Xenial 16.04.3 LTS ships with jabberd2 version 2.3.4-1ubuntu2 (as of this report). This version is vulnerable to CVE-2017-10807: it allows "anonymous" SASL authentication even when that option is switched off in the configuration, as the c2s log shows:
```
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56570 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56592 TLS
Feb 06 13:34:35 dehost jabberd/c2s[2662]: [71] ANONYMOUS authentication succeeded: <email address hidden> ::ffff:194.226.137.229:56611 TLS
```
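Until the package is fixed, an operator can at least detect the condition from the c2s log. The following is an added example (not part of this report or of jabberd2): it parses lines in the format shown above and flags ANONYMOUS successes on a host where that mechanism is meant to be off. The sample log lines are constructed (placeholder JIDs and documentation-range addresses stand in for the redacted values).

```python
import re
from collections import Counter

# Field layout of a jabberd2 c2s "authentication succeeded" line, as shown in the report:
# <syslog ts> <host> jabberd/c2s[<pid>]: [<fd>] <MECH> authentication succeeded: <jid> ::ffff:<ip>:<port> TLS
C2S_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) jabberd/c2s\[(?P<pid>\d+)\]: "
    r"\[(?P<fd>\d+)\] (?P<mech>[A-Z0-9-]+) authentication succeeded: "
    r"(?P<jid>\S+) (?:::ffff:)?(?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<tls>TLS))?$"
)


def parse_c2s_auth(line):
    """Return the fields of one c2s auth-success line as a dict, or None if it is some other message."""
    m = C2S_AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_anonymous(lines, anonymous_enabled=False):
    """Return auth events that used ANONYMOUS although the deployment has it switched off.

    anonymous_enabled mirrors the intended configuration: if the operator really does allow
    anonymous logins, nothing is flagged.
    """
    hits = []
    for line in lines:
        ev = parse_c2s_auth(line)
        if ev and ev["mech"] == "ANONYMOUS" and not anonymous_enabled:
            hits.append(ev)
    return hits


def summarize_by_source(events):
    """Count flagged events per remote address, to see whether one client is repeatedly getting in."""
    return Counter(ev["ip"] for ev in events)


# Constructed sample: two ANONYMOUS successes, one legitimate DIGEST-MD5 login, one unrelated line.
SAMPLE_LOG = """\
Feb 06 13:34:24 dehost jabberd/c2s[2662]: [68] ANONYMOUS authentication succeeded: anon@example.invalid ::ffff:192.0.2.10:56570 TLS
Feb 06 13:34:25 dehost jabberd/c2s[2662]: [70] DIGEST-MD5 authentication succeeded: alice@example.invalid ::ffff:192.0.2.20:40001 TLS
Feb 06 13:34:29 dehost jabberd/c2s[2662]: [69] ANONYMOUS authentication succeeded: anon@example.invalid ::ffff:192.0.2.10:56589 TLS
Feb 06 13:34:30 dehost jabberd/c2s[2662]: [76] some unrelated c2s message
""".splitlines()

if __name__ == "__main__":
    flagged = find_unexpected_anonymous(SAMPLE_LOG)
    for ev in flagged:
        print(f"{ev['ts']} fd={ev['fd']} ANONYMOUS login from {ev['ip']}:{ev['port']} as {ev['jid']}")
    print("per source:", dict(summarize_by_source(flagged)))
```

In production the same functions would be fed from the journal or syslog file rather than the inline sample.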
There is Debian bug #867032 for this vulnerability.
Current upstream versions of jabberd2 are not vulnerable; in particular version 2.6.1-1 that ships with artful is _probably_ not vulnerable, so this report only applies to the LTS release.