Re: Prosody XMPP server advisory 2022-01-13 (Remote Unauthenticated Denial of Service) (CVE request)

[Jonas Schäfer <jonas () wielicki name>]

Hi, quick update:

On Donnerstag, 13. Januar 2022 15:01:11 CET Jonas Schäfer wrote:
> If neither patching nor upgrading is an option, it is possible to unload
> the websocket module using:
>
> ```
> prosodyctl shell module unload websocket
> ```

This only works on recent Prosody trunk. On 0.11.x and earlier, you need to 

- use module:unload("websocket") from the telnet console, OR
- unload the module via an XMPP Ad-Hoc command OR
- if neither of these online ways are available, remove the module from the 
configuration and restart prosody.

kind regards,
Jonas

> However, note well that third-party modules may also use the vulnerable
> internal APIs to parse XML. Unloading websocket does not protect those
> other modules; only the patch or the upgrade can do that.
>
> **Fix**
>
> This issue is fixed in Prosody 0.11.12 by restricting the available XML
> features in the internal XML API.
>
> **Attribution**
>
> The issue was discovered during internal code review by Matthew Wild
> during the development of another feature. The patch was developed by
> Jonas Schäfer. A proof-of-concept exploit was developed by Jonas Schäfer
> and Kim Alvefur and will be published soon to allow administrators to
> check their instances.
>
> **Timeline**
>
> 2022-01-10: Discovery of the issue, development of an exploit as well as
> an initial patch. Sharing of this information with Jitsi and Snikket
> developers. Heads-up sent to the Snikket group chat.
>
> 2022-01-11: Refinement of the patch, release preparation. Heads-up sent
> to the Prosody group chat. Patch shared confidentially with Jitsi.
>
> 2022-01-12: Continued release preparation, notification of distros@.
>
> 2022-01-13: Coordinated Snikket and Prosody release with a
> fix, publication of the advisory.

Attachment: signature.asc
Description: This is a digitally signed message part.