---

CVE-2021-32920 - log back

CVE-2021-32920 edited at 13 May 2021 15:14:18

References

https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption https://hg.prosody.im/trunk/rev/55ef50d6cf65 https://hg.prosody.im/trunk/rev/5a484bd050a7 https://hg.prosody.im/trunk/rev/aaf9c6b6d18d - https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values - https://hg.prosody.im/trunk/rev/c98aebe601f9 - https://hg.prosody.im/trunk/rev/13b84682518e - https://hg.prosody.im/trunk/rev/6f56170ea986

CVE-2021-32920 edited at 13 May 2021 15:14:01

References

https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption https://hg.prosody.im/trunk/rev/55ef50d6cf65 https://hg.prosody.im/trunk/rev/5a484bd050a7 https://hg.prosody.im/trunk/rev/aaf9c6b6d18d + https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values + https://hg.prosody.im/trunk/rev/c98aebe601f9 + https://hg.prosody.im/trunk/rev/13b84682518e + https://hg.prosody.im/trunk/rev/6f56170ea986

CVE-2021-32920 edited at 13 May 2021 15:11:52
Severity	- Unknown + Medium
Remote	- Unknown + Remote
Type	- Unknown + Denial of service
Description	+ A security issue was found in the Prosody.im XMPP server software before version 0.11.9. It was discovered that Prosody does not disable SSL/TLS renegotiation, even though this is not used in XMPP. A malicious client may flood a connection with renegotiation requests to consume excessive CPU resources on the server.
References	+ https://prosody.im/security/advisory_20210512/#dos-via-repeated-tls-renegotiation-causing-excessive-cpu-consumption + https://hg.prosody.im/trunk/rev/55ef50d6cf65 + https://hg.prosody.im/trunk/rev/5a484bd050a7 + https://hg.prosody.im/trunk/rev/aaf9c6b6d18d
Notes	+ Workaround + ========== + + The issue can be mitigated by setting the following ssl option (or add to your existing one if you have one): + + ssl = { + options = { + no_renegotiation = true; + } + }

CVE-2021-32920 created at 13 May 2021 14:59:33