Security Update: Zimbra not vulnerable to recent OpenSSL and Spring RCE Vulnerabilities

Hello Zimbra Friends, Customers & Partners,

New vulnerabilities in the OpenSSL and Spring Framework projects have been all over the news lately. The Zimbra Engineering team has spent some time digging into these issues to understand any potential impact to Zimbra. The good news is Zimbra does not appear to be affected by the recent issues.


OpenSSL Vulnerability (CVE-2022-0778)

The Zimbra Engineering team has completed an audit of our software and runtime environment and determined that the default installation of Zimbra does not present an opportunity for this attack. An updated OpenSSL library will be included in the next scheduled Zimbra patch release based on the guidance provided by The OpenSSL Project Authors.

Spring RCE Vulnerability (CVE-2022-22965)

The Zimbra Engineering team has completed an audit of our software and runtime environment and has not been able to reproduce the exploit scenario as described. Given the evolving and broad nature of this issue, a patch is being created and will be available for download no later than Friday, April 15th, 2022.

[UPDATE: The Zimbra Engineering team is continuing to work the issues and has provided a revised date of Friday April 22nd for having a patch available.]

[UPDATE: The Zimbra Engineering team has released an update to Patch 24 on April 21st to address any possibility of exploiting the RCE vulnerability in the Spring Framework (CVE-2022-22965).]

We will continue to provide additional information if any becomes available here and on the Zimbra Security Center.


Thanks,

Your Zimbra Team


Copyright © 2022 Zimbra, Inc. All rights reserved.
