2018-02-07 11:47:12 |
Eugene Crosser |
description |
Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:
```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 097569a80f3845d6f94a102ca0222249fec72c91@average.org ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab88e@average.org ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: b15ccb46d7197298474fb8d923701271f34b0fb2@average.org ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d4220d@average.org ::ffff:194.226.137.229:56611 TLS
```
There is Debian bug #867032 for this vulnerability.
Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release. |
Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:
```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: 097569a80f3845d6f94a102ca0222249fec72c91@average.org ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: 369e2c61a89bad270f56e2c0cac4f01c9d0ab88e@average.org ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: b15ccb46d7197298474fb8d923701271f34b0fb2@average.org ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: 3105c6b061a13e9e24bc72ff51f2c2f127d4220d@average.org ::ffff:194.226.137.229:56611 TLS
```
There is Debian bug #867032 for this vulnerability.
Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.
Apparently fixed by this upstream commit: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16 |
|