Zimbra Releases/9.0.0/P36

Zimbra Collaboration Kepler 9.0.0 Patch 36 GA Release

Release Date: September 13, 2023

Check out the Security Fixes, Known Issues for this version of Zimbra Collaboration. Please refer to the Patch Installation page for Patch Installation instructions. As always, you are encouraged to tell us what you think in the Forums or open a support ticket to report issues

NOTICE: Guarding Against XSS: Security Update

Zimbra team identified security vulnerabilities in all versions of the Zimbra Collaboration Suite that could potentially allow unauthorised access to Zimbra accounts.

To address this, fixed the insufficient URL parameter sanitisation and removed deprecated file.

For customer's installing the patch on multi-server environment, the changes are applicable only to the Mailstore node. No packages will be installed on other nodes - MTA, Proxy, LDAP. So after applying this patch, the updated patch version will only be displayed for Mailstore node. The other nodes will continue to display previous installed patch version as Patch 9.0.0_P34.

Security Fixes

Summary CVE-ID CVSS Score
XSS on one of the web endpoint via non sanitised input parameter. CVE-2023-43103 TBD
An attacker can gain access of logged-in user’s mailbox through XSS. CVE-2023-43102 TBD

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If someone had applied this configuration previously, then after upgrading to this patch, they will have to re-apply the same configuration.

Known Issues

  • While deploying zimlets, if the following error is encountered, please refer to the Patch Installation page to install the zimbra-common-core-jar, zimbra-common-core-libs, zimbra-mbox-store-libs packages in a particular order and re-deploy the zimlets.
/opt/zimbra/bin/zmjava: line 59: /bin/java: No such file or directory
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/logging/log4j/core/appender/ConsoleAppender$Target
       at com.zimbra.cs.localconfig.LocalConfigCLI.main(LocalConfigCLI.java:353)
Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.core.appender.ConsoleAppender$Target
       at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:602)
       at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
       at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
       ... 1 more
  • From Kepler-Patch-25 onwards, customers using SSO will need to update zimbraVirtualHostName attribute for the domains. Please refer to the instructions to update the attribute.
  • With JDK 17, weaker Kerberos encryption types like 3DES and RC4 have now been disabled by default. This can cause SPNEGO auth to fail if described encryption types are being used. We recommend using stronger encryption types like AES256.

To get SPNEGO auth working with weak encryption types, weak encryption can be enabled by setting the allow_weak_crypto property to true in the krb5.conf configuration file. Please follow below instructions:

1. In /opt/zimbra/jetty_base/etc/krb5.ini.in -> [libdefaults] section, set allow_weak_crypto = true

2. Restart mailboxd service:

su - zimbra
zmmailboxdctl restart


The package lineup for this release is:

PackageName                                       -> Version
zimbra-patch                                ->
zimbra-mbox-webclient-war                   ->

Patch Installation

Please refer to the steps below to install Kepler 9.0.0 Patch 36 on Redhat and Ubuntu platforms:

Before Installing the Patch, consider the following:

  • Patches are cumulative.
  • A full backup should be performed before any patch is applied. There is no automated roll-back.
  • Switch to zimbra user before using ZCS CLI commands.
  • Important! You cannot revert to the previous ZCS release after you upgrade to the patch.
  • Important Note for ZCS Setup with Local ZCS repository: Customers who have set up local ZCS repository should first update the local repository by following instructions in wiki

If you have patch 33 or an older version installed, then follow below link to install Kepler 9.0.0 Patch 36:
Patch Installation link : https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/patch_installation

If you have patch 34 or patch 35 installed, then follow below instructions to apply this patch only on mailbox node:


Install/Upgrade zimbra-patch on Mailbox node

  • As root, install the package:
yum install zimbra-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart


Install/Upgrade zimbra-patch on Mailbox node

  • As root, install package
apt-get install zimbra-patch
  • Restart ZCS as zimbra user:
su - zimbra
zmcontrol restart
Jump to: navigation, search