Zimbra Patches: 9.0.0 Patch 23 + 8.8.15 Patch 30

Zimbra Patch Alert

Hello Zimbra Friends, Customers & Partners,

Zimbra 9.0.0 “Kepler” Patch 23 and 8.8.15 “James Prescott Joule” Patch 30 are here.

Log4j Zero-Day Exploit Vulnerability

After intensive review and testing, Zimbra Development determined that the zero-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra currently uses Log4j version 1.2.16. The cause of the vulnerability is found in the lookup expression feature in Log4j versions 2.0 to 2.17.

Here are updates on the reported vulnerabilities:

  • CVE-2021-4104: This Red Hat vulnerability does not affect the currently supported Zimbra versions (8.8.15 & 9.0.0). For this vulnerability to affect Zimbra, it needs JMSAppender and the ability to append configuration files. Zimbra does not use the JMSAppender.
  • CVE-2022-23307: Zimbra includes the vulnerable component, but it is not exploitable. To be exploited, the system must be running Chainsaw. Chainsaw is included but is never running.
  • CVE-2022-23305: Zimbra is not affected by this vulnerability, since it does not run the JDBCAppender.
  • CVE-2022-23302: Zimbra is not affected by this vulnerability, since it does not run the JMSSink.
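
The two appender-related conditions above (JMSAppender for CVE-2021-4104, JDBCAppender for CVE-2022-23305) can be checked against any Log4j 1.x properties file. The following is an added example, not Zimbra's code: the sample configuration, logger names and function names are constructed for illustration. It does not cover JMSSink or Chainsaw, which are standalone programs rather than configured appenders.

```python
import re

# Log4j 1.x appender classes named in the advisories, mapped to their CVE.
RISKY = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# Constructed sample configuration (not a Zimbra file).
SAMPLE = r"""
# constructed sample
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=/tmp/app.log
log4j.appender.DB = org.apache.log4j.jdbc.JDBCAppender
log4j.appender.QUEUE=org.apache.log4j.net.\
    JMSAppender
log4j.logger.com.example.audit=DEBUG, \
    QUEUE
"""

def parse_properties(text):
    """Parse .properties text: skip comments, join backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line and line[0] not in "#!":
            m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
            if m:
                props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (appender name, CVE, attached to a logger?) for risky appenders."""
    props = parse_properties(text)
    # "log4j.appender.<name>=<class>"; assumes appender names contain no dots.
    appenders = {k.split(".")[2]: v for k, v in props.items()
                 if k.startswith("log4j.appender.") and k.count(".") == 2}
    attached = set()
    for k, v in props.items():
        # Logger values look like "<level>, <appender>, <appender>".
        if k in ("log4j.rootLogger", "log4j.rootCategory") or \
                k.startswith(("log4j.logger.", "log4j.category.")):
            attached.update(n.strip() for n in v.split(",")[1:])
    return [(name, RISKY[cls], name in attached)
            for name, cls in sorted(appenders.items()) if cls in RISKY]
```

An empty result means neither appender class is declared in the file; the third field separates an appender that a logger actually references from one that is only defined.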

We are in the process of upgrading Log4j and expect it to be completed within the first quarter of 2022.

Zimbra 9.0.0 “Kepler” Patch 23

Patch 23 is here for the Zimbra 9.0.0 “Kepler” GA release, and it includes What’s New, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 9.0.0 Patch 23 installation on Red Hat and Ubuntu platforms.

Classic UI has had it, and now with Zimbra 9.0.0 Patch 23, Modern UI has it too: live collaboration and editing with Zimbra Docs in Briefcase.

Zimbra 8.8.15 “James Prescott Joule” Patch 30

Patch 30 is here for the Zimbra 8.8.15 “James Prescott Joule” GA release, and it includes What’s New, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 8.8.15 Patch 30 installation on Red Hat and Ubuntu platforms.

Note:

  • For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands.
  • You cannot revert to the previous Zimbra release after you upgrade to the patch.

Take care and thanks,
Your Zimbra Team


Copyright © 2022 Zimbra, Inc. All rights reserved.
