
[ASA-202105-11] prosody: multiple issues
Arch Linux Security Advisory ASA-202105-11
==========================================

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920
          CVE-2021-32921
Package : prosody
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1955

Summary
=======

The package prosody before version 1:0.11.9-1 is vulnerable to multiple
issues including denial of service, authentication bypass, information
disclosure and insufficient validation.

Resolution
==========

Upgrade to 1:0.11.9-1.

# pacman -Syu "prosody>=1:0.11.9-1"

The problems have been fixed upstream in version 0.11.9.

Workaround
==========

- CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list
  of XMPP domains that should be allowed to use the file transfer proxy.

- CVE-2021-32918 can be partly mitigated using stricter settings for
  stanza size limits, rate limits and garbage collection parameters; see
  the referenced upstream advisory for more details.

- CVE-2021-32919 can be mitigated by removing or disabling the
  'dialback_without_dialback' option.

- CVE-2021-32920 can be mitigated by setting the following ssl option (or
  adding it to your existing ssl section if you have one):

  ssl = {
      options = {
          no_renegotiation = true;
      }
  }

- CVE-2021-32921 can be partly mitigated by enabling and configuring rate
  limits through mod_limits, which lengthens the time required to
  successfully complete a timing attack.

Description
===========

- CVE-2021-32917 (insufficient validation)

A security issue was found in the Prosody.im XMPP server software before
version 0.11.9. mod_proxy65 is a file transfer proxy provided with Prosody
to facilitate the transfer of files and other data between XMPP clients.
It was discovered that the proxy65 component of Prosody allows open access
by default, even if neither of the users has an XMPP account on the local
server, allowing unrestricted use of the server's bandwidth.

The default configuration does not enable mod_proxy65 and is not affected.
With mod_proxy65 enabled, all configurations without a 'proxy65_acl'
setting configured are affected.

- CVE-2021-32918 (denial of service)

A security issue was found in the Prosody.im XMPP server software before
version 0.11.9. It was discovered that default settings leave Prosody
susceptible to remote unauthenticated denial-of-service (DoS) attacks via
memory exhaustion when running under Lua 5.2 or Lua 5.3.

- CVE-2021-32919 (authentication bypass)

A security issue was found in the Prosody.im XMPP server software before
version 0.11.9. The undocumented option 'dialback_without_dialback'
enabled an experimental feature for server-to-server authentication. A
flaw in this feature meant it did not correctly authenticate remote
servers, allowing a remote server to impersonate another server when this
option is enabled.

- CVE-2021-32920 (denial of service)

A security issue was found in the Prosody.im XMPP server software before
version 0.11.9. It was discovered that Prosody does not disable SSL/TLS
renegotiation, even though this is not used in XMPP. A malicious client
may flood a connection with renegotiation requests to consume excessive
CPU resources on the server.

- CVE-2021-32921 (information disclosure)

A security issue was found in the Prosody.im XMPP server software before
version 0.11.9. It was discovered that Prosody does not use a
constant-time algorithm for comparing certain secret strings when running
under Lua 5.2 or later. This can potentially be used in a timing attack to
reveal the contents of secret strings to an attacker.

Impact
======

A remote attacker could cause excessive use of the server's bandwidth and
resources, leading to denial of service, impersonate other servers, or
leak secret strings through timing attacks.

References
==========

https://prosody.im/security/advisory_20210512/#use-of-mod_proxy65-is-unrestricted-in-default-configuration
https://hg.prosody.im/trunk/rev/65dcc175ef5b
https://prosody.im/security/advisory_20210512/#dos-via-insufficient-memory-consumption-controls
https://hg.prosody.im/trunk/rev/db8e41eb6eff
https://hg.prosody.im/trunk/rev/b0d8920ed5e5
https://hg.prosody.im/trunk/rev/929de6ade6b6
https://hg.prosody.im/trunk/rev/63fd4c8465fb
https://hg.prosody.im/trunk/rev/1937b3c3efb5
https://hg.prosody.im/trunk/rev/3413fea9e6db
https://prosody.im/security/advisory_20210512/#undocumented-dialback-without-dialback-option-insecure
https://hg.prosody.im/trunk/rev/6be890ca492e
https://hg.prosody.im/trunk/rev/d0e9ffccdef9
https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption
https://hg.prosody.im/trunk/rev/55ef50d6cf65
https://hg.prosody.im/trunk/rev/5a484bd050a7
https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
https://security.archlinux.org/CVE-2021-32917
https://security.archlinux.org/CVE-2021-32918
https://security.archlinux.org/CVE-2021-32919
https://security.archlinux.org/CVE-2021-32920
https://security.archlinux.org/CVE-2021-32921
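The workarounds above, collected into one prosody.cfg.lua fragment. This is an added example, not part of the advisory and not the Prosody project's own configuration: the host names example.com and proxy.example.com, the rate and burst values, and the stanza size values are constructed placeholders to be tuned per deployment. The option names 'proxy65_acl', 'ssl.options.no_renegotiation', 'dialback_without_dialback' and mod_limits' 'limits' table come from the advisory; the stanza size limit option names are assumed from the Prosody 0.11 c2s/s2s module documentation.

```lua
-- Added example fragment for prosody.cfg.lua (not the advisory's or Prosody's
-- own text). Options set before the first VirtualHost are global.

-- CVE-2021-32920: XMPP never uses TLS renegotiation, so refuse it.
-- If you already have an ssl = { ... } section, add the options entry to it.
ssl = {
    options = {
        no_renegotiation = true;
    };
}

-- CVE-2021-32918 / CVE-2021-32921: per-connection rate limits via mod_limits.
-- Slower inbound rates slow memory growth and lengthen the time a timing
-- attack needs. Add "limits" to the module list you already have; listing
-- only "limits" here would drop the other modules.
modules_enabled = {
    -- ... your existing modules (roster, saslauth, tls, dialback, ...) ...
    "limits";
}

limits = {
    c2s = {
        rate = "3kb/s";    -- constructed example values
        burst = "2s";
    };
    s2sin = {
        rate = "10kb/s";
        burst = "5s";
    };
}

-- CVE-2021-32918: cap the size of a single stanza (option names assumed from
-- the Prosody 0.11 documentation; values are constructed examples).
c2s_stanza_size_limit = 256 * 1024
s2s_stanza_size_limit = 512 * 1024

-- CVE-2021-32919: the experimental option must not be enabled. Delete any
-- 'dialback_without_dialback = true' line; setting it false disables it.
dialback_without_dialback = false

VirtualHost "example.com"   -- placeholder domain

-- CVE-2021-32917: only let accounts on the local domain use the proxy.
Component "proxy.example.com" "proxy65"   -- placeholder component host
    proxy65_acl = { "example.com" }
```

After editing, run `prosodyctl check config` to validate the file and reload the server. None of this replaces the upgrade to 0.11.9; the rate limits in particular only slow down the DoS and timing attacks rather than closing them.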
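To illustrate the CVE-2021-32921 description, here is an added example (written for this page, not the Prosody project's code or its actual fix) of the comparison pattern that leaks timing and of a comparison whose running time does not depend on where the first differing byte is. It requires Lua 5.3 or later for the bitwise operators; the token value is a constructed sample, not a real secret.

```lua
-- Added illustration of constant-time comparison; not Prosody's upstream patch.

-- Pattern to avoid: on Lua 5.2+, long strings are not interned, so '==' ends
-- up in a memcmp that returns at the first mismatch. The time taken therefore
-- grows with the length of the correct prefix, which is what a timing attack
-- measures.
local function naive_equals(secret, candidate)
  return secret == candidate
end

-- Constant-time variant: OR together the XOR of every byte pair and only look
-- at the result after the full loop. The only thing the early return reveals
-- is the length of the secret, which is not sensitive for fixed-size tokens.
local function constant_time_equals(secret, candidate)
  if #secret ~= #candidate then
    return false
  end
  local diff = 0
  for i = 1, #secret do
    diff = diff | (secret:byte(i) ~ candidate:byte(i))
  end
  return diff == 0
end

-- Constructed sample token (not a real secret).
local token = "d41d8cd98f00b204e9800998ecf8427e"

assert(constant_time_equals(token, "d41d8cd98f00b204e9800998ecf8427e"))
assert(not constant_time_equals(token, "d41d8cd98f00b204e9800998ecf8427f"))
assert(not constant_time_equals(token, "short"))
-- naive_equals gives the same answers; the difference is only in timing.
assert(naive_equals(token, "d41d8cd98f00b204e9800998ecf8427e"))
```

A caveat a practitioner should keep in mind: an interpreted language gives no hard guarantee about instruction timing, so a loop like this reduces rather than eliminates the leak, which is why the advisory pairs the code fix with rate limiting as a defence in depth.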