Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16, which does not contain the lookup expression feature found in versions 2.0 to 2.17 that is the cause of the vulnerability. The Red Hat (CVE-2021-4104) vulnerability also does not affect Zimbra Collaboration Server versions 8.8.15 & 9.0.0. For that vulnerability to affect the server, it needs JMSAppender, which the ZCS server does not use, and the ability to append configuration files.
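The two conditions named in the notice above can be checked on any host. The following is an added example, not Zimbra's code: it looks inside a jar for the log4j 2 lookup class and the log4j 1 JMSAppender class, and checks whether a log4j 1 properties config actually names JMSAppender. The class-file paths are the standard ones in the log4j jars; the function names, sample jar and sample config are constructed for illustration.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x lookup code
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # ships in log4j 1.2 jars
LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # identifies a log4j 1.x jar

def classify_jar(jar_bytes):
    """List the marker classes present in one jar (nested jars are not unpacked)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return {
        "log4j1": LOG4J1_MARKER in names,
        "jndi_lookup": JNDI_LOOKUP in names,
        "jms_appender_class": JMS_APPENDER in names,
    }

def config_uses_jms_appender(config_text):
    """True if a log4j.properties-style config names JMSAppender on a non-comment line."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):  # properties-file comment markers
            continue
        if "org.apache.log4j.net.JMSAppender" in stripped:
            return True
    return False

def preconditions(jar_bytes, config_text):
    """Report whether the code path each CVE depends on is present (not proof of exploitability)."""
    found = classify_jar(jar_bytes)
    return {
        "CVE-2021-44228": found["jndi_lookup"],
        "CVE-2021-4104": found["log4j1"] and found["jms_appender_class"]
        and config_uses_jms_appender(config_text),
    }

def make_sample_jar(entries):
    """Build a constructed jar in memory containing empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a log4j 1.2-style jar and a config with JMSAppender commented out.
    jar = make_sample_jar([LOG4J1_MARKER, JMS_APPENDER])
    cfg = "log4j.appender.A=org.apache.log4j.FileAppender\n#log4j.appender.J=org.apache.log4j.net.JMSAppender\n"
    print(preconditions(jar, cfg))
```

A `True` result only means the code path is present; as the notice says, CVE-2021-4104 additionally requires the ability to append configuration files.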

Zimbra 8.8.15 patch 20 CVE rating 9.8

Post by halfgaar » Wed Mar 31, 2021 8:51 am

For lack of an announcement topic, I'm taking the liberty:

Zimbra Collaboration Joule 8.8.15 Patch 20 GA Release

I don't know what a joule is (aside from a unit of energy), but I guess it's a suite.

"Heap-based buffer overflow vulnerabilities in PHP < 7.3.10" has a 9.8 rating. "Upgraded Apache to 2.4.46 to avoid multiple vulnerabilities." has a 7.8.

On my server, there are 59 Zimbra updates waiting.

Re: Zimbra 8.8.15 patch 20 CVE rating 9.8

Post by Klug » Wed Mar 31, 2021 4:12 pm

Joule is the nickname of this ZCS version (8.8.15).
