Hi
I'm on Zimbra 8.8.10, on CentOS 7.
I thought this was the last free version. IDK.
No further updates of Zimbra are available via 'yum update'
(Package zimbra-common-core-jar-8.8.10.1554634214-1.r7.x86_64 already installed and latest version)
I received a note from the abuse service at Hetzner where I run my mailserver, which says:
------------8<-----------
> Researchers from DIVD (https://divd.nl) have identified a **potentially vulnerable** Zimbra Collaboration (ZCS) instance within your network. We have not performed any active testing to confirm whether the instance is vulnerable; instead, our assessment is based on the fact that your HTTP instance reports an outdated version of Zimbra, which may be susceptible to a known vulnerability in the postjournal service. This vulnerability is identified as CVE-2024-45519 and could potentially allow unauthenticated users to execute commands remotely.
>
> Zimbra has released multiple patches to address this vulnerability. You can find the advisory and the patches at the Zimbra Security Center: https://wiki.zimbra.com/wiki/Security_Center
------------8<-----------
Can anyone suggest/advise a relatively painless way forward?
thanks,
Am I stuck - where to from 8.8.10?
Re: Am I stuck - where to from 8.8.10?
Zimbra 8.8.10 is already >5 years out of support (see here), and contains several critical security vulnerabilities which have seen Internet-wide exploitation.
(CVE-2024-45519 postjournal is the most recent, but certainly not the only one).
As your server has likely already been compromised, I wouldn't attempt to upgrade it in place, but build a new setup from scratch and migrate.
Re: Am I stuck - where to from 8.8.10?
Zimbra no longer supports version 8.8.10, so no official patches for this version will be released.