New Patch Release: Critical Cross-Site Scripting (XSS) Vulnerabilities Addressed in Zimbra

Zimbra has rolled out an important patch update focusing on fixing multiple Cross-Site Scripting (XSS) vulnerabilities across various editions of its platform. The patch, while categorized with medium severity, is essential for enhancing both the security and user experience for Zimbra users.
Zimbra

Affected Editions and Release Highlights

The latest patch release brings critical security fixes to the following Zimbra versions:

  • Zimbra Daffodil 10.1.1
  • Zimbra Daffodil 10.0.9
  • Zimbra 9.0.0 Patch-41

Zimbra’s updates aim to mitigate several security risks and improve functionality across these editions. Notably, support for Zimbra 9.0.0 will continue until December 31, 2024, giving users a timeline to ensure they’re up to date with the latest patches.


One-Time Fix for Zimbra 8.8.15

Although Zimbra 8.8.15 reached the end of general support last year, a one-time fix has been released to address a critical security issue impacting many legacy deployments. This patch, Zimbra 8.8.15 Patch-46, is a significant update for users who have yet to upgrade to newer versions. However, Zimbra strongly encourages users to migrate to the latest Daffodil versions to ensure long-term security and support.


New Features in Zimbra Daffodil 10.1.1

This update introduces a host of new features aimed at improving user and admin experience. Below are some key highlights:

  • RHEL 9, Rocky 9, and Oracle 9 Support (Beta): Available in 10.1.1, with General Availability (GA) expected soon.
  • Ubuntu 22 GA: Supported in 10.1.1. To enable FIPS mode, an Ubuntu 22 Pro subscription is required.
  • Zimbra Collaboration: A new feature allows administrators to hide aliases in the GAL (Global Address List) through CLI and Admin Console.
  • Modern Web App: Enhancements include the ability for users to export emails as EML files, improved calendar management, and access to more font types for a better user experience on mobile devices.

Security Enhancements: XSS Fixes

The core focus of this patch release is addressing several Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities, if left unpatched, could allow attackers to inject malicious scripts, potentially leading to data compromise or account takeovers. Zimbra has resolved these issues across the Modern Web App, Classic Web App, Admin Console, and the Zimbra Connector for Outlook.


Fixed Issues Across Platforms

This patch release addresses multiple bugs and performance issues across:

  • Zimbra Collaboration: Various stability and usability improvements.
  • Modern Web App: Enhanced usability with new feature updates.
  • Classic Web App: Performance tweaks and security patches.
  • Admin Web Console: Improved control and management for admins.
  • Zimbra Connector for Outlook: Optimized syncing and connectivity.

Conclusion

This patch release is critical for users running various versions of Zimbra, especially for those still on Zimbra 8.8.15, as it includes essential security updates. The deployment risk is marked as medium, which means administrators should plan for a proper rollout in production environments after necessary testing in staging areas.

Recommended Action: Administrators are advised to upgrade to the latest Zimbra Daffodil versions to benefit from the new security enhancements and features. For those still on Zimbra 8.8.15, the one-time fix should be applied immediately to mitigate critical vulnerabilities.


Note: Beta features introduced in this release are not supported for production systems and should be tested in a lab environment only. Stay tuned for upcoming patches that will include General Availability for some of these new features.

Make sure to read the official Zimbra release notes for detailed information on this patch update.

Click below and ‘share’ this article!