CVE-2014-2741 Uncontrolled Resource Consumption with XMPP-Layer Compression

Description

http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2741

Several XMPP server implementations that support application-layer compression (XEP-0138) suffer from an uncontrolled resource consumption vulnerability (CWE-400). This vulnerability can be remotely exploited by attackers to mount Denial-of-Service attacks by sending highly-compressed XML elements over XMPP streams.

The vulnerability was reported by Giancarlo Pellegrino. This report was written by Giancarlo Pellegrino with assistance from Peter Saint-Andre.

Environment

None

Acceptance Test - Entry

None

Activity

Show:

Daryl Herzmann

April 17, 2014, 8:09 PM

Copy link to comment

http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77

hopefully mitigates this

Daryl Herzmann

April 17, 2014, 8:09 PM

Copy link to comment

Marking as fixed, added this after the commit so to ensure it hits the changelog

Assignee

Guus der Kinderen

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Core

Fix versions

3.9.2

Affects versions

3.9.1

Priority

Major

Configure