OpenSSL and the Spring Framework have both recently been the subject of security alerts following the discovery of new vulnerabilities. After investigating these concerns, the Zimbra Engineering team has determined whether Zimbra is affected; Zimbra appears to be unaffected by these latest problems.
Spring RCE Vulnerability (CVE-2022-22965)
During an investigation of our software and environment, the Zimbra Engineering team was unable to replicate the attack scenario as described. Nevertheless, because the impact of the Spring Framework RCE vulnerability (CVE-2022-22965) is still unfolding and wide-reaching, a fix will be released for download no later than April 21st.
OpenSSL Vulnerability (CVE-2022-0778)
In an assessment of our software and runtime environment, the Zimbra Engineering team found that this attack is not possible with a default installation of Zimbra. Zimbra’s next scheduled patch release will include an upgraded OpenSSL library from The OpenSSL Project Authors.
Zimbra not affected by log4j vulnerability
There is no evidence that any currently supported Zimbra version (8.8.15 & 9.0.0) is at risk from the log4j 0-day exploit vulnerability (CVE-2021-44228). Log4j version 1.2.16, which is used by Zimbra Collaboration Server, does not have the lookup-expression feature that is responsible for this vulnerability.
Here are a few additional details on recently discovered and previously known vulnerabilities:
– CVE-2021-4104: The currently supported versions of Zimbra Collaboration Server (8.8.15 & 9.0.0) are not vulnerable to this issue reported by Red Hat. Exploitation requires the ability to attach configuration files to JMSAppender, and Zimbra does not use the JMSAppender.
– CVE-2022-23307: Zimbra ships the affected component, but the issue cannot be exploited: abuse requires Chainsaw to be running, and Chainsaw is not running in Zimbra.
– CVE-2022-23305: Zimbra does not use the JDBCAppender, so it is not affected by this issue.
– CVE-2022-23302: Zimbra does not use the JMSSink, so it is not affected by this vulnerability.
Separately, Zimbra noted in its advisory: “Zimbra would like to alert its customers that it is possible for them to introduce an SSRF security vulnerability in the Proxy Servlet. If this servlet is configured to allow a particular domain (via the zimbraProxyAllowedDomains configuration setting), and that domain resolves to an internal IP address (such as 127.0.0.1), an attacker could possibly access services running on a different port on the same server, which would normally not be exposed publicly.”
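Each of the log4j 1.x findings above hinges on whether a particular component is actually configured, so inspecting a server’s log4j properties file is the natural way to verify them. The script below is an added example, not Zimbra’s own tooling: it parses a log4j 1.x properties file, lists appenders whose class is JMSAppender or JDBCAppender, and distinguishes appenders that are merely defined from those attached to a logger. The sample configuration is constructed for illustration and is not taken from any Zimbra installation.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Log4j 1.2 appender classes whose presence in a live configuration is the
# precondition for the CVEs discussed above (mapped to the CVE each concerns).
# Chainsaw (CVE-2022-23307) and JMSSink (CVE-2022-23302) are standalone
# programs rather than appenders, so they never appear in log4j.properties;
# their use has to be checked from running processes instead.
FLAGGED_APPENDERS: Dict[str, str] = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# "log4j.appender.<name>=<class>"; sub-keys such as ".layout" are excluded
# because the name group cannot contain a dot.
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
# Logger definitions: "log4j.rootLogger=LEVEL, app1, app2" and
# "log4j.logger.<name>=LEVEL, app1" (plus the older category spellings).
_LOGGER_RE = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_log4j_properties(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (appender name -> class, names of appenders attached to some logger)."""
    defined: Dict[str, str] = {}
    attached: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = _APPENDER_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        m = _LOGGER_RE.match(line)
        if m:
            # The first comma-separated token is the level; the rest name appenders.
            tokens = [t.strip() for t in m.group(1).split(",")]
            attached.update(t for t in tokens[1:] if t)
    return defined, attached


def assess(text: str) -> List[Dict[str, object]]:
    """List flagged appenders, noting whether each is actually wired to a logger."""
    defined, attached = parse_log4j_properties(text)
    findings: List[Dict[str, object]] = []
    for name, cls in sorted(defined.items()):
        cve: Optional[str] = FLAGGED_APPENDERS.get(cls)
        if cve is None:
            continue
        findings.append({"appender": name, "class": cls, "cve": cve, "active": name in attached})
    return findings


# Constructed sample configuration: one JMSAppender that is defined but never
# attached, and one JDBCAppender that an audit logger actually uses.
SAMPLE_CONFIG = """\
# constructed log4j 1.x properties for illustration
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.logger.com.example.audit=WARN, db
"""

if __name__ == "__main__":
    for f in assess(SAMPLE_CONFIG):
        state = "ACTIVE" if f["active"] else "defined but unused"
        print(f'{f["cve"]}: appender "{f["appender"]}" ({f["class"]}) is {state}')
```

An appender that is defined but attached to no logger never receives events, which is why the report separates the two states: only the active case reproduces the precondition the advisories describe. On a real host, read the properties file the application actually loads and pass its contents to assess.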
Open-source and commercially sponsored versions of Zimbra’s email, calendar, and collaboration suite are available, with the latter including, among other things, a proprietary connector API for syncing mail, calendar, and contacts with Microsoft Outlook. More than 200,000 companies in 160 countries use it.
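The Proxy Servlet SSRF advisory quoted above turns on a single condition: an entry in zimbraProxyAllowedDomains that resolves to an internal address. That condition can be audited directly. The script below is an added example, not Zimbra’s own tooling: it takes a list of allowed-domain values, resolves each one, and reports entries that resolve to loopback, private, link-local or otherwise non-globally-routable addresses. Resolution is injectable so the example runs offline against a constructed DNS table; the domain names and addresses are sample data, and treating wildcard entries as needing manual review is an assumption about how such entries behave, not something the advisory states.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# A resolver maps a host name to the list of addresses it resolves to.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the operating system's resolver (all A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal(addr: str) -> bool:
    """True for loopback, private, link-local and other non-globally-routable addresses."""
    return not ipaddress.ip_address(addr).is_global


def audit_allowed_domains(allowed: List[str], resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Classify allowed-domain entries into internal hits, unresolved names and wildcards."""
    internal: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    wildcard: List[str] = []
    for entry in allowed:
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("*."):
            # Assumption: a wildcard admits any subdomain, so no single lookup
            # can prove it safe; leave it for manual review.
            wildcard.append(entry)
            continue
        addrs = resolve(entry)
        if not addrs:
            unresolved.append(entry)
            continue
        hits = sorted(a for a in addrs if is_internal(a))
        if hits:
            internal[entry] = hits
    return {"internal": internal, "unresolved": unresolved, "wildcard": wildcard}


# Constructed DNS table for an offline run; names and addresses are sample data.
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.test": ["93.184.216.34"],                # public only: fine
    "intranet.example.test": ["10.20.30.40"],              # RFC 1918: flagged
    "loop.example.test": ["127.0.0.1", "93.184.216.35"],   # mixed: flagged on 127.0.0.1
    "v6.example.test": ["::1"],                            # IPv6 loopback: flagged
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver backed by the constructed table."""
    return FAKE_DNS.get(host, [])


SAMPLE_ALLOWED = [
    "mail.example.test", "intranet.example.test", "loop.example.test",
    "v6.example.test", "*.example.test", "ghost.example.test",
]

if __name__ == "__main__":
    report = audit_allowed_domains(SAMPLE_ALLOWED, fake_resolver)
    for domain, addrs in report["internal"].items():
        print(f"FLAG {domain} resolves to internal address(es): {', '.join(addrs)}")
    for domain in report["wildcard"]:
        print(f"REVIEW {domain}: wildcard entry, check manually")
    for domain in report["unresolved"]:
        print(f"INFO {domain}: no address returned")
```

A mixed entry such as loop.example.test is flagged on its internal address alone, because a client that reaches the loopback record would still hit the locally bound service. Against a live directory, pass the attribute’s values to audit_allowed_domains with the default system_resolver; entries that land in the internal list should be removed from the allowed set or pointed at a host that only resolves publicly.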