jabberd2 before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled

Bug #1747893 reported by Eugene Crosser
Affects              Status         Importance   Assigned to   Milestone
Jabberd              Incomplete     Undecided    Unassigned
Debian               Fix Released   Unknown
jabberd2 (Ubuntu)    Fix Released   Undecided    Unassigned
  Trusty             New            Undecided    Unassigned
  Xenial             New            Undecided    Unassigned

Bug Description

Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:

```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56611 TLS
```

There is Debian bug #867032 for this vulnerability.

Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.

Apparently fixed by this upstream commit: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16
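The log lines quoted above are the only evidence an administrator of an affected 2.3.x install has of the problem, so the practical check while waiting for a fixed package is to watch the c2s log for ANONYMOUS successes when sasl.anonymous is switched off. The following is an added detection example, not code from this report, from the jabberd2 project, or from the Ubuntu security team: it parses lines in the format shown in the report and returns the ANONYMOUS logins that contradict the configured policy. The sample log, the JIDs, the addresses (RFC 5737 documentation ranges) and the non-ANONYMOUS lines are constructed for the example; the exact wording of jabberd2's other log messages is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log modelled on the c2s lines quoted in the report.
# JIDs, addresses, and the non-ANONYMOUS lines are placeholders, not real data.
SAMPLE_LOG = """\
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: anon-1f3a@example.org ::ffff:203.0.113.5:56570 TLS
Feb 06 13:35:01 dehost jabberd/c2s[2662]: [70] DIGEST-MD5 authentication succeeded: alice@example.org ::ffff:203.0.113.9:56601 TLS
Feb 06 13:35:12 dehost jabberd/c2s[2662]: [72] ANONYMOUS authentication succeeded: anon-9c07@example.org ::ffff:203.0.113.5:56620 TLS
Feb 06 13:36:00 dehost jabberd/c2s[2662]: [73] PLAIN authentication failed: bob@example.org ::ffff:198.51.100.7:40021
Feb 06 13:36:05 dehost jabberd/c2s[2662]: [74] some other c2s message that is not an auth event
"""

# One c2s authentication line: syslog timestamp, host, "jabberd/c2s[pid]",
# "[fd] MECH authentication succeeded|failed: jid addr:port [TLS]".
# The address is matched greedily so the IPv4-mapped "::ffff:" prefix keeps
# its colons and only the trailing ":port" is split off.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) jabberd/c2s\[\d+\]: "
    r"\[(?P<fd>\d+)\] (?P<mech>\S+) authentication (?P<result>succeeded|failed): "
    r"(?P<jid>\S+) (?P<addr>\S+):(?P<port>\d+)(?P<tls> TLS)?$"
)


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    fd: int
    mechanism: str
    succeeded: bool
    jid: str
    address: str
    port: int
    tls: bool


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one c2s line; returns None for lines that are not auth events."""
    m = AUTH_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return AuthEvent(
        timestamp=m["ts"],
        fd=int(m["fd"]),
        mechanism=m["mech"],
        succeeded=m["result"] == "succeeded",
        jid=m["jid"],
        address=m["addr"],
        port=int(m["port"]),
        tls=m["tls"] is not None,
    )


def parse_auth_lines(lines: Iterable[str]) -> List[AuthEvent]:
    """Collect every auth event from an iterable of log lines."""
    events: List[AuthEvent] = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is not None:
            events.append(ev)
    return events


def unexpected_anonymous_logins(events: Iterable[AuthEvent],
                                anonymous_enabled: bool) -> List[AuthEvent]:
    """ANONYMOUS successes that contradict the c2s.xml sasl.anonymous setting.

    anonymous_enabled mirrors the operator's configuration; when the option is
    off, any successful ANONYMOUS login is the CVE-2017-10807 behaviour.
    """
    if anonymous_enabled:
        return []
    return [e for e in events if e.mechanism == "ANONYMOUS" and e.succeeded]


def count_by_address(events: Iterable[AuthEvent]) -> Dict[str, int]:
    """Group flagged events by source address for a quick triage view."""
    return dict(Counter(e.address for e in events))


if __name__ == "__main__":
    events = parse_auth_lines(SAMPLE_LOG.splitlines())
    hits = unexpected_anonymous_logins(events, anonymous_enabled=False)
    for ev in hits:
        print(f"{ev.timestamp} fd={ev.fd} ANONYMOUS login from "
              f"{ev.address}:{ev.port} tls={ev.tls}")
    print("per source address:", count_by_address(hits))
```

Run it against the real c2s log (for example `journalctl -u jabberd-c2s` output piped in) with `anonymous_enabled` set from your own c2s.xml; on a patched 2.6.1 or later server the flagged list should stay empty when the option is off.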

CVE References: CVE-2017-10807

Eugene Crosser (crosser)
information type: Private Security → Public Security
Eugene Crosser (crosser)
description: updated
Changed in debian:
status: Unknown → Fix Released
Steve Beattie (sbeattie) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in jabberd2:
status: New → Incomplete
Changed in jabberd2 (Ubuntu):
status: New → Incomplete
status: Incomplete → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
