Barry de Graaff December 21, 2021 at 1:54 AM #

      Version 8.8.12 is out-of-date and unsupported, and you should update to a supported version of Zimbra.

  2. Arsha December 15, 2021 at 5:47 AM #

    Hi
    Could you please confirm whether Zimbra version 8.8.5 is vulnerable or not?

    • Barry de Graaff December 21, 2021 at 1:54 AM #

      Version 8.8.5 is out-of-date and unsupported, and you should update to a supported version of Zimbra.

  3. Imran Khan A December 28, 2021 at 11:23 PM #

    Hi Team,

    Could you please confirm whether Zimbra version 8.8.15 is affected by the Log4j vulnerability, and whether an updated Log4j has been released? Please confirm.

    • Gayle Billat January 20, 2022 at 9:18 AM #

      Hi Imran – Version 8.8.15 is not vulnerable.

  4. David January 3, 2022 at 9:41 AM #

    For version 8.8.11, should I upgrade or is it vulnerable?

    Happy New Year

    • Barry de Graaff January 20, 2022 at 11:09 AM #

      Happy New Year to you as well. Version 8.8.11 is out-of-date and unsupported, and you should update to a supported version of Zimbra.

  5. Flávio Ricardo May 5, 2022 at 2:50 PM #

    The version of Log4j that is running on my Zimbra is 1.2.16. Is this version vulnerable?

    • Barry de Graaff May 5, 2022 at 11:50 PM #

      If you use the latest version of Zimbra 8.8.15 or Zimbra 9.0.0, then you are not vulnerable.
