Zimbra + Log4j 0day

Posted by

Below are some information about Zimbra + log4j zero day :

# Posted by andreaswolske on Zimbra Forum (Sat Dec 11, 2021)

0-day Exploit Vulnerability for log4j (CVE-2021-44228)
After intensive review and testing, Zimbra Development has determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the current Supported Zimbra versions (9.0.0 & 8.8.15). The current version of log4j used in Zimbra is 1.2.16. The vulnerability occurs in log4j versions 2.0 and higher.

Source: Zimbra Forum

# Posted by remkop on Github

Update (2021-12-11 09:09 JST): according to this analysis by @ceki (the author of log4j 1.x), Log4j 1.x is not impacted, since it does not have lookups, and the JMS Appender only loads Strings from the remote server, not serialized objects.

Update (2021-12-12 10:09 JST): according to this analysis by @TopStreamsNet, strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.

Source : Github

Update Tue 14 Dec 2021 18:14 WIT (GMT+7)

Zimbra has published information about log4j on the Blog. Please read here: https://blog.zimbra.com/2021/12/11825/

# barrydegraaff (Zimbra employee) update and comment on the zimbra forum

After intensive review and testing, Zimbra Development determined that the 0-day exploit vulnerability for log4j (CVE-2021-44228) does not affect the current Supported Zimbra versions (9.0.0 & 8.8.15).

Zimbra Collaboration Server currently uses log4j1 version 1.2.16 which doesn’t contain the lookup expression feature that is found within versions 2.0 to 2.17, which is the cause of the vulnerability.

Also, Redhat (CVE-2021-4104) vulnerability does not affect the Zimbra Collaboration Server version (8.8.15 & 9.0.0). For this vulnerability to affect the server, it needs JMSAppender, which the ZCS Server does not use, and the ability to append configuration files.

Source: Zimbra Forum

Some precautions

# Tips from maxxer

Made this rule for nginx

if ($http_user_agent ~* (jndi) ) {
   return 403;
}
location ~* jndi {
   return 403;
}

Placed in /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and then proxy service restarted

Source : Zimbra Forum

# Tips from andreaswolske

Added “log4j2.formatMsgNoLookups=true” to zimbra_zmjava_options

Before

zmlocalconfig zimbra_zmjava_options
zimbra_zmjava_options = -Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true

Note: Please adjust with your configuration before apply this rule
After

zmlocalconfig -e zimbra_zmjava_options="-Xmx256m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true"
zmcontrol restart

Source: Zimbra Forum

For more information about Zimbra + log4j, stay tuned to the Zimbra forums here: https://forums.zimbra.org/viewtopic.php?f=15&t=70240

6 comments

    1. Hi Mariano,
      If you are still using log4j1 version 1.2.16, your zimbra is not affected. However, I recommend you to upgrade to the latest version

  1. Hi, iman.I am always looking your blog and thank you.
    On a different note…about this subject…sorry.
    I want you to teach me how different between zimbra(by zextras) and carbonio?
    I suppose carbonio(CE edition) is successor after zimbra? Is it wrong?
    If you know about it, please tell me.

    Regards

  2. Hi,
    log4j2.formatMsgNoLookups=true
    is only for log4j v2 as you can see in the name of property.
    If I understand, zimbra in all versione use log4j 1.2.x, so this property is not needed.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.