Zimbra Releases/8.8.15/P40

Zimbra Collaboration Joule 8.8.15 Patch 40 GA Release

Release Date: May 30, 2023

Check out the Security Fixes, What's New, Fixed Issues, and Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation steps for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues.

NOTE: If you are upgrading or migrating from an older version of Zimbra to Zimbra 8.8 Production Ready, please read Things to Know Before Upgrading and First Steps with the Zimbra NG Modules for critical information before you upgrade.

IMPORTANT: Remove Client Uploader

A majority of customers now use other options to distribute packages to the end users. If you want to continue use ClientUploader then follow these manual steps for installation.


  • As root, install the package:
yum install zimbra-extension-clientuploader
yum install zimbra-zimlet-admin-clientuploader
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


  • As root, install the package:
apt-get install zimbra-extension-clientuploader
apt-get install zimbra-zimlet-admin-clientuploader
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart

Change in upgrade process for 8.8.15 Patch 40

Please note that the install process has changed. Additional steps to install zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages have been included for this patch release. Please refer to the Patch Installation steps to install the packages in its order.

Changes required for SSO setup before patch upgrade

Before upgrade, we need to set the zimbraVirtualHostName parameter for the domains that are using SAML and SSO based login. Please follow the instructions:

su - zimbra
zmprov md domain_name zimbraVirtualHostName virtual_hostname

Security Fixes

Summary CVE-ID CVSS Score Zimbra Rating
As part of continuous improvement, ClientUploader packages has been removed from core product and moved to an optional package CVE-2023-34193 TBD Medium
Added additional validations for 2FA login CVE-2023-29381 TBD Medium
A possible Cross-site Scripting (XSS) security vulnerability has been fixed CVE-2023-34192 TBD High
The Apache package has been upgraded to version 2.4.57 to fix multiple vulnerabilities CVE-2023-25690 9.8 Low
Remove unused JSP file which may bypass the Preauth verification CVE-2023-29382 TBD Low
The Apache CXF package has been upgraded to version 3.5.5 to fix SSRF vulnerability CVE-2022-46364 9.8 Low
The Spring Core package has been upgraded to version 6.0.8 to fix multiple vulnerabilities CVE-2022-22970 5.3 Low

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps.

What's New

Package Upgrade

  • The Apache package has been upgraded from 2.4.54 to 2.4.57
  • The Apache CXF package has been upgraded from 3.5.1 to 3.5.5
  • The Spring Core package has been upgraded from 5.3.18 to 6.0.8

Zimbra Connector for Outlook

  • To better manage storage on Outlook, the Auto Archive feature is now available for users. The settings can be accessed at File -> Options -> Advanced -> AutoArchive. By default the feature is disabled. This feature does not support auto archiving Calendar and Shared Inbox folders but we continue to support them through Manual Archive feature.

Fixed Issues

Zimbra Collaboration

  • Users can now add their Google calendar as an External calendar. ZBUG-2802
  • When using Load Balancer with a Zimbra Proxy server, if it receives multiple IP addresses in the X-Forwarded-For header, it treated it as one single IP to perform the Whitelist check which resulted in suspending it. The issue has been fixed and now a whitelist check is done on a single IP address even if multiple IP addresses are received. ZBUG-2250

Zimbra Web Client (ZWC)

  • Translations have been updated for Arabic, Deutsch (German), French Canadian, Danish, Hindi, Japanese and Español (Spanish).

Zimbra Connector for Outlook

  • Changes done to the tags are now updated correctly in the Web App. ZBUG-2067
  • The external and public sharing attributes were not honored in ZCO. The issue has been fixed. ZBUG-1380


  • To improve the testS3Connection command, a file is now uploaded on the bucket, read and finally deleted to confirm that the bucket is properly working.

NG Mobile

  • Fixed a bug that caused the attachment’s names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.
  • Fixed a bug that caused iOS mobile devices to synchronize replies to calendar appointments multiple times.
  • Fixed a bug that caused the attachment’s names with non-ASCII characters to be wrongly encoded when synchronizing via EAS.

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the [Installation] page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:


PackageName                                       -> Version
zimbra-patch                                      ->
zimbra-mta-patch                                  ->
zimbra-proxy-patch                                ->
zimbra-ldap-patch                                 ->
zimbra-common-core-jar                            ->
zimbra-mbox-war                                   ->
zimbra-common-core-libs                           ->
zimbra-mbox-webclient-war                         ->
zimbra-httpd                                      ->  2.4.57-1zimbra8.7b4
zimbra-spell-components                           ->  2.0.11-1zimbra8.8b1  ( RHEL8, UBUNTU20: 2.0.12-1zimbra8.8b1 )
zimbra-apache-components                          ->  2.0.10-1zimbra8.8b1
zimbra-extension-clientuploader                   ->
zimbra-zimlet-admin-clientuploader                ->  8.0.0


PackageName                                       -> Version
zimbra-patch                                      ->
zimbra-mbox-ews-service                           ->
zimbra-zco                                        ->
zimbra-network-modules-ng                         ->

Patch Installation

Please refer to below link to install Joule 8.8.15 Patch 40:

Patch Installation

Quick note: Open Source repo

The steps to download, build, and see our code via Github can be found here: https://github.com/Zimbra/zm-build

Jump to: navigation, search