I got notified late this afternoon about a critical security vulnerability in Zimbra. The email was a bit short on details, stating only:


This vulnerability allows unauthorized, remote access to files that are readable by the “zimbra user” account on the ZCS Mailbox Server (also known as mailbox service, or “mailboxd”).

All released versions (including the 6.0 betas) are affected. There is a link in the e-mail and also at support.zimbra.com.

Assuming you downloaded the patch to /tmp and are on Ubuntu and running ZCS 5.0.x (other Linux, YMMV), issue these three commands as root on each of your mailbox servers.

#mkdir /opt/zimbra/save-07012009/ ; /etc/init.d/zimbra stop

#mv /opt/zimbra/lib/jars/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-lib.jar ; mv /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar /opt/zimbra/save-07012009/dom4j-1.5-common.jar ; cp /tmp/dom4j-1.5.jar /opt/zimbra/lib/jars/dom4j-1.5.jar ; cp /tmp/dom4j-1.5.jar /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar ; chown zimbra:zimbra /opt/zimbra/lib/jars/dom4j-1.5.jar ; chown zimbra:zimbra /opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar

#/etc/init.d/zimbra start

Total downtime for us was less than 3 minutes per mailbox server.
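
To confirm the swap took effect on each mailbox server, the check below compares both installed copies of the jar against the downloaded patch and checks their owner. It is an added example, not part of the original post or of Zimbra's tooling; the function names and the optional ROOT and OWNER arguments are assumptions for illustration, and it relies on GNU coreutils (sha256sum, stat -c) as found on Ubuntu.

```sh
#!/bin/sh
# Added example (not from the original post): verify the dom4j replacement.
# The two jar paths are the ones named in the post; everything else is assumed.

JARS="opt/zimbra/lib/jars/dom4j-1.5.jar opt/zimbra/jetty-6.1.5/common/lib/dom4j-1.5.jar"

# Print only the SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# verify_dom4j_patch PATCH_JAR [ROOT] [OWNER]
#   PATCH_JAR  the jar downloaded from the vendor, e.g. /tmp/dom4j-1.5.jar
#   ROOT       filesystem prefix (default /), useful for checking a mounted image
#   OWNER      expected file owner (default zimbra)
# Returns 0 if every installed copy is byte-identical to PATCH_JAR and owned
# by OWNER, 1 if any copy is missing, unpatched or wrongly owned, 2 if the
# patch jar itself cannot be read.
verify_dom4j_patch() {
    patch=$1; root=${2:-/}; owner=${3:-zimbra}
    [ -r "$patch" ] || { echo "patch jar not readable: $patch" >&2; return 2; }
    want=$(sha256_of "$patch")
    rc=0
    for rel in $JARS; do
        f="${root%/}/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING   $f"; rc=1; continue
        fi
        if [ "$(sha256_of "$f")" != "$want" ]; then
            echo "UNPATCHED $f"; rc=1; continue
        fi
        got_owner=$(stat -c %U "$f")
        if [ "$got_owner" != "$owner" ]; then
            echo "OWNER     $f is owned by $got_owner, expected $owner"; rc=1; continue
        fi
        echo "OK        $f"
    done
    return $rc
}

# Typical call on a mailbox server, as root:
#   verify_dom4j_patch /tmp/dom4j-1.5.jar
```

A non-zero return on any server means that server is still running at least one old or unreadable copy of the jar and should be re-done before being put back in service.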

There is no other information on the support pages and oddly enough no one in the forums seems to be talking about this either. I will update as I get more information.
