Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day vulnerability in log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16, which does not contain the lookup expression feature found in versions 2.0 to 2.17 that is the cause of the vulnerability. The Red Hat vulnerability (CVE-2021-4104) also does not affect Zimbra Collaboration Server versions 8.8.15 & 9.0.0. For that vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.

This Forum is now locked

Zimbra Collaboration 8.8 Beta

Post by jorgedlcruz » Thu Dec 14, 2017 4:03 pm

Hi guys,
As we have released Zimbra Collaboration 8.8, and it is now GA, all the questions about new installations, migrations, suggestions, etc. should go to the regular Forums; however, you can still read all the Threads on this Forum.

Best regards


Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
