Zimbra Releases/9.0.0/P35

Zimbra Collaboration Kepler 9.0.0 Patch 35 GA Release

Release Date: August 23, 2023

Check out the Security Fixes, Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

NOTICE: One-Click vulnerability

A one-click security vulnerability in all versions of Zimbra Collaboration Suite has been discovered that could allow an unauthenticated attacker to gain access to a Zimbra account.

The patch will remove 3 files after which a mailbox restart is required, in case you cannot install the latest patch, manual mitigation steps (really simple ones) will be available via Zimbra Support Portal.

For customer's installing the patch on multi-server environment, the changes are applicable only to the Mailstore node. No packages will be installed on other nodes - MTA, Proxy, LDAP. So after applying this patch, the updated patch version will only be displayed for Mailstore node. The other nodes will continue to display previous installed patch version as Patch 9.0.0_P34.

Security Fixes

Summary CVE-ID CVSS Score
Bug that could allow an unauthenticated attacker to gain access to a Zimbra account. CVE-2023-41106 8.8

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                ->

Patch Installation

Please refer to the steps below to install Kepler 9.0.0 Patch 35 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important Note for ZCS Setup with Local ZCS repository: Customers who have set up local ZCS repository should first update the local repository by following instructions in wiki

If you have patch 33 or an older version installed, then follow below link to install Kepler 9.0.0 Patch 35:
Patch Installation link : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/patch_installation

If you have patch 34 installed, then follow below instructions to apply this patch only on mailbox node:


Install/Upgrade zimbra-patch on Mailbox node

  • As root, install the package:
yum install zimbra-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Install/Upgrade zimbra-patch on Mailbox node

  • As root, install package
apt-get install zimbra-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Jump to: navigation, search