Below is some information about the Zimbra + log4j zero-day:
# Posted by andreaswolske on Zimbra Forum (Sat Dec 11, 2021)
0-day Exploit Vulnerability for log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development has determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the current Supported Zimbra versions (9.0.0 & 8.8.15). The current version of log4j used in Zimbra is 1.2.16. The vulnerability occurs in log4j versions 2.0 and higher.
Source: Zimbra Forum
# Posted by remkop on Github
Update (2021-12-11 09:09 JST): according to this analysis by @ceki (the author of log4j 1.x), Log4j 1.x is not impacted, since it does not have lookups, and the JMS Appender only loads Strings from the remote server, not serialized objects.
Update (2021-12-12 10:09 JST): according to this analysis by @TopStreamsNet, strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.
Source: GitHub
Update Tue 14 Dec 2021 18:14 WIT (GMT+7)
Zimbra has published information about log4j on the Blog. Please read here: https://blog.zimbra.com/2021/12/11825/
# barrydegraaff (Zimbra employee) update and comment on the zimbra forum
After intensive review and testing, Zimbra Development determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the current Supported Zimbra versions (9.0.0 & 8.8.15).
Zimbra Collaboration Server currently uses log4j1 version 1.2.16 which doesn’t contain the lookup expression feature that is found within versions 2.0 to 2.17, which is the cause of the vulnerability.
Also, the Red Hat (CVE-2021-4104) vulnerability does not affect the Zimbra Collaboration Server versions (8.8.15 & 9.0.0). For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.
Source: Zimbra Forum
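The two posts above rest on one fact: which log4j generation a jar belongs to, and whether it carries the classes behind each CVE. The script below is an added check (example code, not Zimbra's and not from the forum posters) that classifies a jar as log4j 1.x or 2.x from its package layout, reads the Maven version, and flags `JndiLookup` (the 2.x lookup feature behind CVE-2021-44228) and `JMSAppender` (the 1.x component behind CVE-2021-4104). The class paths are assumed from Apache's standard packaging, and the two sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Marker classes, assumed from Apache's standard log4j 1.x / 2.x package layout.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # 2.x, CVE-2021-44228
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"                # 1.x, CVE-2021-4104
VERSION_RE = re.compile(r"^version=(.+)$", re.M)


def inspect_jar(data: bytes) -> dict:
    """Report the log4j generation, Maven version and vulnerability-relevant
    classes found in a jar given as raw bytes (read from disk on a real host)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                m = VERSION_RE.search(zf.read(name).decode("utf-8", "replace"))
                if m:
                    version = m.group(1).strip()
    if LOG4J2_MARKER in names:
        generation = "log4j2"
    elif LOG4J1_MARKER in names:
        generation = "log4j1"
    else:
        generation = "none"
    return {"generation": generation, "version": version,
            "jndi_lookup": JNDI_LOOKUP in names, "jms_appender": JMS_APPENDER in names}


def build_jar(entries: dict) -> bytes:
    """Build a minimal zip with the given entries (constructed sample, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins: the layout of log4j 1.2.16 as used by ZCS, and a log4j-core 2.x jar.
LOG4J1_SAMPLE = build_jar({LOG4J1_MARKER: b"", JMS_APPENDER: b"",
                           "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.16\n"})
LOG4J2_SAMPLE = build_jar({LOG4J2_MARKER: b"", JNDI_LOOKUP: b"",
                           "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.14.1\n"})

if __name__ == "__main__":
    for label, jar in (("log4j-1.2.16", LOG4J1_SAMPLE), ("log4j-core-2.x", LOG4J2_SAMPLE)):
        print(label, inspect_jar(jar))
```

On a live server, pass the bytes of each log4j jar found under /opt/zimbra to `inspect_jar` (the exact jar locations are not given on this page); a result of `log4j1` with `jms_appender` present matches the situation described above, where the class ships but is unused.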
Some precautions
# Tips from maxxer
Made this rule for nginx
```nginx
if ($http_user_agent ~* (jndi)) { return 403; }
location ~* jndi { return 403; }
```
Placed in /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and then proxy service restarted
Source: Zimbra Forum
# Tips from andreaswolske
Added “log4j2.formatMsgNoLookups=true” to zimbra_zmjava_options
Before
```shell
zmlocalconfig zimbra_zmjava_options
zimbra_zmjava_options = -Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true
```
Note: Please adjust this to match your own configuration before applying it.
After
```shell
zmlocalconfig -e zimbra_zmjava_options="-Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true"
zmcontrol restart
```
Source: Zimbra Forum
For more information about Zimbra + log4j, stay tuned to the Zimbra forums here: https://forums.zimbra.org/viewtopic.php?f=15&t=70240
Thank you, Iman. For older versions, will there be any way to mitigate the bug?
Greetings
Hi Mariano,
If you are still using log4j1 version 1.2.16, your Zimbra is not affected. However, I recommend you upgrade to the latest version.
Hi, Iman. I am always looking at your blog, and thank you.
On a different note…about this subject…sorry.
I want you to teach me the difference between Zimbra (by Zextras) and Carbonio.
I suppose Carbonio (CE edition) is the successor to Zimbra? Is that wrong?
If you know about it, please tell me.
Regards
Hi Funig,
It seems like that. I cannot give more details. I look forward to the release of Zextras Carbonio 🙂
Thank you for your reply. I look forward to the release, too.
Hi,
`log4j2.formatMsgNoLookups=true`
is only for log4j v2, as you can see in the name of the property.
If I understand correctly, Zimbra in all versions uses log4j 1.2.x, so this property is not needed.