CVE-2012-3525: Input Validation
First published: Wed Aug 22 2012(Updated: )
A security flaw was found in the XMPP Dialback protocol implementation of jabberd2, OpenSource server implementation of the Jabber protocols (Verify Response and Authorization Response were not checked within XMPP protocol server to server session). A rogue XMPP server could use this flaw to spoof one or more domains, when communicating with vulnerable server implementation, possibly leading into XMPP's Server Dialback protections bypass. References: [1] <a href="http://xmpp.org/resources/security-notices/server-dialback/">http://xmpp.org/resources/security-notices/server-dialback/</a> Upstream patch: [2] <a href="https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d">https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jabber2 Jabberd2 | =2.1.19 | |
| Jabberd2 Jabberd2 | <=2.2.16 | |
| Jabberd2 Jabberd2 | =2.1 | |
| Jabberd2 Jabberd2 | =2.1.1 | |
| Jabberd2 Jabberd2 | =2.1.2 | |
| Jabberd2 Jabberd2 | =2.1.3 | |
| Jabberd2 Jabberd2 | =2.1.4 | |
| Jabberd2 Jabberd2 | =2.1.5 | |
| Jabberd2 Jabberd2 | =2.1.6 | |
| Jabberd2 Jabberd2 | =2.1.7 | |
| Jabberd2 Jabberd2 | =2.1.8 | |
| Jabberd2 Jabberd2 | =2.1.9 | |
| Jabberd2 Jabberd2 | =2.1.10 | |
| Jabberd2 Jabberd2 | =2.1.11 | |
| Jabberd2 Jabberd2 | =2.1.12 | |
| Jabberd2 Jabberd2 | =2.1.13 | |
| Jabberd2 Jabberd2 | =2.1.14 | |
| Jabberd2 Jabberd2 | =2.1.15 | |
| Jabberd2 Jabberd2 | =2.1.16 | |
| Jabberd2 Jabberd2 | =2.1.17 | |
| Jabberd2 Jabberd2 | =2.1.18 | |
| Jabberd2 Jabberd2 | =2.1.20 | |
| Jabberd2 Jabberd2 | =2.1.21 | |
| Jabberd2 Jabberd2 | =2.1.22 | |
| Jabberd2 Jabberd2 | =2.1.23 | |
| Jabberd2 Jabberd2 | =2.1.24 | |
| Jabberd2 Jabberd2 | =2.2.0 | |
| Jabberd2 Jabberd2 | =2.2.1 | |
| Jabberd2 Jabberd2 | =2.2.2 | |
| Jabberd2 Jabberd2 | =2.2.3 | |
| Jabberd2 Jabberd2 | =2.2.4 | |
| Jabberd2 Jabberd2 | =2.2.5 | |
| Jabberd2 Jabberd2 | =2.2.6 | |
| Jabberd2 Jabberd2 | =2.2.7 | |
| Jabberd2 Jabberd2 | =2.2.7.1 | |
| Jabberd2 Jabberd2 | =2.2.8 | |
| Jabberd2 Jabberd2 | =2.2.9 | |
| Jabberd2 Jabberd2 | =2.2.10 | |
| Jabberd2 Jabberd2 | =2.2.11 | |
| Jabberd2 Jabberd2 | =2.2.12 | |
| Jabberd2 Jabberd2 | =2.2.13 | |
| Jabberd2 Jabberd2 | =2.2.14 | |
| Jabberd2 Jabberd2 | =2.2.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2012-1538.html
- http://rhn.redhat.com/errata/RHSA-2012-1539.html
- http://secunia.com/advisories/50124
- http://secunia.com/advisories/50859
- http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01903.html
- http://www.openwall.com/lists/oss-security/2012/08/22/5
- http://www.openwall.com/lists/oss-security/2012/08/22/6
- http://www.securityfocus.com/bid/55167
- http://xmpp.org/resources/security-notices/server-dialback/
- https://bugzilla.redhat.com/show_bug.cgi?id=850872
- https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
- https://access.redhat.com/security/cve/CVE-2012-3525
- https://access.redhat.com/security/updates/classification/
- https://rhn.redhat.com/errata/RHSA-2012-1539.html
- https://rhn.redhat.com/errata/RHSA-2012-1538.html
- collector/redhat-bugzilla
- alias/CVE-2012-3525
- collector/nvd-index
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- vendor/jabber2
- canonical/jabber2 jabberd2
- version/jabber2 jabberd2/2.1.19
- vendor/jabberd2
- canonical/jabberd2 jabberd2
- version/jabberd2 jabberd2/2.2.16
- version/jabberd2 jabberd2/2.1
- version/jabberd2 jabberd2/2.1.1
- version/jabberd2 jabberd2/2.1.2
- version/jabberd2 jabberd2/2.1.3
- version/jabberd2 jabberd2/2.1.4
- version/jabberd2 jabberd2/2.1.5
- version/jabberd2 jabberd2/2.1.6
- version/jabberd2 jabberd2/2.1.7
- version/jabberd2 jabberd2/2.1.8
- version/jabberd2 jabberd2/2.1.9
- version/jabberd2 jabberd2/2.1.10
- version/jabberd2 jabberd2/2.1.11
- version/jabberd2 jabberd2/2.1.12
- version/jabberd2 jabberd2/2.1.13
- version/jabberd2 jabberd2/2.1.14
- version/jabberd2 jabberd2/2.1.15
- version/jabberd2 jabberd2/2.1.16
- version/jabberd2 jabberd2/2.1.17
- version/jabberd2 jabberd2/2.1.18
- version/jabberd2 jabberd2/2.1.20
- version/jabberd2 jabberd2/2.1.21
- version/jabberd2 jabberd2/2.1.22
- version/jabberd2 jabberd2/2.1.23
- version/jabberd2 jabberd2/2.1.24
- version/jabberd2 jabberd2/2.2.0
- version/jabberd2 jabberd2/2.2.1
- version/jabberd2 jabberd2/2.2.2
- version/jabberd2 jabberd2/2.2.3
- version/jabberd2 jabberd2/2.2.4
- version/jabberd2 jabberd2/2.2.5
- version/jabberd2 jabberd2/2.2.6
- version/jabberd2 jabberd2/2.2.7
- version/jabberd2 jabberd2/2.2.7.1
- version/jabberd2 jabberd2/2.2.8
- version/jabberd2 jabberd2/2.2.9
- version/jabberd2 jabberd2/2.2.10
- version/jabberd2 jabberd2/2.2.11
- version/jabberd2 jabberd2/2.2.12
- version/jabberd2 jabberd2/2.2.13
- version/jabberd2 jabberd2/2.2.14
- version/jabberd2 jabberd2/2.2.15