Emergency patch released for SSRF flaw in Zimbra Collaboration Suite; immediate patching advised
Take action: If you're running Zimbra Collaboration Suite (versions 10.1.5 through 10.1.11), update immediately to version 10.1.12. There's an active SSRF flaw that can easily be exploited. Zimbra is urging immediate patching.
Zimbra has released an emergency security patch to fix a critical Server-Side Request Forgery (SSRF) vulnerability in its Collaboration Suite that could enable malicious actors to gain unauthorized access to internal resources and sensitive user data by manipulating URL requests to force the server to perform unintended actions.
The flaw (no CVE identifier has been assigned) is in the chat proxy configuration component. That module fails to sanitize user-supplied input, so an attacker can craft requests that the server forwards through Zimbra's internal network infrastructure.
Zimbra Collaboration Suite versions from 10.1.5 through 10.1.11 are vulnerable.
Zimbra has released version 10.1.12 as an emergency patch to address this SSRF vulnerability. The update includes the zimbra-proxy-patch package (version 10.1.12.1760086549-1) and introduces several performance and stability improvements alongside the security fix.
Organizations upgrading from version 10.1.3 or earlier must ensure they are using the latest version of the zimbra-lds-patch package due to changes in the licensing system. After completing the upgrade to version 10.1.12, administrators must reactivate their license using the command zmlicense -a <license_key> as the zimbra user to maintain proper synchronization. For multi-server environments, it's important to note that after this upgrade, proxy node servers will display the 10.1.12 version tag while other nodes will continue to show 10.1.11.
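The following shell helper is an added example for administrators triaging a fleet against the affected range above; it is not Zimbra's own tooling. It classifies a version string against the 10.1.5 through 10.1.11 range stated in this advisory and extracts the release number from the kind of line `zmcontrol -v` prints. The exact `zmcontrol -v` output format ("Release X.Y.Z...") is an assumption, and the sample line is constructed.

```shell
#!/bin/sh
# Added example (not Zimbra's code): triage helpers for the 10.1.5-10.1.11 SSRF advisory.

# zimbra_ssrf_affected VERSION
# Returns 0 when VERSION falls in the affected range 10.1.5 .. 10.1.11,
# 1 when it does not, and 2 when the string is not a parseable X.Y.Z version.
# Trailing build suffixes such as "10.1.12.1760086549-1" are tolerated.
zimbra_ssrf_affected() {
  ver="$1"
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  rest2=${rest#*.}
  patch=${rest2%%.*}
  for n in "$major" "$minor" "$patch"; do
    case "$n" in
      ''|*[!0-9]*) return 2 ;;   # reject anything that is not a plain integer
    esac
  done
  # Only the 10.1.x line is in scope; 10.1.5 through 10.1.11 are affected.
  [ "$major" -eq 10 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 5 ] && [ "$patch" -le 11 ]
}

# release_from_zmcontrol LINE
# Pulls "X.Y.Z" out of a line assumed to look like "Release 10.1.7.GA.1234 ..."
# (the format of `zmcontrol -v` output is an assumption of this example).
release_from_zmcontrol() {
  printf '%s\n' "$1" | sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Constructed sample line standing in for real `zmcontrol -v` output.
SAMPLE_ZMCONTROL_LINE='Release 10.1.7.GA.1234.UBUNTU22_64 UBUNTU22_64 NETWORK edition.'

# When run directly with an argument, classify it. On a live node you would
# feed it the output of: su - zimbra -c 'zmcontrol -v'
if [ "$#" -gt 0 ]; then
  if zimbra_ssrf_affected "$1"; then
    echo "$1: in affected range, upgrade to 10.1.12"
  else
    echo "$1: not in affected range"
  fi
fi
```

Note the caveat from the advisory: in a multi-server deployment only the proxy nodes report 10.1.12 after the upgrade, so a version-only check like this will keep flagging the other nodes. For those, confirm the installed zimbra-proxy-patch package on the proxy tier rather than relying on the release string alone.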