==================================================================
CERT-Renater Note d'Information No. 2022/VULN135
_____________________________________________________________________

DATE                 : 04/04/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zimbra versions prior to 9.0.0 P24, 8.8.15.
==================================================================

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P31#Security_Fixes
https://blog.zimbra.com/2022/03/new-zimbra-patches-9-0-0-patch-24-and-8-8-15-patch-31/
_____________________________________________________________________

Security Fixes Summary (Zimbra 9.0.0 Patch 24)

Fix                                                                                  | CVE-ID                         | CVSS Score | Zimbra Rating | Fix Patch Version
-------------------------------------------------------------------------------------|--------------------------------|------------|---------------|------------------
Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities.                         | CVE-2021-40438, CVE-2021-39275 | 9.0        | Critical      | 9.0.0 P24
Upgraded PHP to 7.4.27 to avoid DoS vulnerability.                                   | CVE-2021-21702                 | 7.5        | High          | 9.0.0 P24
An endpoint URL accepts parameters without sanitizing them, causing an XSS vulnerability. | CVE-2022-27926            | TBD        | Medium        | 9.0.0 P24
RCE through mboximport from authenticated user.                                      | CVE-2022-27925                 | TBD        | Medium        | 9.0.0 P24
Memcached poisoning with unauthenticated request.                                    | CVE-2022-27924                 | TBD        | High          | 9.0.0 P24
_____________________________________________________________________

Security Fixes Summary (Zimbra 8.8.15 Patch 31)

Fix                                                                                  | CVE-ID                         | CVSS Score | Zimbra Rating | Fix Patch Version
-------------------------------------------------------------------------------------|--------------------------------|------------|---------------|------------------
Upgraded Apache to 2.4.53 to avoid multiple vulnerabilities.                         | CVE-2021-40438, CVE-2021-39275 | 9.0        | Critical      | 9.0.0 P24
Upgraded PHP to 7.4.27 to avoid DoS vulnerability.                                   | CVE-2021-21702                 | 7.5        | High          | 8.8.15 P31
RCE through mboximport from authenticated user.                                      | CVE-2022-27925                 | TBD        | Medium        | 8.8.15 P31
Memcached poisoning with unauthenticated request.                                    | CVE-2022-27924                 | TBD        | High          | 8.8.15 P31
_____________________________________________________________________

Zimbra 9.0.0 “Kepler” Patch 24 and 8.8.15 “James Prescott Joule” Patch 31 are here.
Update on Log4j Vulnerability

After intensive review and testing, Zimbra Development determined that the zero-day exploit vulnerability for Log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra currently uses Log4j version 1.2.16. The cause of the vulnerability is found in the lookup expression feature in Log4j versions 2.0 to 2.17. Please refer to the release notes for more information.

Zimbra 9.0.0 “Kepler” Patch 24

Patch 24 is here for the Zimbra 9.0.0 “Kepler” GA release, and it includes What’s New, Security Fixes, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 9.0.0 Patch 24 installation on Red Hat and Ubuntu platforms.

Zimbra 8.8.15 “James Prescott Joule” Patch 31

Patch 31 is here for the Zimbra 8.8.15 “James Prescott Joule” GA release, and it includes What’s New, Security Fixes, Fixed Issues and Known Issues as listed in the release notes. Please refer to the release notes for Zimbra 8.8.15 Patch 31 installation on Red Hat and Ubuntu platforms.

Note: For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands. You cannot revert to the previous Zimbra release after you upgrade to the patch.

Thanks,
Your Zimbra Team

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
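Added example (not part of the CERT-Renater note or of Zimbra's release material): a small inventory triage that classifies each Zimbra host as patched or still vulnerable against the fix levels this advisory lists (9.0.0 P24 and 8.8.15 P31). It assumes the `zmcontrol -v` output format "Release x.y.z.GA.<build>.<platform> ..., Patch x.y.z_P<n>." and that a build with no "Patch" suffix is at patch level 0; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
import re

# Minimum patch level per release that carries the fixes listed in this advisory.
# Releases not in this table (e.g. 8.7.x) receive no patch here and must be
# reviewed manually.
FIXED_PATCH = {"9.0.0": 24, "8.8.15": 31}

# Assumed `zmcontrol -v` output format, e.g.
#   "Release 9.0.0.GA.3924.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P23."
_RELEASE_RE = re.compile(r"Release\s+(\d+\.\d+\.\d+)")
_PATCH_RE = re.compile(r"Patch\s+(\d+\.\d+\.\d+)_P(\d+)")


def parse_zmcontrol_version(output):
    """Return (release, patch_level) parsed from `zmcontrol -v` output.

    patch_level is 0 when the output carries no "Patch x.y.z_Pn" suffix,
    i.e. an unpatched GA build.
    """
    m = _RELEASE_RE.search(output)
    if not m:
        raise ValueError("no 'Release x.y.z' field found in zmcontrol output")
    release = m.group(1)
    p = _PATCH_RE.search(output)
    patch_level = int(p.group(2)) if p else 0
    return release, patch_level


def assess(output):
    """Classify one host against the advisory's fix levels.

    Returns "patched", "vulnerable", or "out_of_scope" (release not covered
    by this advisory; no patch is offered for it, so it needs manual review).
    """
    release, patch_level = parse_zmcontrol_version(output)
    required = FIXED_PATCH.get(release)
    if required is None:
        return "out_of_scope"
    return "patched" if patch_level >= required else "vulnerable"


def triage(inventory):
    """Map hostname -> status for a dict of hostname -> `zmcontrol -v` output."""
    return {host: assess(output) for host, output in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "Release 9.0.0.GA.3924.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P23.",
    "mail-b.example.test": "Release 9.0.0.GA.3924.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P24.",
    "mail-c.example.test": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.",
    "mail-d.example.test": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition.",
    "mail-e.example.test": "Release 8.7.11.GA.1854.UBUNTU16.64 UBUNTU16_64 FOSS edition.",
}


def vulnerable_hosts(inventory):
    """Hosts that still need the patch, sorted for a stable report."""
    return sorted(h for h, s in triage(inventory).items() if s == "vulnerable")


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22s} {status}")
```

Feed the function real output collected with `zmcontrol -v` on each mailbox host (run as the zimbra user); a host reported as "vulnerable" is below the fix level for its release, and a host reported as "out_of_scope" runs a release the advisory offers no patch for and should be escalated separately.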