
Log4j Zero-Day Exploit Vulnerability


After intensive review and testing, Zimbra Development has determined that the Log4j zero-day vulnerability (CVE-2021-44228) does not affect the currently supported Zimbra versions (9.0.0 and 8.8.15).
Zimbra currently uses Log4j version 1.2.16, whereas the vulnerability lies in the lookup expression feature of Log4j versions 2.0 to 2.17, a feature that the Log4j 1.x branch does not have.

Here are updates on the reported vulnerabilities:

CVE-2021-4104: This vulnerability, reported by Red Hat, does not affect the currently supported Zimbra versions (8.8.15 and 9.0.0). For it to affect Zimbra, the JMSAppender would have to be in use and an attacker would need the ability to alter the Log4j configuration files. Zimbra does not use the JMSAppender.

CVE-2022-23307: Zimbra contains the vulnerable code but is not exploitable. Exploitation requires the system to be running Chainsaw; Chainsaw is included in the distribution but is never run.

CVE-2022-23305: Zimbra is not affected, since it does not run the JDBCAppender.

CVE-2022-23302: Zimbra is not affected, since it does not run the JMSSink.
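A defender-side check for the four conditions listed above, as an added example that is not Zimbra's own code: it reports only the CVEs whose prerequisite actually holds on a host, distinguishing an appender that is configured from a class that is merely shipped in the jar, and a standalone tool that is running from one that is merely present. The class names are Log4j 1.2's own; the sample configuration and process list are constructed.

```python
"""Audit checks for the Log4j 1.2 issues in the notice: is JMSAppender
(CVE-2021-4104) or JDBCAppender (CVE-2022-23305) actually configured, and is
the standalone JMSSink (CVE-2022-23302) or Chainsaw (CVE-2022-23307) running?"""
import re
from typing import Dict, List

# Appender classes whose presence in the *active* configuration makes the
# CVE reachable; merely shipping the class inside the jar does not.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
# JMSSink and Chainsaw are separate programs, so they are looked for in
# running Java command lines rather than in log4j.properties.
STANDALONE_TOOLS = {
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.chainsaw.": "CVE-2022-23307",
}
# Matches the line declaring an appender's class ("log4j.appender.R=..."),
# not its option lines ("log4j.appender.R.File=...").
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")

def configured_appenders(properties_text: str) -> Dict[str, str]:
    """Return {appender_name: class_name} declared in a log4j.properties."""
    found = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # blank or comment
            continue
        m = APPENDER_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def reachable_cves(properties_text: str, ps_lines: List[str]) -> List[str]:
    """CVE ids whose prerequisite (configured appender or running tool) holds."""
    classes = configured_appenders(properties_text).values()
    hits = {RISKY_APPENDERS[c] for c in classes if c in RISKY_APPENDERS}
    for cmd in ps_lines:
        hits.update(cve for cls, cve in STANDALONE_TOOLS.items() if cls in cmd)
    return sorted(hits)

# Constructed samples (not Zimbra's real configuration or process list):
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, R, JMS
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/tmp/mailbox.log
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
"""
SAMPLE_PS = ["java -cp log4j-1.2.16.jar org.apache.log4j.chainsaw.Main", "java -jar mailboxd.jar"]
```

On a real host, feed it the contents of the active log4j.properties and the output of `ps -eo args` for the Java processes; a result of `[]` matches the "not exploitable" position the notice takes.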

Zimbra is in the process of upgrading Log4j and expects the upgrade to be completed within the first quarter of 2022.



© managedhosting.de