Zimbra not affected by log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development determined that the 0-day vulnerability in log4j (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 & 8.8.15). Zimbra Collaboration Server currently uses log4j1 version 1.2.16, which doesn't contain the lookup expression feature found in versions 2.0 to 2.17 that is the cause of the vulnerability. The Red Hat vulnerability (CVE-2021-4104) also does not affect Zimbra Collaboration Server versions 8.8.15 & 9.0.0. For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.
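The JMSAppender condition for CVE-2021-4104 can be checked directly against a log4j 1.x configuration. The following is an added example, not Zimbra's code: it parses a `.properties`-style config and reports each JMSAppender, whether a logger references it, and which JNDI-name options it sets. The function names and both sample configurations are constructed for illustration, and only the `key=value` properties format is handled (not `log4j.xml`).

```python
JMS_CLASS = "org.apache.log4j.net.JMSAppender"
# JMSAppender options that hold JNDI names; these drive the lookups behind CVE-2021-4104.
JNDI_OPTIONS = {"topicbindingname", "topicconnectionfactorybindingname"}
LOGGER_KEYS = ("log4j.rootLogger", "log4j.rootCategory", "log4j.logger.", "log4j.category.")

# Constructed sample configurations (not taken from any real server).
SAMPLE_CLEAN = """\
log4j.rootLogger=INFO, FILE
log4j.appender.FILE=org.apache.log4j.FileAppender
"""
SAMPLE_JMS = """\
# BUS is attached to the root logger, SPARE is defined but unused
log4j.rootLogger = INFO, FILE, BUS
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.BUS=org.apache.log4j.net.JMSAppender
log4j.appender.BUS.TopicBindingName=exampleTopic
log4j.appender.BUS.TopicConnectionFactoryBindingName=exampleFactory
log4j.appender.SPARE=org.apache.log4j.net.JMSAppender
"""

def parse_properties(text):
    """Parse key=value lines into a dict, skipping blank and comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def find_jms_appenders(text):
    """Return one finding per JMSAppender defined in a log4j 1.x properties config."""
    props = parse_properties(text)
    attached = set()  # appender names referenced by a logger: "LEVEL, name1, name2"
    for key, value in props.items():
        if key.startswith(LOGGER_KEYS):
            attached.update(n.strip() for n in value.split(",")[1:] if n.strip())
    findings = []
    for key, value in props.items():
        if key.startswith("log4j.appender.") and key.count(".") == 2 and value == JMS_CLASS:
            name = key.split(".")[2]
            opts = {k[len(key) + 1:]: v for k, v in props.items()
                    if k.startswith(key + ".") and k[len(key) + 1:].lower() in JNDI_OPTIONS}
            findings.append({"appender": name, "attached": name in attached,
                             "jndi_options": opts})
    return findings

if __name__ == "__main__":
    print(find_jms_appenders(SAMPLE_CLEAN), find_jms_appenders(SAMPLE_JMS))
```

An empty result means no JMSAppender is declared in that file; an entry with `attached` set to true is an appender that a logger actually uses.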