Hello Zimbra Friends, Customers & Partners,
New vulnerabilities in the OpenSSL and Spring Framework projects have been all over the news lately. The Zimbra Engineering team has spent some time digging into these issues to understand any potential impact to Zimbra. The good news is Zimbra does not appear to be affected by the recent issues.
OpenSSL Vulnerability (CVE-2022-0778)
The Zimbra Engineering team has completed an audit of our software and runtime environment and determined that the default installation of Zimbra does not present an opportunity for this attack. An updated OpenSSL library will be included in the next scheduled Zimbra patch release based on the guidance provided by The OpenSSL Project Authors.
Spring RCE Vulnerability (CVE-2022-22965)
The Zimbra Engineering team has completed an audit of our software and runtime environment and has not been able to reproduce the exploit scenario as described. Given the evolving and broad nature of this issue, a patch is being created and will be available for download no later than
Friday April 15th 2022.
[UPDATE: The Zimbra Engineering team is continuing to work the issues and has provided a revised date of Friday April 22nd for having a patch available.]
[UPDATE: The Zimbra Engineering team has released an update to Patch 24 on April 21st to address any possibility of exploiting the RCE vulnerability in the Spring Framework (CVE-2022-22965)]
We will continue to provide additional information if any becomes available here and on the Zimbra Security Center.
Your Zimbra Team