What about CVE-2021-3449?


Post by rainer_d » Wed Apr 14, 2021 9:14 am

Hi,

I opened a ticket for this; a bug was created (and the ticket subsequently closed), but it seems nothing is happening?

As Zimbra doesn't link to the "normal" OS libraries (which is understandable, given the complexities involved), we need to wait for Zimbra to patch their OpenSSL accordingly and provide a patch-release...



Rainer



Post by rleiker » Wed Apr 14, 2021 5:12 pm

Opening a support case to report security vulnerabilities is one of two options preferred by Zimbra for reporting vulnerabilities. The other is to send an email to security@zimbra.com to report an issue. I cannot speak for the Zimbra developers, but I believe they use a combination of the CVSS score assigned to a vulnerability and the number of requests they receive from Zimbra admins to fix an issue to determine its internal priority to fix.

Would you mind sharing the ZBUG number that you were given for this vulnerability?

Post by rainer_d » Fri Apr 16, 2021 1:23 pm

ZBUG-2198

In the meantime, I received a report that openssl 1.0.2 (as apparently used in Zimbra, judging from the output of common/bin/openssl version) is not vulnerable.

https://cve.mitre.org/cgi-bin/cvename.c ... =2021-3449

Maybe someone should have updated the bug with this information (if it is indeed correct)?
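
Added example, not part of the thread and not Zimbra's own tooling: a small shell check that classifies the banner printed by an `openssl version` command against CVE-2021-3449, so a bundled build can be compared with the OS one. The function names are hypothetical, the ranges follow the upstream OpenSSL advisory of 25 March 2021 (1.1.1 through 1.1.1j affected, 1.1.1k fixed, 1.0.2 not impacted), and it assumes the banner reflects the upstream version with no vendor backports.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against CVE-2021-3449.
# Ranges per the upstream OpenSSL advisory of 25 March 2021:
#   1.1.1 through 1.1.1j affected, 1.1.1k fixed, 1.0.2 not impacted.
# Assumption: the banner shows the upstream version (no vendor backports).

cve_2021_3449_status() {
    # $1: banner text, e.g. "OpenSSL 1.0.2u  20 Dec 2019"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        # Letters are listed explicitly so the match does not depend on locale.
        1.1.1|1.1.1[abcdefghij]) echo affected ;;
        1.1.1[klmnopqrstuvwxyz]) echo fixed ;;
        1.0.2*)                  echo not-affected ;;
        # Other branches, suffixed builds, non-OpenSSL banners: check by hand.
        *)                       echo unknown ;;
    esac
}

check_builds() {
    # Each argument is the path of an openssl binary, for example the system
    # one and the copy shipped inside an application's own directory tree.
    for bin in "$@"; do
        banner=$("$bin" version 2>/dev/null) || banner=""
        printf '%s\t%s\t%s\n' "$bin" "${banner:-<no banner>}" \
            "$(cve_2021_3449_status "$banner")"
    done
}

# Run directly with one or more binary paths as arguments.
if [ "$#" -gt 0 ]; then
    check_builds "$@"
fi
```

An "unknown" result means the banner did not match a branch the script knows about and should be checked against the advisory by hand.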
