oss-sec mailing list archives
Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request)
From: Jonas Schäfer <jonas () wielicki name>
Date: Thu, 13 Jan 2022 15:23:11 +0100
Hi, quick update:

On Thursday, 13 January 2022 15:01:11 CET Jonas Schäfer wrote:
> If neither patching nor upgrading is an option, it is possible to unload
> the websocket module using:
>
> ```
> prosodyctl shell module unload websocket
> ```
This only works on recent Prosody trunk. On 0.11.x and earlier, you need to

- use module:unload("websocket") from the telnet console, OR
- unload the module via an XMPP Ad-Hoc command, OR
- if neither of these online ways is available, remove the module from the configuration and restart prosody.

kind regards,
Jonas
> However, note well that third-party modules may also use the vulnerable
> internal APIs to parse XML. Unloading websocket does not protect those
> other modules; only the patch or the upgrade can do that.
>
> **Fix**
>
> This issue is fixed in Prosody 0.11.12 by restricting the available XML
> features in the internal XML API.
>
> **Attribution**
>
> The issue was discovered during internal code review by Matthew Wild
> during the development of another feature. The patch was developed by
> Jonas Schäfer. A proof-of-concept exploit was developed by Jonas Schäfer
> and Kim Alvefur and will be published soon to allow administrators to
> check their instances.
>
> **Timeline**
>
> - 2022-01-10: Discovery of the issue, development of an exploit as well as
>   an initial patch. Sharing of this information with Jitsi and Snikket
>   developers. Heads-up sent to the Snikket group chat.
> - 2022-01-11: Refinement of the patch, release preparation. Heads-up sent
>   to the Prosody group chat. Patch shared confidentially with Jitsi.
> - 2022-01-12: Continued release preparation, notification of distros@.
> - 2022-01-13: Coordinated Snikket and Prosody release with a fix,
>   publication of the advisory.
Attachment:
signature.asc
Description: This is a digitally signed message part.
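The offline route from the message above (remove the module from the configuration, then restart) is easy to get half right when `websocket` appears both globally and under a `VirtualHost`. The script below is an added example, not Prosody project code and not part of the thread: it scans every `modules_enabled` table of a Prosody-style `prosody.cfg.lua`, reports whether `websocket` is enabled anywhere, and returns a copy of the config with the module disabled. The configuration text is constructed for the demonstration, the function names are my own, and the parsing assumes the usual flat Lua table layout (no nested braces and no `--[[ ]]` block comments inside `modules_enabled`). As the message stresses, this only removes the websocket entry point; third-party modules that use the same internal XML API are not covered, and only the 0.11.12 upgrade fixes that.

```python
"""Check a Prosody config for mod_websocket and produce a hardened copy.

Added example, not Prosody project code. SAMPLE_CFG is constructed; the
parser assumes one flat Lua table per `modules_enabled` (no nested braces,
no --[[ ]] block comments inside the table).
"""
import re

# Constructed sample prosody.cfg.lua, not taken from a real deployment.
SAMPLE_CFG = """\
admins = { "admin@example.com" }

modules_enabled = {
    "roster";
    "saslauth";
    "tls";
    "websocket"; -- XMPP over WebSocket
    -- "bosh";
}

VirtualHost "example.com"
    modules_enabled = { "ping", "websocket" }

VirtualHost "chat.example.org"
"""

# One flat Lua table per modules_enabled; non-greedy so each match stops at
# its own closing brace (global table and per-VirtualHost tables alike).
MODULES_RE = re.compile(r'(modules_enabled\s*=\s*\{)(.*?)(\})', re.S)
# A quoted module name inside such a table.
NAME_RE = re.compile(r'(["\'])([^"\']+)\1')


def _code_part(line):
    """Return the part of a Lua line before any `--` line comment."""
    return line.partition("--")[0]


def enabled_modules(cfg):
    """All module names listed in any modules_enabled table, comments ignored.

    Global and per-VirtualHost tables are both scanned, so a module enabled
    in several places appears several times (order of appearance kept)."""
    names = []
    for table in MODULES_RE.finditer(cfg):
        for line in table.group(2).split("\n"):
            names.extend(m.group(2) for m in NAME_RE.finditer(_code_part(line)))
    return names


def websocket_enabled(cfg):
    """True if "websocket" is enabled in any modules_enabled table."""
    return "websocket" in enabled_modules(cfg)


def disable_module(cfg, name):
    """Return cfg with `name` disabled in every modules_enabled table.

    An entry alone on its line is commented out, so it is easy to re-enable
    after upgrading to a fixed release; an entry sharing a line with others
    is deleted, because a `--` comment would swallow the rest of that line,
    closing brace included. Already-commented entries are left alone, so
    running this twice is a no-op the second time."""
    entry = r'(["\']%s["\'])[ \t]*[;,]?' % re.escape(name)
    alone = re.compile(r'[ \t]*' + entry + r'[ \t]*')
    inline = re.compile(entry + r'[ \t]*')

    def fix_table(m):
        fixed = []
        for line in m.group(2).split("\n"):
            code, sep, comment = line.partition("--")  # keep comments verbatim
            if alone.fullmatch(code):
                indent = code[:len(code) - len(code.lstrip())]
                code = indent + "-- " + code.strip() + (" " if sep else "")
            else:
                code = inline.sub("", code)
            fixed.append(code + sep + comment)
        return m.group(1) + "\n".join(fixed) + m.group(3)

    return MODULES_RE.sub(fix_table, cfg)


if __name__ == "__main__":
    print("websocket enabled:", websocket_enabled(SAMPLE_CFG))
    hardened = disable_module(SAMPLE_CFG, "websocket")
    print("enabled after mitigation:", enabled_modules(hardened))
    print(hardened)
```

Write the result back over `prosody.cfg.lua`, validate it with `prosodyctl check config`, and restart Prosody; on 0.11.x a configuration edit alone does not unload an already running module, which is why the message pairs this route with a restart.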
Current thread:
- Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer (Jan 13)
- Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer (Jan 13)
- Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE-2022-0217) Jonas Schäfer (Jan 13)
- Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request) Jonas Schäfer (Jan 18)