What is the severity of CVE-2012-3525?

CVE-2012-3525 has been rated as a high severity vulnerability due to its potential for spoofing and denial of service attacks.

How do I fix CVE-2012-3525?

To fix CVE-2012-3525, upgrade jabberd2 to version 2.2.16 or later to ensure proper verification of responses in the XMPP Dialback protocol.

What software is affected by CVE-2012-3525?

CVE-2012-3525 affects jabberd2 versions from 2.1.0 to 2.2.15, including all specific releases in this range.

Can CVE-2012-3525 lead to data leakage?

Yes, CVE-2012-3525 can allow a rogue XMPP server to potentially spoof connections and impersonate valid servers, leading to data leakage.

Is there a workaround for CVE-2012-3525 if I cannot upgrade jabberd2?

While upgrading is the best option, consider implementing strict firewall rules to limit access to the jabberd2 service as a temporary workaround.

Vulnerability/
CVE-2012-3525

medium

5.8

CWE

22/8/2012

25/8/2012

13/2/2023

CVE-2012-3525: Input Validation

First published: Wed Aug 22 2012(Updated: )

A security flaw was found in the XMPP Dialback protocol implementation of jabberd2, OpenSource server implementation of the Jabber protocols (Verify Response and Authorization Response were not checked within XMPP protocol server to server session). A rogue XMPP server could use this flaw to spoof one or more domains, when communicating with vulnerable server implementation, possibly leading into XMPP's Server Dialback protections bypass. References: [1] <a href="http://xmpp.org/resources/security-notices/server-dialback/">http://xmpp.org/resources/security-notices/server-dialback/</a> Upstream patch: [2] <a href="https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d">https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d</a>

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Jabberd	=2.1.19
Jabberd	<=2.2.16
Jabberd	=2.1
Jabberd	=2.1.1
Jabberd	=2.1.2
Jabberd	=2.1.3
Jabberd	=2.1.4
Jabberd	=2.1.5
Jabberd	=2.1.6
Jabberd	=2.1.7
Jabberd	=2.1.8
Jabberd	=2.1.9
Jabberd	=2.1.10
Jabberd	=2.1.11
Jabberd	=2.1.12
Jabberd	=2.1.13
Jabberd	=2.1.14
Jabberd	=2.1.15
Jabberd	=2.1.16
Jabberd	=2.1.17
Jabberd	=2.1.18
Jabberd	=2.1.20
Jabberd	=2.1.21
Jabberd	=2.1.22
Jabberd	=2.1.23
Jabberd	=2.1.24
Jabberd	=2.2.0
Jabberd	=2.2.1
Jabberd	=2.2.2
Jabberd	=2.2.3
Jabberd	=2.2.4
Jabberd	=2.2.5
Jabberd	=2.2.6
Jabberd	=2.2.7
Jabberd	=2.2.7.1
Jabberd	=2.2.8
Jabberd	=2.2.9
Jabberd	=2.2.10
Jabberd	=2.2.11
Jabberd	=2.2.12
Jabberd	=2.2.13
Jabberd	=2.2.14
Jabberd	=2.2.15

Remedy

https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2012-3525?
CVE-2012-3525 has been rated as a high severity vulnerability due to its potential for spoofing and denial of service attacks.
How do I fix CVE-2012-3525?
To fix CVE-2012-3525, upgrade jabberd2 to version 2.2.16 or later to ensure proper verification of responses in the XMPP Dialback protocol.
What software is affected by CVE-2012-3525?
CVE-2012-3525 affects jabberd2 versions from 2.1.0 to 2.2.15, including all specific releases in this range.
Can CVE-2012-3525 lead to data leakage?
Yes, CVE-2012-3525 can allow a rogue XMPP server to potentially spoof connections and impersonate valid servers, leading to data leakage.
Is there a workaround for CVE-2012-3525 if I cannot upgrade jabberd2?
While upgrading is the best option, consider implementing strict firewall rules to limit access to the jabberd2 service as a temporary workaround.

collector/redhat-bugzilla
alias/CVE-2012-3525
agent/type
agent/last-modified-date
agent/first-publish-date
agent/references
agent/event
agent/severity
agent/author
agent/weakness
agent/remedy
agent/description
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
vendor/jabber2
canonical/jabberd
version/jabberd/2.1.19
vendor/jabberd2
version/jabberd/2.2.16
version/jabberd/2.1
version/jabberd/2.1.1
version/jabberd/2.1.2
version/jabberd/2.1.3
version/jabberd/2.1.4
version/jabberd/2.1.5
version/jabberd/2.1.6
version/jabberd/2.1.7
version/jabberd/2.1.8
version/jabberd/2.1.9
version/jabberd/2.1.10
version/jabberd/2.1.11
version/jabberd/2.1.12
version/jabberd/2.1.13
version/jabberd/2.1.14
version/jabberd/2.1.15
version/jabberd/2.1.16
version/jabberd/2.1.17
version/jabberd/2.1.18
version/jabberd/2.1.20
version/jabberd/2.1.21
version/jabberd/2.1.22
version/jabberd/2.1.23
version/jabberd/2.1.24
version/jabberd/2.2.0
version/jabberd/2.2.1
version/jabberd/2.2.2
version/jabberd/2.2.3
version/jabberd/2.2.4
version/jabberd/2.2.5
version/jabberd/2.2.6
version/jabberd/2.2.7
version/jabberd/2.2.7.1
version/jabberd/2.2.8
version/jabberd/2.2.9
version/jabberd/2.2.10
version/jabberd/2.2.11
version/jabberd/2.2.12
version/jabberd/2.2.13
version/jabberd/2.2.14
version/jabberd/2.2.15